Recent policy changes with iTunes Connect mean that any application which gives "unrestricted" access to the internet (via UIWebView) must have a 17+ rating.
I have such a feature in my app, but it is a very non-critical feature. Rather than removing it all together, I wondered if there is a way to have an age protection around these features to avoid needing the 17+ rating.
For example: could I require Facebook login and check the user's age?
Has anybody had success with techniques like this?
I've had to use UIWebView in an app before and the best way around it is to restrict it to what it can do. Do you need to give the users wide access to the web or just your site? I simply made a little 10 minute mobile port and mapped it so there was no external site access.
I doubt a Facebook login would satisfy Apple but unrestricted means giving the UIWebView full access to the web by putting in a URL bar or a search box to Google.
Related
Do i need to select YES to unrestricted Web Access if i use a WKWebView that ONLY allows one website to be displayed to the user? I have set up that they can't browse another website than one I decided.
No, then you don't need to click this setting, I've created an app that can access all websites even http and I've selected this, the app got a high age rating but got approved.
Be sure that the user cannot hop from that one site to others like if it were a search engine.
We are having an iOS web app for the iPhone 6s. This app needs user authentication in the context of licensing. The user should be able to authenticate himself and must not be able to give his own license to someone else.
Here are the ideas I was thinking of yet:
1: IMEI
If I could retrieve the IMEI using PHP or JavaScript, it would be a great start. But this is not possible, unless it's a native app. And that's just not an option here.
2: Authentication token
Passing a secret authentication token through the URL, like a serial key could work. But the user could easily give it to someone else. And checking IP addresses to detect unlicensed use is not easy, because IP addresses of mobile devices change and make it hard to distinguish one user having different IP addresses from multiple users.
I'm trying hard to think outside the box. But is there any way to authenticate the user of this iPhone web app securely?
We don't want security through obscurity solutions here; It may be not possible to make it definitely impossible to bypass. But it should be as secure as possible.
in my iPhone app, I implemented the Facebook API, to piggy back on their user identification.
Now, rather than polling Facebook every once in a while to see if the information of a logged in user has changed, I would like to use the 'User object subscriptions'. From this document I learned, that I have to create a Callback URL (done, and tested), and that my app needs to be Whitelisted.
On developers.facebook.com/apps/ I can't find a way to apply for being whitelisted, and Google doesn't seem to be my friend anymore.
I hope you are.
The docs are stating
...some of these objects may require your app to be whitelisted by Facebook for access.
Basic Realtime Updates should work without any whitelisting involved, at least they do so for myself.
Whitelisting your app is not always easy to do, as certain APIs are meant to be quite restricted at a developer level. You can find further information about whitelisting here if you have not already done so.
As far as whitelisting, in your case I believe it just a matter of your app settings and IP whitelisting, which you can find more information about here .
It seems this used to be possible, but not anymore. Here's my dilemma: I'm creating an iPad educational software app, and I want to let students log in with their Google Apps for Education accounts using OpenID-Connect.
... I guess my first question is: is the current Google+ SDK the right way to perform login against GAFE? What about the forthcoming "Google Classroom"?
So say I do this - the student pushes the "login with google button", the sdk performs an app switch to safari and lets the user log in to their google account, push the permissioning buttons, and app-switches back to my app, and the user is now logged in. Fine. At the end of the class period, the user logs out of my app and hands in their device. The next period, though, another student logs in, and because the first user has forgotten to also log out of google in safari, the second user has access to their account.
... My second question is: is this a valid concern? Seems like this would be a pretty common usage pattern.
... Third question - can I get around this? Can I make Google+ sdk use an internal UIWebView, or no web stuff at all? This is what seems like used to be possible, but no longer...
EDIT: Spoke to google tech support for apps-for-enterprise (thx M!) and they say that there is no way to authenticate against google openid-connect without going through a browser. This is, I believe, a security problem - students being kids, they will forget to log out of the browser, and the next kids will get into mischief. Oh well.
The GPPSignin class describes itself as:
It provides single sign-on via the Google+ app (if installed), Chrome
for iOS (if installed), or Mobile Safari.
Internal web views are not mentioned. You may need to implement OAuth2.0 on your own to allow your internal UIWebView to manage authorization.
Google publishes an API which includes a method to signOut. You can use it at your app's discretion in addition to the SDK requirement that a user be able to sign out manually.
https://developers.google.com/+/mobile/ios/api/interface_g_p_p_sign_in
I'm working on an iPhone app that is logging into a webservice and it's been asked of me to get the account login management into the settings page (i.e. next to Twitter, Facebook and Vimeo). From what I've been reading about the accounts framework, it appears that only those few companies have that ability.
I currently have it set up and working asking for login info periodically and polling the webservice for validation, but we're trying to move toward supporting moderately offline use, which means we need to have some sort of account info managed on the phone itself.
Can I use the built-in account framework for our own login credentials or is that not something that's available to a regular dev and I'll have to look for another way to do it on my own? Is that something that the keychain would be better for?
Using the keychain to securely store the users credentials is a good idea to start.
If I am understanding your question about a "built-in account framework", I don't believe there is a local framework for account management on the device itself that I am aware of that would be useful in this circumstance.
I've had to build an app that needed to authenticate to a web service that also needed to have some offline access. I ended up recording the validated authentication date and time in the NSUserDefaults and would let the user use the app for a 48 hours period before they had to re-authenticate. Their data was queued locally and when they had online access again, I would re-authenticate and then sync the data. Not the most elegant solution but it fit the project.
I used AFNetworking (http://afnetworking.com) to track the changes in network access and used to blocks to respond to the changes.