Does apple view the actual source code when approving apps?
Asked Answered
M

6

42

How exactly does apple approve apps? Is the actual source code viewed?

Mantinea answered 6/7, 2010 at 13:36 Comment(3)
More information on the approval process: images.pcworld.com//news/graphics/…Ganesha
That is funny, :D but unhelpful. So I should scrap my ideas and make a flashlight that crashes on launch? :PMantinea
I'm voting to close this question as off-topic because it is about publishing to an "app store" rather than programming. See Are developer-centric questions about application stores on topic?Bartholemy
C
60

While none of us have access to the internal review process (which appears to be continuously changing), there are a few things that can be said based on the responses that people have received.

First, Apple has no access to your source code, so they do not review that. You submit a binary as part of an application bundle, along with your other application resources.

They do, however, appear to scan your application's binary for certain symbols that indicate the use of private APIs. A number of applications started crashing after iPhone OS updates because they used these private APIs, so Apple has been cracking down on this.

There are plenty of applications on the store that have memory leaks or other performance issues. I know that I've submitted versions of my applications that had subtle leaks (since fixed) and had no problems with review. Therefore, it does not appear that they do any sort of performance testing or profiling.

The only place where a memory leak causes a problem doing review is when that memory leak gets so bad that the application crashes when the reviewer is testing it. If your application crashes at any point during the review process, it will be rejected.

Beyond that, they have a checklist of user interface elements that they check for proper usage of (no persistent selections on table view rows, etc.). If your application deviates significantly from the Human Interface Guidelines when using these standard UI elements, you may get rejected.

Apple is very careful about copyright, particularly with their own images and artwork, so you may run into trouble if you use copyrighted material improperly.

Most of the rejection reasons you will face are preventable by making your application stable and by following platform guidelines, but some are not. Certain classes of applications have been rejected due to their intended use, and again the classes of applications that are allowed on the store change on a regular basis. This can add frustration and uncertainty when dealing with the App Store, but the vast majority of application types will never run into problems (as can be seen in the diversity of applications currently available).

Challah answered 6/7, 2010 at 17:27 Comment(9)
This is wrong. Apple has access to your source code: When you submit the app, the API usage is analyzed on your machine by Apple's developer tools and send to Apple before the App is submitted.Trixie
@Trixie - No, they don't, and that's not what happens. You build a binary on your machine and send them just that binary. Binaries compiled from Objective-C can retain symbols within them for the methods that they call, so these can be dumped and scanned. Additionally, it is possible that Apple could run your binary within their own specially constructed frameworks and see when that binary calls out to things it shouldn't. Given the reports of false positives by people with methods that happened to match Apple's private ones, the symbol scanning approach is the most likely.Challah
@Trixie - At no point in this process does Apple take in your own source code, and API usage is not analyzed on your local machine. They have a helper now in Xcode that can send your binary off to be validated on Apple's servers, but they are not scanning your local code.Challah
You did not recognize the "analyzing API usage" before the submit?Trixie
@Trixie - Where do you see that? When I build and archive an application, it just does the normal compile / link / codesign cycle (optionally with my local use of the Clang static analyzer to look for faults in my code, but none of that is communicated to Apple in any way), resulting in an archived, codesigned binary. What is then submitted to Apple is that finished binary. Last time I submitted a binary, it did server-side validation on it. Even if they moved some of this analysis locally, it's still just looking at your binary, not any source code.Challah
I saw it before upload in Xcode and/or Application Loader. This means it would be possible to check the source code since the check happens on my machine. But checking the application binary for API usage is easier for a machine so they don't want to check the source code.Trixie
HI MacMark, pretty sure you're just mistaken on this one. BL has explained the situation.Morty
Regarding Apple being careful about copyright. "And how." Here's an example... You know when you have "a photo" in any app or on the web, it's common to use an icon that looks like an old-days "Polaroid". You know, sort of a square with a rectangle along the bottom. In fact if you just happen to use that sort of photo-looking iconography in an app - it will be rejected since that IP belongs to Polaroid group worldwide!Morty
@Trixie I'm super late to the game here, but remember that you can view which symbols are imported by a binary without needing the source. This is most likely what Apple is scanning for.Psychokinesis
D
4

try to use otool -L binary yourself and you can see immediately if a private API framework got used...

Didst answered 4/2, 2011 at 9:56 Comment(0)
S
2

No, they only have access to the binary code that you send them.

They can run this through profilers checking for memory leaks and the like.

Stig answered 6/7, 2010 at 13:39 Comment(0)
M
2

They do not have access to your source; it is not part of what you send to them. They test the binary you send them for leaks and such. I think they also check what data your app sends out to make sure it isn't doing anything egregiously bad (sending passwords or the like).

Mccown answered 6/7, 2010 at 13:44 Comment(0)
R
2

Apple does not care about leaks and profiling information for your App. The Operating system is able to kill your app if that gets out of hand. What they actually do is manually run your App and check if it follows some of Apples guidelines. In an automated process they extract symbols, selectors and strings from your binary and check those for usage of private APIs.

You might want to try nm -u on your (simulator) binary.

Rushton answered 6/7, 2010 at 13:57 Comment(0)
F
1

They only receive your binray file of ipa only. They can get some of your resource file while extract ipa. They can able to find what all urls you used in web service or url request. Nothing else other than this.

Falcate answered 15/10, 2015 at 11:19 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.