The App Store checks for hidden functionality.

  2. Tim S

    Dec 4 Canterbury, UK

    @ChristianSchmitz Well, a weather app should only be allowed to talk to the server from the weather provider.

    And not talk to 10 third party companies tracking me.

    Isn't that supposed to be fixable for all apps on your machine by using a hosts file?

    Hello? hello? Anyone there?

    NO CARRIER

  3. Tim J

    Dec 4 Pre-Release Testers, Xojo Pro Dehydrating in AZ

    @Tim S Isn't that supposed to be fixable for all apps on your machine by using a hosts file?

    That would require proper system administration knowledge - something that Apple and Microsoft are getting sneakier and sneakier about removing from the system owner's scope of access.

  4. Douglas H

    Dec 4 Pre-Release Testers, Xojo Pro

    @Tim J That would require proper system administration knowledge - something that Apple and Microsoft are getting sneakier and sneakier about removing from the system owner's scope of access.

    And much more practical for macOS or other LAN usage than iOS via carrier access.

  5. Sam R

    Dec 15 Pre-Release Testers, Xojo Pro Hengchun, Pingtung, Taiwan

    Okay, so the poor fellow who's had his app rejected for this reason, finally got a resolution from Apple; and an explanation.

    His application was written in Objective-C, and has a lot of custom classes. Apple were reading his selectors (method names) and decided that they didn't like them.

    As we can build custom Obj-C classes in Xojo (via declares or plugins), and custom subclasses of OS-supplied classes, this is something to pay attention to if you get the same rejection.

  6. Dave S

    Dec 15 San Diego, California USA

    @Sam R Apple were reading his selectors (method names) and decided that they didn't like them.

    They decided they didn't like the NAME of the class/function... not that they didn't like what it did or did not DO?

    Why (curious/rhetorical) would they care what the developer used as an internal reference, and what on earth might those undesirable names have been?

  7. Beatrix W

    Dec 15 Pre-Release Testers Europe (Germany)

    Here is the relevant part of the tweet:

    An artifact of my AS3-ObjC transpiling is methods with somewhat bizarre (though perfectly valid) signatures, like "+ new::::::::::::" upon which their code-check choked.

  8. Christian S

    Dec 15 Pre-Release Testers, Xojo Pro, XDC Speakers Germany

    We've run into this with private API usage, too.

    Which sometimes ended up hiding the call a bit by building the selector from two strings at runtime...

  9. Emile S

    Dec 16 Europe (France, Strasbourg)

    I had customers who disliked the people's names I used (they had not yet provided me with real contact info at the time) just because I used politician names, names of movie/music stars, etc.

    In the next beta, I used a different approach like Michael G (G for Gotbatchov) and they saw nothing / did not react.

    Yes, I asked them tons of times to send me their contact data so I can implement them in their software. And, all of a sudden, they sent it to me (and what a bad list it was)…

    So: perception vs real use. I never leave Listbox1 as a reference in a project; I try to use a meaningful method / function / whatever name, never a double-meaning word (when I know the word I use has two different meanings), etc.

    At last, what is Notarization for?
    (that?)

  10. Tim J

    Dec 16 Pre-Release Testers, Xojo Pro Dehydrating in AZ

    I also had one of my apps rejected because it turns out that I had mistakenly named one of my methods by the same name as an Apple private API. In that, I also learned that simply changing it by adding TG to the beginning or end of the method name did not clear the automated check. I had to completely obfuscate every call in the project to that method.

  11. Derk J

    Dec 16 Pre-Release Testers, Xojo Pro

    @Tim J I also had one of my apps rejected because it turns out that I had mistakenly named one of my methods by the same name as an Apple private API. In that, I also learned that simply changing it by adding TG to the beginning or end of the method name did not clear the automated check. I had to completely obfuscate every call in the project to that method.

    Apple wants its apps and software to be clear with method names and such, because they can simply filter crash reports and maybe other stuff to target specific items in logs.

  12. Tim J

    Dec 16 Pre-Release Testers, Xojo Pro Dehydrating in AZ

    In my case, it was a collision with a private API name. My app wasn't denied because of any name, but because their automation claimed that I was calling a private API.

  13. scott b

    Dec 16 Pre-Release Testers, Xojo Pro local coffee shop

    @Tim J In my case, it was a collision with a private API name. My app wasn't denied because of any name, but because their automation claimed that I was calling a private API.

    Are their private API names defined anywhere? Or is it just submit and hope for the best?

  14. Tim J

    Dec 16 Pre-Release Testers, Xojo Pro Dehydrating in AZ

    @scott b Are their private API names defined anywhere? Or is it just submit and hope for the best?

    I don't know of a list and think you just have to be unlucky. In my case, I was just unlucky. IIRC, I used a pair of extensions to the Window class that I named SmoothResizeVertical and SmoothResizeHorizontal and one or both of those matched a private API call.

  15. Sam R

    Dec 17 Pre-Release Testers, Xojo Pro Hengchun, Pingtung, Taiwan

    @Dave S Why (curious/rhetorical) would they care what the developer used as an internal reference, and what on earth might those undesirable names have been?

    For your security, to make you safer. Apple is protecting the user from malevolent developers.

    @Emile S So: perception vs real use. I never leave Listbox1 as a reference in a project; I try to use a meaningful method / function / whatever name, never a double-meaning word (when I know the word I use has two different meanings), etc.

    I once had a function called "youFu##ingPieceOfS##t", which was fine, until an exception occurred in that function and I get sent e-mail reports...

    @Emile S At last, what is Notarization for?

    Basically it's to put our apps through the same excruciating validation checks as the App Store apps, but we can sell them on our own.

    @scott b Are their private API names defined anywhere? Or is it just submit and hope for the best?

    It would be nice for Apple to properly document its public API...

    You can turn off function names, so then your custom function names won't trip up Apple's security, however any exceptions won't be able to report the function they were raised from.

  16. Dave S

    Dec 17 San Diego, California USA

    @Sam R For your security, to make you safer. Apple is protecting the user from malevolent developers.

    Still doesn't make sense... How would this either protect the end-user, or be of "benefit" to a nefarious developer?
    If my code said "Call gotoHeck" (or whatever label/selector that Apple doesn't like), "so what"... a label/selector is simply text that exists in the code to provide an addressable point of execution. I can see it if that was a label/selector that somehow referred to a private/protected Apple API location, but that is not what this seems to be about.

    A label/selector should be any combination of characters that meets the pre-defined criteria (must start with a letter, no spaces, etc. etc.) and doesn't duplicate specified (or in this case unspecified) reserved words or phrases.

    As you pointed out... "youFu##ingPieceOfS##t" was "legal", just not socially acceptable.

    I have a tendency to put

    // S##T

    in apps to remind me to alter things I may have hard-coded for testing purposes..
    So my code is "good to go" when all the "S##T" is removed :)

  17. Sam R

    Dec 17 Pre-Release Testers, Xojo Pro Hengchun, Pingtung, Taiwan

    @Dave S Still doesn't make sense... How would this either protect the end-user, or be of "benefit" to a nefarious developer?

    My guess is because it's quicker and easier to read the function symbols than to decompile the application and analyze its behavior.

    In all honesty, I feel it's more for the theater of security than actual security; but I could be wrong.

    It doesn't change the fact that this screening is at the very least part of the App Store submission process, and I suspect it's part of the Notarization process also. I wonder how many actual issues it's flagged vs. how many innocent developers' time it's wasted.

  18. Tim J

    Dec 18 Pre-Release Testers, Xojo Pro Dehydrating in AZ

    @Sam R In all honesty, I feel it's more for the theater of security than actual security; but I could be wrong.

    And THAT "show" seems to be Apple's focus for the last few years.

    When a Solaris, HP-UX, or AIX system can be locked down to the point of passing Banking, Sarbanes-Oxley, and HIPAA regulations and security requirements with "simple" Unix owner, group, and permission settings and ACLs, why do these other OS vendors feel the need to one-up each other while still failing to maintain basic security and making it harder to develop for and use the systems?

  19. Dave S

    Dec 18 San Diego, California USA

    @Tim J When a Solaris, HP-UX, or AIX system can be locked down to the point of passing Banking, Sarbanes-Oxley, and HIPAA regulations

    While I never had to deal with "Banking", I dealt with the other two for years.... And on AIX systems even. But there were still things that applications had to deal with internally to pass these audits....

  20. Emile S

    Dec 18 Europe (France, Strasbourg)

    @Tim J SmoothResizeVertical and SmoothResizeHorizontal

    It may be time to modify the way our Functions / Methods get names. Something like:

    Smooth_Resize_Vertical and Smooth_Resize_Horizontal

    or more personal, for Tim:

    TJ_Smooth_Resize_Vertical and TJ_Smooth_Resize_Horizontal.

    Useful for searches: use the TJ_ prefix and you get your own list…

    If your complete initials are EARS, skip the idea or remove (the) two (mid) letters ;-:)

  21. Tim J

    Dec 18 Pre-Release Testers, Xojo Pro Dehydrating in AZ

    @Dave S But there were still things that applications had to deal with internally to pass these audits....

    And that has always been the case. The point being - as long as the app wasn't doing something stupid, the OS' existing security layers served the security requirements very well.

    @Emile S TJ_Smooth_Resize_Vertical and TJ_Smooth_Resize_Horizontal.

    I did add TG_ and _TG and both were still flagged. I actually had to get much more obfuscated and removed the word "Smooth" altogether.
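
The thread's two technical points, that App Review reads the selector table straight out of the binary (Sam R's post) and that adding a TG_ prefix did not clear the check (Tim J's last post), can be turned into a pre-submission self-check. The code below is an added example, not code from the thread or from Xojo: it parses the __TEXT,__objc_methname section of a 64-bit Mach-O and flags selectors that contain a watched name (substring matching is an assumption of mine that would explain why the prefix did not help) or that have a colons-only signature like the "+ new::::::::::::" from the tweet; the toy Mach-O and its selectors are constructed for the demo.

```python
import struct
MH_MAGIC_64, LC_SEGMENT_64 = 0xFEEDFACF, 0x19   # 64-bit magic, segment load cmd

def objc_methname_bytes(macho):
    """Return the raw __objc_methname section (the selector table) or b""."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from("<8I", macho, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    off = 32                                  # mach_header_64 is 32 bytes
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", macho, off)
        if cmd == LC_SEGMENT_64:
            nsects = struct.unpack_from("<I", macho, off + 64)[0]
            sect = off + 72                   # first 80-byte section_64
            for _ in range(nsects):
                name = macho[sect:sect + 16].rstrip(b"\0")
                size, foff = struct.unpack_from("<QI", macho, sect + 40)
                if name == b"__objc_methname":
                    return macho[foff:foff + size]
                sect += 80
        off += cmdsize
    return b""

def selectors(methname):
    """Split the NUL-terminated selector table into strings."""
    return [s.decode("ascii", "replace") for s in methname.split(b"\0") if s]

def audit(sels, watch_list):
    """Return (selector, reason) pairs; watch-list match is by substring."""
    findings = []
    for s in sels:
        if s.count(":") >= 2 and s.endswith(":" * s.count(":")):
            findings.append((s, "unnamed-argument signature"))
        for w in watch_list:
            if w.lower() in s.lower():
                findings.append((s, "contains watched name " + w))
    return findings

def build_sample():
    """Constructed toy Mach-O: header, one __TEXT segment, one section."""
    table = b"\0".join([b"init", b"setFrame:animated:", b"new::::::::::::",
                        b"TG_smoothResizeVertical:", b"viewDidLoad"]) + b"\0"
    data_off = 32 + 72 + 80                   # header + segment + section
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 1, 152, 0, 0)
    seg = struct.pack("<2I16s4Q2i2I", LC_SEGMENT_64, 152, b"__TEXT",
                      0, 0, 0, data_off + len(table), 7, 5, 1, 0)
    sect = struct.pack("<16s16s2Q8I", b"__objc_methname", b"__TEXT",
                       0, len(table), data_off, 0, 0, 0, 0, 0, 0, 0)
    return header + seg + sect + table
```

On a real app bundle, pass the bytes of the main executable to objc_methname_bytes and feed audit with the names you were told about in a rejection; renaming that only wraps the old name leaves it visible to this kind of match.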
