our app have been rejected by apple with the following message: (i put in column the location of any api mentioned)
We found that your app uses one or more non-public APIs, which is not in compliance with the App Store Review Guidelines. The use of non-public APIs is not permissible because it can lead to a poor user experience should these APIs change.
We found the following non-public API/s in your app:
BuyFreeWinTicket_marshal___:numbers:os:, (my internal code)
getCellValidationInfo_unmarshal___:ok:, (my internal code)
AddAnimationPointForBall:nextX:nextY:forDuration:, (my internal code)
UIViewController, (?)
addSessionCookie:, (my internal code)
CanDoAutomaticLogin, (my internal code)
activeSessionIfExists, (my internal code)
AddSeperatorsToNumber:, (my internal code)
addRequestToExtendTokenForSession:connection:, (my internal code)
cworksImpression, (?)
AddFilterWithInex:, (my internal code)
ApplySuperKeypad, (my internal code)
applicationDidOpenURL:sourceApplication:, (my internal code)
clearPersistedAppEventData, (?)
canPresentMessageDialog, (?)
applicationDidOpenURL:sourceApplication:, (my internal code)
DeleteOldLogLines, (my internal code)
hideAllHUDsForView:animated:,(my internal code)
ServerRegistrationResponseOk:, (my internal code)
requestForCustomAudienceThirdPartyID:, (?)
automaticallyNotifiesObserversForKey:, (?)
addOrRemovePendingConnection:, (?)
addHEADOperation:, (3rd party ASIHTTPRequest)
NSOperationQueue, (3rd party ASIHTTPRequest)
-DisplayUserSuspendedDialogWithMessage:ReleaseByCaptcha:CaptchaURL:AndReturnTo:, (my internal code)
likeActionControllerForObjectID:, (?)
_parseDialogConfigs:, (?)
BackFromLottoLoginForNag:withEmail:andPassword:, (my internal code)
cacheRefreshDelay, (?)
FBViewController, (3rd party - looks like FB SDK)
deleteUnitTestUser:accessToken:, (?)
FathersAndMothersDisplayMothers:, (my internal code)
addRoundedRectToPath:rect:radius:, (?)
connection:didFailWithError:, (?)
createTokenFromDictionary:, (?)
FBSDKInitializeWithLaunchData:, (3rd party - looks like FB SDK)
fileExtensionsToHandleAsHTML, (3rd party ASIHTTPRequest)
_analyticsParameters, (?)
_copyValueForKey:fromDictionary:toDictionary:, (?)
appCallFromApplinkArgs_v2:applinkArgs:createTimeUTC:originalQueryParameters:, (?)
requestWithUserID:fields:dataSource:session:, (?)
FBGraphObjectPickerViewController, (3rd party - looks like FB SDK)
DisplayErrorConnectingToCheckoutServer, (my internal code)
graphObjectWrappingDictionary: (?)
If you have defined methods in your source code with the same names as the above-mentioned APIs, we suggest altering your method names so that they no longer collide with Apple's private APIs to avoid your application being flagged in future submissions.
Additionally, one or more of the above-mentioned APIs may reside in a static library included with your application. If you do not have access to the library's source, you may be able to search the compiled binary using "strings" or "otool" command line tools. The "strings" tool can output a list of the methods that the library calls and "otool -ov" will output the Objective-C class structures and their defined methods. These techniques can help you narrow down where the problematic code resides.
is that message means that Apple has Private APIs with the same signuture as the APIs mentioned above? (it means they use "-DisplayUserSuspendedDialogWithMessage:ReleaseByCaptcha:CaptchaURL:AndReturnTo:" as private signature - it is not possible)
how could we solve the problem - do we need to change all the above API names?
how could we verify we fix the problem or could we get the same error by myself (i've tried using app sccanner - it didn't find any private Api, and i've tried to use strings and otool but i don't understand what i need to look for)
it would be very helpful if someone could help us on it
about 3rd parties - we use FB SDK (ver 3.19), ASIHTTPRequest
Related
I'm having problems with the publication of an App on 'Apple Store; Apple has refused to publish the App because it found references to non-public APIs, specifically: "setMaximumLength :, MaximumLength". Unfortunately, analyzing the source code, I was not able to find the calls to these Apis. How can I solve this problem?
--- APPLE MESSAGE ---
5 PERFORMANCE: SOFTWARE REQUIREMENTS
Performance - 2.5.1
Your app uses or references the following non-public APIs:
setMaximumLength:, maximumLength
The use of non-public APIs is not permitted on the App Store because it can lead to a poor user experience should these APIs change.
--- END OF THE MESSAGE ---
Versione XCode 8.0
Versione Xamarin.Forms2.3.2.127
Xamarin for Visual Studio 4.2
Xamarin.iOS 10
You can use Apple's XCode command line tools, notably strings or otool to look inside binaries and see which may be calling that private API.
Found in this post:
https://discussions.apple.com/thread/3838251?tstart=0:
"Additionally, one or more of the above-mentioned APIs may reside in a static library included with your application. If you do not have access to the library's source, you may be able to search the compiled binary using "strings" or "otool" command line tools. The "strings" tool can output a list of the methods that the library calls and "otool -ov" will output the Objective-C class structures and their defined methods. These techniques can help you narrow down where the problematic code resides."
Is "connected" a private API? apple told me so.
Appstore was saying I have used a private API when I submit my app :
Performance - 2.5.1
Your app still uses or references the following non-public APIs:
connected
The use of non-public APIs is not permitted on the App Store because
it can lead to a poor user experience should these APIs change.
