I know ASIHTTPRequest works perfectly well with HTTPS. All we need is this one line of code:
[myASIHTTPRequest setValidatesSecureCertificate:NO];
Here's my question, I don't have any HTTPS certificates approved by any authority, including the US government. And I am not a US citizen, and my app isn't targeted at the US market. When I submit an app containing the above HTTPS code,
Do I need to check the encryption box when submitting?
If I don't check that box, will the HTTPS code be detected? (Like a private API?)
If I check that box, will I get rejected? (since I don't have any certificates approved by any authority)
If I have to get a certificate approved by someone before my app gets approved by the App Store, how long will this apply-and-get-approved process be, and what about the cost?
Thanks in advance!
Do I need to check the encryption box when submitting?
No. You're not encrypting any data on the device; it's only transport encryption provided by Apple, so you don't have to tick the box.
If I don't check that box, will the HTTPS code be detected? (Like a
private API?)
As above, it doesn't matter.
If I check that box, will I get rejected? (since I don't have any
certificates approved by any authority)
If you tick the box you have to fill out a lot more information, and you're in for a long, long wait just getting the legal stuff squared away before you even get to the app review.
If I have to get a certificate approved by someone before my app gets
approved by the App Store, how long will this apply-and-get-approved
process be, and what about the cost?
You buy a certificate from any root certificate authority. Certificates expire, so you have to renew it when it runs out. The cost depends on who you buy the certificate from. I would recommend that you shop. You can also get wildcard certificates, e.g. *.example.com, that would allow you to set up any site ending in .example.com.
The accepted answer is simply wrong, and following its advice puts your app in danger of being removed from the App Store. You should look at the FAQ for Worldwide Trade Compliance on the iTunes Connect site. It clearly states that even if you use iOS-provided HTTPS, you still need to submit an ERN request to the US government. Also, it does not matter that you live outside the US, as your app is distributed by a company (Apple) in the US.
See this blog post for more details, especially the comments, as BIS has recently made it easier to apply.
I am a developer and I am making an app for my client.
I have an indie developer account, so during the testing period I am using the client's UDID to build the ipa file so they can test on their iOS devices.
Now the client will distribute the final ipa file to iTunes Connect.
So what are the different legal solutions for this?
Assume that they have an indie developer account too, and that the client is non-technical, so they don't want to mess with Xcode or source code.
And in the future I will do the same for other clients too.
In order to submit an app to iTunesConnect, it has to be signed with a valid distribution certificate and provisioning profile that match the developer account they are submitted to. That means that someone (whether it's you or your client) needs to create an appID, a distribution certificate and a matching app store provisioning profile that you will then use in Xcode to sign the ipa that will be submitted to the store.
Since your client isn't a technical person and you will most likely be able to do that process much quicker and more efficiently than he/she will, the best solution would be for your client to simply give you the credentials to the developer account and for you to perform these steps there. If that's not an option, and your client has a company account (and not a personal account), he/she can give you access to their account by adding you to their development team - that way, you'll still be able to perform the necessary actions on the account, without having the admin's personal credentials.
As for the submission itself, once you have a signed archive, you can either submit it directly via Xcode or you can send the signed ipa to the client, and he/she can submit it via Application Loader from their admin credentials. But, you will still have to sign it with valid certificate/profile from the right developer account.
I hope this makes sense and makes things a bit clearer. Good luck.
My app is a sync solution (imagine dropbox).
The user needs to sign in to access the app's features, and if he does not have any account already created, he can sign up.
The sign up asks for email id verification, and this email id is also used if the user has forgotten his password to send him one.
But Apple has rejected this app, saying:
17.2: Apps that require users to share personal information, such as email address and date of birth, in order to function will be rejected
We found that your app requires customers to register with personal information to access non-account-based features, which is not in compliance with the App Store Review Guidelines.
Apps cannot require user registration prior to allowing access to app features and content that are not associated specifically to the user. User registration that requires the sharing of personal information must be optional or tied to account-specific functionality. Additionally, the requested information must be relevant to the features.
Although guideline 11.6 of the App Store Review Guidelines requires an application to make subscription content available to all the iOS devices owned by a single user, it is not appropriate to force user registration to meet this requirement; such user registration must be made optional.
It would be appropriate to make it clear to the user that registering will enable them to access the content from any of their iOS devices, and to provide them a way to register at any time, if they wish to later extend access to additional iOS devices.
Please help me solve this. Many apps like Dropbox/Facebook require login.
I don't get the exact reason why they rejected my app.
Also, please guide me about the in-app purchase, and why registering cannot be mandatory.
I asked the App Store Review people for clarification on their rejection.
They accepted it, and the app got approved :D
It's on the App Store now :)
I also faced this kind of problem, and my app was also rejected due to this. I then changed my app flow so that user registration is optional. The user can see all the features of the app without registration by skipping this step. If he wants to do something user-specific (such as likes, comments, photo uploads, etc.), then you can ask him to register; otherwise he can use the contents and features which are public.
In the case of in-app purchase, you can prompt the user that if he registers with your app he will be able to use this content on all his devices.
It would be appropriate to make it clear to the user that registering will enable them to access the content from any of their iOS devices, and to provide them a way to register at any time, if they wish to later extend access to additional iOS devices.
Apple does not allow apps that require you to share personal information, like an e-mail address, to work.
Your options are: remove the need for an e-mail address, or remove account creation from your app and move it to a website.
It also states that your app is asking to create an account to access the full app, and even needs the account to access features that do not require the user to have an account. If you can make those features available without creating an account, you might be able to get through the review.
The reason apps like Facebook and Dropbox got through the review process is because they don't have a register option which is in-app only. They redirect to a website.
I recently spoke to an Apple Rep over the phone in regards to an app of mine that was also accused of violating clause 17.2.
I explained to him that the email would be used for password recovery, monitoring transactions within the marketplace, and managing any inappropriate behavior (such as users uploading offensive or copyrighted content). The rep responded, "Sir, the clause states 'Apps that require users to share personal information, such as email address and date of birth, in order to function will be rejected'. I cannot allow you to require your users to submit their emails if it's not account-based". He did not seem to understand that the emails are account-based for the very sole purpose of security.
I did mention to him that Instagram and Facebook alike require logins at startup. He simply replied, "Yes but those apps are entirely account-based."
Honestly, I felt he was blindly following Apple's Guidelines ("Because that's what it says we must strictly follow!"). He had little understanding of how social networking apps operate, and even less understanding of the law (specifically the DMCA - on a separate issue). Explaining to them how all that works proves to be futile; they won't budge because they are asked to follow Apple's BROAD Clauses as strictly as they do.
My conclusion: I had to compromise the app's user flow such that the app's registration page can be skipped, and all other functions within its marketplace were locked to non-registered users. It makes no sense.
The sign up asks for email id verification, and this email id is also used if the user has forgotten his password to send him one.
Apps cannot require user registration prior to allowing access to app features and content that are not associated specifically to the user.
It seems to me that the point is that you are asking the user to provide his email address as a step towards the creation of a user account. This is different from what Dropbox and other apps do (i.e., you provide your credentials for your Dropbox account, which is different from your email address, although it can be the same).
You may either remove email verification altogether, or you could postpone it to a later point when you have made clear to the user that this is required to access private information.
I got the same thing last week and this is Apple's reply:
As for the 17.2 issue, a nickname, avatar, or sharing are not inherent or specific features of those social networks, and thus, the user should not be required to register with those services, or provide you with access to their social network accounts. The user should not be prevented from using your app and service if they do not provide this information.
Instead, it would be appropriate to use your own authentication method and give users the option to create a nickname and upload an avatar, independent from those networks.
Moreover, we realize that these social networks may be very popular. However, the popularity of the social network is not an appropriate reason to force a user who has not, or chose not to register and provide their personal information to those services, before they can use your app.
Therefore, we ask that you include your own authentication mechanism to allow the user the option to register only with you, creating an account with only the information needed and relevant to your app's features.
Best regards,
App Store Review
So in short, you have to provide custom authentication and not just use Facebook, although I've seen many apps that do require you to log in with Facebook.
Thanks,
James
The same happened to me: although the first version was approved, the second version was rejected for this reason. I added a Skip button at the landing view.
It's all summarized in the last paragraph. Apparently, your application doesn't inform the user (in a clear way) that registering is for syncing and from their reply, it seems that your application is useless without the Sign Up.
If that's the case, you should be more specific why you need the user to register.
On a side note, I personally don't like the applications/websites that force you to register before you see or try anything. I hope your application isn't the same.
I'm sorting through the various Apple docs, but haven't seen it yet.
Here's the deal: I've created a series of apps that are for a service for NPOs. These are hugely popular (albeit in a very small pond), and I have been asked to make customized versions for some of these organizations.
It's a FOSS app, but these outfits can't get iOS programmers to build and release the apps. They are willing to set up App Store accounts, but don't have the geeks on hand.
Due to the way the organization manages its IP, I am not allowed to release branded apps under my app store account. They need to release under theirs.
I don't want to set up an enterprise account for this. I haven't read up on that, but I'll bet that it would not be practical, anyway.
Is there a reasonable way for folks to take apps built on one account, and apply a new provisioning profile, and release it via another account?
Yes a company can take any developer app, sign it with their own certificates, and submit it using their own iOS enrolled team leader ADC account. They can even hire a contractor or temporary employee and legally authorize them to do this work for them.
If you do this type of subcontracting, you might want to get authorization in writing from the CEO, COO or chief legal counsel of the company to do so.
You can use a different provisioning profile and deliver the app to the other guys. You can have multiple profiles in your Xcode and select which one you want to sign the app with when you create the archive.
You can either do this yourself by getting access to your client's app store signing certificates, or you can get your clients to use their codesign tool - details on the latter technique can be found on Google - here is one example.
Enterprise accounts don't let you release on the App Store.
A typical way of handling this is for them to set up an account and give you the details for the team agent to log in. You then generate a key pair and a certificate signing request in Keychain Access. You log in as the team agent and use the certificate signing request to get a distribution certificate, which you then download and open - this will install into the keychain. Export the key pair and supply this to them so that they aren't screwed if you get hit by a bus or something.
From that point on, it's all stuff you should be used to. Xcode knows which private key to sign the build with because it matches the provisioning profile. It knows which provisioning profile to use because the app ID in the profile matches the app ID in the Info.plist file. Beta testing with ad hoc builds is the same as normal, except you register the UDIDs after logging into their account, not yours. Archives are not tied to your account.
When you submit the app through Xcode, you'll have to supply the team agent login details again. The submission will show up under their developer account, not yours.
Technically speaking, I think it breaks their developer agreement with Apple for them to supply a third-party (you) with their login details. However I don't believe it's possible to delegate all of the privileges necessary to submit an app to anybody other than the team agent, and the parts that can't be delegated aren't easy to explain to a non-technical person. You can script some of it to make it easier, but it's easy for them to get into a mess, so it's usually best if they let you handle it all.
The company I work for has outsourced development of an iPhone app to another company. They want the binary to be signed with our certificate for distribution, but they've asked me to pass the private key (certificates.p12) used to create our certificate on to the other company. I am extremely concerned about handing the ability to sign applications as us over to another company.
How can I convince my boss this is a really bad idea? What alternative solutions can I suggest to him? I have already asked him to get the source from them so we can sign and submit it ourselves, but without the ability to conclusively state that giving them the certificate is a bad idea, I'm kinda stuck in the "just look into it for me" limbo.
You don't need the source. You just need the compiled binary (make sure it's ARM, not x86) to sign with codesign.
The outsource company can just build and sign the app with their own certificate. You can then resign the app with your company's certificate before submission (use codesign).
There's not too much a consultant can do with the private key to just an App store Distribution certificate but without the team agent's iTunes Connect login credentials, as Apple's review team are the only ones who can run an app signed with your Distribution certificate, and you can't submit an app to iTunes Connect without the login matching the certificate (AFAIK).
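The answers above rest on the same mechanics: a build is tied to an account through its embedded provisioning profile (whose app ID must match Info.plist), and a contractor's binary can be re-signed instead of handing over the .p12. As an added example, not code from any of the posts, this Python script checks a received .ipa before it is re-signed or uploaded. The team ID, bundle ID and sample profile are constructed values, and the script reads the profile's plist without verifying the CMS or code signature.

```python
import datetime, io, plistlib, re, zipfile
from fnmatch import fnmatchcase

def read_profile(blob):
    """Pull the XML plist out of a CMS-wrapped .mobileprovision (signature NOT verified)."""
    start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
    if start < 0 or end < start:
        raise ValueError("no plist found in provisioning profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def check_ipa(ipa_bytes, expected_team, now):
    """Return a list of problems; an empty list means every check passed."""
    try:  # untrusted input: any parse failure is itself a finding
        with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
            apps = {m.group(1) for n in z.namelist()
                    if (m := re.match(r"(Payload/[^/]+\.app)/", n))}
            if len(apps) != 1:
                return ["expected exactly one Payload/*.app bundle"]
            app = apps.pop()
            info = plistlib.loads(z.read(app + "/Info.plist"))
            profile = read_profile(z.read(app + "/embedded.mobileprovision"))
    except Exception as exc:
        return [f"unreadable .ipa: {exc!r}"]
    problems = []
    ent = profile.get("Entitlements", {})
    if expected_team not in profile.get("TeamIdentifier", []):
        problems.append("profile was not issued to team " + expected_team)
    # application-identifier is "<prefix>.<bundle ID or wildcard>"
    app_id = ent.get("application-identifier", "").partition(".")[2]
    bundle_id = info.get("CFBundleIdentifier", "")
    if not app_id or not fnmatchcase(bundle_id, app_id):
        problems.append(f"app ID {app_id!r} does not match bundle ID {bundle_id!r}")
    # Device lists mean development/ad hoc; ProvisionsAllDevices means enterprise
    if "ProvisionedDevices" in profile or profile.get("ProvisionsAllDevices"):
        problems.append("not an App Store distribution profile")
    if ent.get("get-task-allow"):
        problems.append("get-task-allow is set (debuggable build)")
    if profile.get("ExpirationDate", now) <= now:
        problems.append("profile expired or has no expiration date")
    return problems

def build_sample_ipa(bundle_id, profile):
    """Constructed input: minimal .ipa with placeholder bytes standing in for the CMS wrapper."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Demo.app/Info.plist", plistlib.dumps({"CFBundleIdentifier": bundle_id}))
        z.writestr("Payload/Demo.app/embedded.mobileprovision",
                   b"\x30\x82\x00\x00" + plistlib.dumps(profile) + b"\x00\x00")
    return buf.getvalue()

SAMPLE_PROFILE = {  # constructed values, not from a real account
    "TeamIdentifier": ["ABCDE12345"], "ExpirationDate": datetime.datetime(2031, 1, 1),
    "Entitlements": {"application-identifier": "ABCDE12345.com.example.sync",
                     "get-task-allow": False}}
```

An empty result only means the metadata is consistent; whether the signature itself is valid still has to be checked with codesign on a Mac.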
I am finishing an app for my client.
He wants to submit it to Apple himself.
What must I do?
Should I give him the app unsigned?
Should I ask him for a provisioning profile?
Should I be added to his team and to his Distribution Profile?
Thanks a lot for your help.
Thierry
Have your client sign up for the iPhone Developer Program so that when your client submits the app to the App Store it will be under the client's company name. You can still manage all the code signing and provisioning for your client if they do not know how to do this stuff. The client can simply give you access to their developer account to handle all that stuff.
I would just give him the source code, unless you specifically don't want to do that for some reason. That way, he can just compile it himself.
What I've done for clients who want to submit to Apple themselves:
The client must create (or you can create for them if they give you their login info) the app store distribution profile for the app and send it to you. Requires some communication between you and client to make sure they use the right app id, etc.
(I think you may need the client's developer certificate as well in order for them to "own" the app -- not 100% sure about this)
Don't forget to also get the private key file, as the certificate signing won't work without it.
I set the client cert / app store dist profile into the app and build the app for the App Store.
Deliver the binary to the client.
Client uploads to iTunes Connect.