I have read the secure coding guide provided by Apple. I am looking at developing a financial application. What are the best methods to authenticate the user? Are there any specific guidelines for finance applications (relating to security) given by Apple?
Just generic wisdom:
Don't store the password in plain text. Although the typical user can't access files inside of an iPhone, a jailbroken iPhone has full root access and will be able to peer inside the bundle, and can easily read a plain text file called "userPass.txt." Instead, use the iPhone's keychain to store logins and passwords.
As evidenced by PayPal's iOS security blunder that just happened, be sure to use a secure HTTPS connection when authenticating to a server. Someone packet sniffing on an open WiFi network is able to exploit the current iOS PayPal app and get credentials out of the air.
Related
DTMF call mechanism is my app.To access the app's feature first the user needs to sign in. If the user is new without any account created he can even sign up. The reasons to get rejected are the following.
11.13
We found that your app provides access to external mechanisms for
purchases or subscriptions to be used in the app, which is not in
compliance with the App Store Review Guidelines.
New user registration is not appropriate. Please see the attached
screenshot/s for more information.
To be in compliance with the App Store Review Guidelines, it would be
appropriate to remove the access to these mechanisms - including fully
qualified links to your site that could indirectly provide access to
these mechanisms, such as links to web pages for support, FAQ, product
or program details, etc.
On occasion, there may be apps on the App Store that don't appear to
be in compliance with the App Store Review Guidelines. We work hard to
ensure that the apps on the App Store are in compliance and we try to
identify any apps currently on the App Store that may not be. It takes
time to identify these occurrences but another app being out of
compliance is not a reason for your app to be.
Please help me by giving a solution for this problem. It will be very helpful if I could get the exact reason for rejecting my app.
You are probably trying to sell something, that could be part of your app. For that you should use the IAP api, that means 30% to Apple. You should demonstrate to them that what you sell is not a part of your application or a subscription service.
The whole 11 chapter of Apple store guidelines is about purchasing.
You must be really sure that what you are selling cannot be "part" of your application or you need to use In App Purchase.
Can the user sign up within the app?
If not (if the user needs to open a site to sign app) that is the problem.
You should add a signup procedure inside the app.
We provide advertising capabilities to iPhone app customers, where they can advertise apps to millions of users on social network, and stand out among large number of apps in app store.
Now, to prove the ROI, we also want to provide statistics of how many users actually installed the app using our advertisements on social network.
My question is:
How do I verify whether user installed an app (when user clicks on advertisement and we take user to App Store (on mobile device) or itunes page (on PC/Mac) )
Is there a way to integrate with developer's interface to get this information?
Thanks in advance.
This is a broad question and there are some simple solutions which may require some work. Apple provides you no feedback for when an app is installed. Assuming you are storing the click of the ad on a server you will need to match to that click with something you send up when the app is opened for the first time.
(if the ad is shown in a native app on the phone) You can send up a unique key when the click happens and also send that same unique key when the app opens for the first time and match them on the server. This key can be a hashed mac address or something you save to the UIPasteboard. This requires integration on the side of your clients app because they will need to send a http request to you when the app launches.
If the social network is web based then your best bet is to match on IP address which isn't perfect but can give you a high percentage of accuracy.
I guess I'm assuming you are hosting the ads though. If you are not then you will have to rely on what the ad networks give you and many of them can provide some form of install tracking.
Well, you can always look at that persons phone and check if your app is present there :P
Just kidding.
You have some ways to get information such as these.
If you have registration in your app, you can monitor the userInfo, along with the UDID.
You can setup some webservice calls on applicationDidFinishLaunching for the first time events (using NSUserDefaults key to save the first time info) and use that.
Check out FLURRY for data analytics in your app. This is an awesome service, and allows you to track your users and how they interact with your app. I would recommend this !
Most ad networks have conversion tracking capabilities, but once you click an ad from the web and go to iTunes, all hope is lost tracking a conversion.
I guess you'd be able to track a conversion if you require the user to provide information (like an email address) before directing them to the appstore then requiring them to input that same email once the app is opened.
The following URL https://developers.geoloqi.com/account/applications/new
asks
Name,Description,image,Redirect URI etc.
P12 Certificate,P12 Password ,APNS Mode.
Can anyone explain why should we give Name,Description,image etc?
What p12 certificate,-12 Password,APNS Mode I have to give?
The name, description and image are used internally so we know what apps are using the API. They will also be used to potentially feature apps on a "gallery" page of apps using our API.
The redirect URI is only needed if you are making an app that will be used by users of our Geoloqi app, where the users will need to use OAuth to authorize your application to their account.
The P12 certificate and password are needed if you are making an iPhone app and wish to use Geoloqi to send push notifications through your app.
I'm developing an iPhone app that will need a login system in order for users to post content to a server. I'd really like to use facebook connect for this as it's a very community driven app. Is it possible for me to securely authenticate with the web server without the user having to create a username and password specifically for my app?
One idea I've had is using my app's FBConnect secret key as a password for an HTTPS connection? The app would be able to tell if a user is logged in, and only connect to the server if so. This would also stop any other connections from hackers etc I assume?
Although not just restricted to Facebook, Janrain provide a great solution to login from various openid methods including facebook connect. I believe there is a free product for non-commercial use. There is a demo iPhone app on the app store to show you how it works etc.
http://www.janrain.com/products/engage
Why not just use the Facebook iOS SDK?
Simple question - can I put an app in Apple's AppStore which is only functional for those who have a username & password? This is for a client who wants to distribute their app only to a select number of people. The Enterprise license is not an option, and while ad-hoc distribution is, I'd prefer to go through the store.
As the material is semi-sensitive, I'd need to keep the description to a minimum (eg. this app is only for XYZ users, and requires a password), and screenshot to just a single screen of the login page.
Does anyone know of any apps in the store like this?
These apps are more readily rejected, but Apple doesn't explicitly disallow this. You will have to provide them a test login during the application approval process.