I got a response from the Apple Review Team:
Dear Developer,
Your app, extension, and/or linked framework appears to contain code
designed explicitly with the capability to change your app’s behavior
or functionality after App Review approval, which is not in compliance
with section 3.3.2 of the Apple Developer Program License Agreement
and App Store Review Guideline 2.5.2. This code, combined with a
remote resource, can facilitate significant changes to your app’s
behavior compared to when it was initially reviewed for the App Store.
While you may not be using this functionality currently, it has the
potential to load private frameworks, private methods, and enable
future feature changes.
This includes any code which passes arbitrary parameters to dynamic
methods such as dlopen(), dlsym(), respondsToSelector:,
performSelector:, method_exchangeImplementations(), and running remote
scripts in order to change app behavior or call SPI, based on the
contents of the downloaded script. Even if the remote resource is not
intentionally malicious, it could easily be hijacked via a Man In The
Middle (MiTM) attack, which can pose a serious security vulnerability
to users of your app.
Please perform an in-depth review of your app and remove any code,
frameworks, or SDKs that fall in line with the functionality described
above before submitting the next update for your app for review.
Best regards,
App Store Review
I checked my code again and I see that AFNetworking includes the methods performSelector:, method_exchangeImplementations(), and respondsToSelector:.
I intend to tell Apple that AFNetworking is open source and legal, but I think Apple will NOT trust me.
So I have 2 questions:
Does Apple ask me to remove AFNetworking from my code once they know AFNetworking includes respondsToSelector:, performSelector:, and method_exchangeImplementations()?
As Apple sees it, is AFNetworking legal? Are there any documents to prove it?
After getting the same message and reading in different forums, it is possible you are using a 3rd party service which allows you to alter the code after uploading the app to the AppStore.
The most popular service for that is Rollout.io, which I had to remove from my own app.
I strongly doubt that AFNetworking would cause you any issues (still looking for an answer from Apple myself, and will update when they do answer).
Update: Apple has approved my app, meaning it was Rollout.io indeed. I believe it'll be true for any 3rd party code injection tool.
I still have AFNetworking, so no problems there.
Got Metadata Rejected from the App Store. I have done a lot of research online, but still couldn't figure out exactly what needs to be done.
I did my best to make sure the wording is appropriate. I replied to the message in the resolution centre about what I had modified (understood that the binary is fine).
But 1 day later, Apple replied saying please make sure that your app does not violate any of the guidelines listed in our previous message.
Here are the items they are talking about.
It is just a math game I made to calculate 24 from 4 numbers. Very straightforward.
I asked in my reply which one is the problem, because a few of the items are obviously not related to my app.
Guideline 2.1 - Information Needed
This type of app has been identified as one that may violate one or
more of the following App Store Review Guidelines. Specifically, these
types of apps often:
1.1.6 - Include false information, features, or misleading metadata.
2.3.0 - Undergo significant concept changes after approval
2.3.1 - Have hidden or undocumented features, including hidden "switches" that redirect to a gambling or lottery website
3.1.1 - Use payment mechanisms other than in-app purchase to unlock features or functionality in the app
3.2.1 - Do not come from the financial institution performing the loan services
4.3.0 - Are a duplicate of another app or are conspicuously similar to another app
5.2.1 - Were not submitted by the legal entity that owns and is responsible for offering any services provided by the app
5.2.3 - Facilitate illegal file sharing or include the ability to save, convert, or download media from third party sources without explicit authorization from those sources.
5.3.4 - Do not have the necessary licensing and permissions for all the locations where the app is used
My iOS app has gone through multiple releases. I just added another feature (playing audio files using facebook audio360 tbe format), and the app got rejected with the wording:
From Apple
2.3 Performance: Accurate Metadata, Guideline 2.3.1 - Performance
We discovered that your app contains hidden features. Specifically, it
would be appropriate to remove all code obfuscation and selector
mangling from this app before resubmitting for review.
The next submission of this app may require a longer review time.
Next Steps
Review the Performance section of the App Store Review Guidelines.
Ensure your app is compliant with all sections of the App Store Review Guidelines and the Terms & Conditions of the Apple Developer Program.
Once your app is fully compliant, resubmit your app for review.
Submitting apps designed to mislead or harm customers or evade the
review process may result in the termination of your Apple Developer
Program account. Review the Terms & Conditions of the Apple Developer
Program to learn more about our policies regarding termination.
If you believe your app is compliant with the App Store Review
Guidelines, you may submit an appeal. Alternatively, you may provide
additional details about your app by replying directly to this
message.
I am not performing "code obfuscation and selector mangling". I submitted an appeal, which was also rejected, pointing to the same guideline.
I am using objective-c with some swift, Xcode 9, Product -> Archive -> Submit to App Store... Is it doing some obfuscation that I could turn off?
Perhaps your audio playing feature is using a 3rd party framework which does use code obfuscation?
In any case, you can use the /usr/bin/nm tool for outputting the symbols within your raw executable and see if any of those look "mangled" in any way.
It's most probably a 3rd party library that does that.
I used Hopper to get to know the library.
First, unzip the ipa and get the app file.
Second, Drag it to Hopper and start scanning it.
Third, search for the mangled selectors.
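As an added example (not code from this thread or from any of the posters), here is a Python audit that reads `nm -g` style output from your own build and flags the things discussed in these questions: undefined imports of the dynamic loading and swizzling functions the review note lists (`dlopen`, `dlsym`, `method_exchangeImplementations`), Objective-C method symbols whose selector starts with `performSelector` or `respondsToSelector`, and class or selector names that look mangled. The "looks mangled" test is a vowel-free heuristic of my own, not anything Apple documents. The sample `nm` output is constructed, and the class and selector names in it are made up.

```python
import re

# Constructed sample of `nm -g` style output; not taken from any real app.
# Undefined (U) lines are imports; lowercase types are local symbols.
SAMPLE_NM_OUTPUT = """\
                 U _dlopen
                 U _dlsym
                 U _method_exchangeImplementations
                 U _objc_msgSend
0000000100004f20 T _main
0000000100005a40 t -[NetworkSessionManager respondsToSelector:]
0000000100006100 t -[ViewController viewDidLoad]
0000000100006200 t -[ViewController performSelector:withObject:]
0000000100007000 t -[ZqxWv9 m3kQp8:]
"""

# One nm line: optional hex address, a one-letter symbol type, the name.
SYMBOL_LINE = re.compile(r"^\s*(?:[0-9a-fA-F]+\s+)?([A-Za-z?])\s+(.+?)\s*$")
# Objective-C method symbol: -[Class(Category) selector:with:]
OBJC_METHOD = re.compile(r"^[-+]\[([^\s(]+)(?:\(([^)]+)\))? (.+)\]$")

# Imports named in the review note, plus two runtime functions with the
# same effect (assumption: these are the ones a reviewer would care about).
DYNAMIC_LOADING = {"_dlopen", "_dlsym", "_method_exchangeImplementations",
                   "_method_setImplementation", "_class_addMethod"}
DYNAMIC_SELECTORS = ("performSelector", "respondsToSelector")


def looks_mangled(token: str) -> bool:
    """Heuristic: real class and selector names are English-ish words and
    contain vowels; obfuscators tend to emit vowel-free random strings."""
    letters = [c for c in token if c.isalpha()]
    return len(letters) >= 4 and not any(c.lower() in "aeiou" for c in letters)


def audit_symbols(nm_text: str):
    """Return (symbol, reason) pairs for every symbol worth a second look
    before submission. Only reports; it does not judge compliance."""
    findings = []
    for line in nm_text.splitlines():
        m = SYMBOL_LINE.match(line)
        if not m:
            continue
        sym_type, name = m.groups()
        if sym_type == "U" and name in DYNAMIC_LOADING:
            findings.append((name, "dynamic loading / swizzling import"))
            continue
        om = OBJC_METHOD.match(name)
        if not om:
            continue
        cls, _category, selector = om.groups()
        if selector.startswith(DYNAMIC_SELECTORS):
            findings.append((name, "dynamic dispatch selector"))
        parts = [p for p in selector.split(":") if p]
        if looks_mangled(cls) or any(looks_mangled(p) for p in parts):
            findings.append((name, "possibly mangled class or selector name"))
    return findings


if __name__ == "__main__":
    import sys
    # Usage: nm -g YourApp.app/YourApp | python3 audit_symbols.py
    text = SAMPLE_NM_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for symbol, reason in audit_symbols(text):
        print(f"{reason:40s} {symbol}")
```

A hit only tells you which symbol is present and, with `nm -o` on the individual object files, which library it comes from; as the first question in this thread shows, a dependency such as AFNetworking can trigger the listed names without being what the reviewers object to, while a remote code injection SDK was the actual cause there.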
I have an app in Cydia and I want to make the same application as a LITE version and put it in the AppStore. My question is: will Apple reject my app if they check it somehow? Actually my app works with web services, so I have a real working domain. And I want to use the same domain or to make another second lite-like domain of the original one...
Thanks in advance..
No, the yxflash team does a similar thing: they have a version of their application in Cydia (because, when they released it, the code was using private APIs), and they have another version (actually 3) in the AppStore called yxplayer. So from what I see there, you should be fine; Apple doesn't seem to check those things.
This is an explicit violation of the iOS developer agreement; your presence in the App Store will depend on being obscure enough that Apple doesn't notice what you're doing and nobody tells them. That's not how I would want to do business, but to each their own?
7.3 No Other Distribution Authorized Under this Agreement
Except for the distribution of freely available Licensed Applications and the distribution of Applications for use on Registered Devices as set forth in Sections 7.1 and 7.2 above, no other distribution of programs or applications developed using the Apple Software is authorized or permitted hereunder. In the absence of a separate agreement with Apple, You agree not to distribute Your Application to third parties via other distribution methods or to enable or permit others to do so.
Just submit the app, you will be fine.
Apple simply can't prove that YOU also submit the same app to Cydia.
That is, you can claim that your dog/cat/fish/wife/kid used the code to submit to Cydia during your sleep.
This is my first attempt to implement an anti-piracy code in my App.
I am using the Landon Fuller method (LC_ENCRYPTION_INFO).
This method is based on the App being encrypted when downloaded from the App store.
I checked and found out that downloaded Apps are indeed encrypted. I also found out that when I create my App in Xcode - even if I use Release build - the App is not encrypted yet.
Here's my question: When I upload the App to Apple using Application Loader, will they test it after it has been encrypted or will they test it in its unencrypted form? The latter will cause the App not to function properly, which will of course result in the App not being approved.
This article is old and that's the wrong way to deal with piracy (using In-App Purchases you can verify the purchase).
Most likely the app will be rejected because of using undocumented APIs;
the author himself states he is not using it anymore.
Quote from the page:
However, there's a problem -- none of this is documented by Apple. While most of the APIs and file formats are public, the actual distribution format is not. Apple could change the signature format, the meta-data plist, or any other distribution component at any time, at which point your copy protection may raise a false positive, and your paying customers will be wondering why you're wasting their time.
So the answer to your question is: don't worry about how they are going to test it, because it won't pass.
How can I determine if DRM was removed from iPhone application bundle (to protect it from piracy)?
I have an iPhone app which integrates with a third party web service. I use the technique described in this question to find pirates and then have the app "phone home" with the user's device ID and user ID for the web service (I haven't done anything with this information yet, but I was thinking about contacting them and asking them nicely to purchase my app).
In addition, once a user has used my app for a certain amount of usage, I limit functionality and direct the pirates to the App Store for full functionality.
To my knowledge, there's only one way to remove DRM: Crackulous.
So to find out what to look for in a cracked application, I would run Crackulous on your app and compare the app bundles. It should be fairly easy to determine what's been changed by looking at filesizes and running a diff on the files in the bundle.
Once you know what the changes are and to what file(s), just look for those changes in your application to determine if the application has been cracked.
If you find out exactly which files should be checked, please post your findings here so others can benefit from your research.
My previous Stack Overflow question may help you out: Reducing piracy of iPhone applications
It's probably worth pointing out that there are no casual "pirates". Casual users cannot download your app from the app store without buying it. All the DRM-removal schemes require to be run on a legitimately purchased copy.
As to looking at the bundle for changes, as I recall all you need to do is step through the link-loader commands and ensure that the code bundle is still tagged as encrypted. No need to compare it with anything. You'll need to read about the Mach-O file format to do this, but that's not difficult; it's all documented on developer.apple.com.
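The check described in the last answer, and the LC_ENCRYPTION_INFO method from the anti-piracy question above, as an added example in Python (not code from this thread, from Landon Fuller's article, or from Apple): it walks the load commands of a thin Mach-O image and reports the `cryptid` of the `LC_ENCRYPTION_INFO` / `LC_ENCRYPTION_INFO_64` command, which is non-zero on a store-delivered copy and zero (or absent) once the FairPlay layer has been stripped. The constants come from Apple's `<mach-o/loader.h>`; the sample images are constructed by `build_sample` and contain nothing but a header and one load command.

```python
import struct

# Mach-O constants from <mach-o/loader.h> and <mach-o/fat.h>.
MH_MAGIC = 0xFEEDFACE          # 32-bit image, little-endian on disk
MH_MAGIC_64 = 0xFEEDFACF       # 64-bit image, little-endian on disk
FAT_MAGIC = 0xCAFEBABE         # universal (fat) wrapper, big-endian
LC_ENCRYPTION_INFO = 0x21      # fields: cryptoff, cryptsize, cryptid
LC_ENCRYPTION_INFO_64 = 0x2C   # fields: cryptoff, cryptsize, cryptid, pad
MH_EXECUTE = 2
CPU_TYPE_ARM = 12
CPU_TYPE_ARM64 = 0x0100000C


def encryption_cryptid(image: bytes):
    """Walk the load commands of a thin Mach-O image and return the cryptid
    of its LC_ENCRYPTION_INFO(_64) command, or None if the command is absent.
    Raises ValueError for fat wrappers and malformed input."""
    if len(image) < 28:
        raise ValueError("too short to be a Mach-O image")
    magic = struct.unpack_from("<I", image, 0)[0]
    if magic == MH_MAGIC_64:
        header_size = 32
    elif magic == MH_MAGIC:
        header_size = 28
    elif struct.unpack_from(">I", image, 0)[0] == FAT_MAGIC:
        raise ValueError("fat binary: split it per architecture first (lipo -thin)")
    else:
        raise ValueError("unrecognised magic 0x%08x" % magic)
    # ncmds and sizeofcmds sit at offset 16 in both header layouts.
    ncmds, sizeofcmds = struct.unpack_from("<II", image, 16)
    offset, end = header_size, header_size + sizeofcmds
    if end > len(image):
        raise ValueError("load commands extend past end of image")
    for _ in range(ncmds):
        if offset + 8 > end:
            raise ValueError("truncated load command table")
        cmd, cmdsize = struct.unpack_from("<II", image, offset)
        if cmdsize < 8 or offset + cmdsize > end:
            raise ValueError("bad cmdsize in load command")
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            if cmdsize < 20:
                raise ValueError("encryption info command too short")
            _cryptoff, _cryptsize, cryptid = struct.unpack_from("<III", image, offset + 8)
            return cryptid
        offset += cmdsize
    return None


def is_still_encrypted(image: bytes) -> bool:
    """The test the thread describes: the store-delivered binary carries an
    encryption command with cryptid != 0. A missing command or cryptid == 0
    means the copy was never encrypted (a local Xcode build) or was stripped."""
    cryptid = encryption_cryptid(image)
    return cryptid is not None and cryptid != 0


def build_sample(cryptid, bits: int = 64) -> bytes:
    """Construct a minimal image with one encryption-info command (or none
    when cryptid is None). Constructed test input, not any real app."""
    if cryptid is None:
        lc = b""
    elif bits == 64:
        lc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x10000, cryptid, 0)
    else:
        lc = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x4000, 0x10000, cryptid)
    ncmds = 1 if lc else 0
    if bits == 64:
        header = struct.pack("<IiiIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0,
                             MH_EXECUTE, ncmds, len(lc), 0, 0)
    else:
        header = struct.pack("<IiiIIII", MH_MAGIC, CPU_TYPE_ARM, 9,
                             MH_EXECUTE, ncmds, len(lc), 0)
    return header + lc


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        print(sys.argv[1], "cryptid =", encryption_cryptid(data),
              "still encrypted =", is_still_encrypted(data))
    else:
        for cid in (1, 0, None):
            print("sample cryptid", cid, "-> still encrypted:",
                  is_still_encrypted(build_sample(cid)))
```

Two caveats the thread itself raises apply to this check: a Release build straight out of Xcode is also unencrypted, so the result only means something for a copy that came through the App Store, and the distribution format is undocumented, so a change on Apple's side can turn it into a false positive against paying users.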