Next Steps
Please revise your app to remove any non-public APIs. If you have
defined methods in your source code with the same names as the
above-mentioned APIs, we suggest altering your method names so that
they no longer collide with Apple's private APIs to avoid your
application being flagged in future submissions.
Additionally, if you are using third party libraries, please update to
the most recent version of those libraries. If you do not have access
to the libraries' source, you may be able to search the compiled
binary using the "strings" or "otool" command line tools. The
"strings" tool can output a list of the methods that the library calls
and "otool -ov" will output the Objective-C class structures and their
defined methods. These tools can help you narrow down where the
problematic code resides. You could also use the "nm" tool to verify
if any third-party libraries are calling these APIs.
Is this sure? or they made a mistake?
Thank you very much!
I'm in process of making a new iOS tweak. I grabbed iOS Headers https://github.com/MP0w/iOS-Headers.
Later on I figured out another repository on Github named iOS Runtime Headers https://github.com/nst/iOS-Runtime-Headers
Now i'm confused. What is the difference between these two?
There are 3 main sources for headers: from the developer of the code, from class-dump, and from a runtime header dumping tool.
Apple or SDK developers will release a header file that includes the public interface they intend other developers to use. It might not include some methods/variable declarations they don't want you to see. UIView.h from Apple's SDK would be a great example of something they're hiding certain info from.
Just because they didn't include those methods in the header file, doesn't mean that instances of those classes can't respond to them. This is where a tool like class-dump comes in, which looks through the compiled Mach-O files to determine which methods/ivars the class contains, and generate a header according to that.
Entirely new classes, methods, and ivars can be added to removed during runtime, using Objective-C's runtime features. Things like categories that get loaded from other SDKs/object files won't appear in a class-dump of the original class either. For these reasons, runtime dumping tools can see what instances of these classes can actually respond to during runtime.
Each set of headers can be useful in determining the intended and unintended uses for a class, knowing the differences can help you get a clearer picture of whatever you're reverse engineering.
It's hard to say what the differences are. They are both sets of headers generated with runtime introspection. The first one says it's headers both public and private.
Just so everybody understands, both links point to sets of headers that give you access to private OS APIs. Using these will get you rejected from the app store. They're only really useful for developing apps for the developer's personal use, or for jailbroken development.
I am working with a fat static library that uses dlopen() to load interal modules(.so) files inside the static library. On stackoverflow, developers says dlopen() is a private API.
In this case is it fine to use dlopen() or being an private API it shouldn't be used in user libraries irrespective of the library nature i.e static/dynamic.
If I can't use the dlopen() then can someone point to any resource for alternative way to accomplish the same task.
Note: This is regarding baresip BSD library. (http://www.creytiv.com/)
Update: The library is first trying to load all configured modules statically and if it fails then it is trying to load them dynamically using dlopen(). so removing the dynamic loading code will resolve my problem.
dlopen is not allowed on the iOS versions < iOS 8. See e.g. here.
Using dlopen with literal parameters has always been OK.
dlopen is documented, so it’s not a private API. Just type man dlopen in your terminal, or see App Extension Programming Guide > Handling Common Scenarios, or Dynamic Library Usage Guideline >1, 2.
If you try to use dlopen with code signed by you but not included in the app reviewed, you are infringing App Review Guidelines 2.5.2:
2.5.2 Apps should be self-contained in their bundles, and may not read or write data outside the designated container area, nor may they download, install, or execute code, including other apps.
and you may get a message like this:
Your app, extension, and/or linked framework appears to contain code designed explicitly with the capability to change your app’s behavior or functionality after App Review approval, which is not in compliance with App Store Review Guideline 2.5.2 and section 3.3.2 of the Apple Developer Program License Agreement.
This code, combined with a remote resource, can facilitate significant changes to your app’s behavior compared to when it was initially reviewed for the App Store. While you may not be using this functionality currently, it has the potential to load private frameworks, private methods, and enable future feature changes. This includes any code which passes arbitrary parameters to dynamic methods such as dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations(), and running remote scripts in order to change app behavior and/or call SPI, based on the contents of the downloaded script. Even if the remote resource is not intentionally malicious, it could easily be hijacked via a Man In The Middle (MiTM) attack, which can pose a serious security vulnerability to users of your app.
I have read that class-dump utility is used to dump headers from iphone private api's. However, it does work only for objective-c frameworks. I wanted to know how it works for frameworks written in C, example - IOSurface, IOMobileFramebuffer etc.
The second part of the question is very generic. I have an app with me downloaded from cydia or istore. How do i go about reverse engineering the app on a jailbroken deivce (if that is actually needed). To be specifc, I am able to locate the executable binary and the dylibs. I am able to see the frameworks being used. But, how do I make out what functions inside the frameworks are being called by the app ?
Thanks.
I would recommend to break down this question to two questions:
1) "I wanted to know how it works for frameworks written in C, example - IOSurface, IOMobileFramebuffer etc."
I had exactly the same question:
Getting signatures of private API methods for iOS
The answer is
a) Try to google C method to see whether somebody else has disassembled it and found method signature.
b) If nobody did this before, you can be the first who will do it
2) "how do I make out what functions inside the frameworks are being called by the app ?"
There are two types of references to functions in frameworks/libraries:
Compile time references
You use some disassembler, it will list all compile time references to frameworks/dylibs.
Runtime references
These are references when somebody does dlopen, dlsym or NSBundle to use some functions.
You will have to disassemble and look/grep through disassembled code to find where they are used. There will be strings with the names of methods which are used.