AISecurius iOS Hardening : How to help apps get listed on the Apple App Store

Currently, the global economy is shifting towards a stage of high-quality development, based on the leading foundation brought by the rapid development of new-generation information technology and the new demands created by innovation-driven and high-quality supply. This lays the foundation for embracing the digital era. As an important product of the digital economy, mobile applications, or "Apps" for short, have shown fast development and far-reaching impact. For enterprises, Apps are currently reshaping the operational mode of many businesses. Data shows that by 2022, the annual download volume of mobile applications will reach 258 billion times. Therefore, enterprises need to continue to promote innovation and development of mobile applications to meet the ever-changing customer demands.



Being rejected by iOS 4.3 is an inevitable "destiny"

"We have never submitted any similar duplicate apps, why does 4.3 consider ours to be a junk app? Apple customer service has been evasive, saying that our app is similar to others. After discussion, the Apple official suggested that we abandon the app, and even if we resubmit it, it will be rejected again, their attitude is very firm." complained an iOS developer.

ios 4.3.jpg

According to a set of data disclosed by Apple, in 2020, the App Review team assisted over 180,000 new developers in publishing apps. Among them, nearly one million new apps with problems and nearly one million updated versions of apps were rejected or removed from the App Store for a series of similar issues, including: • Over 48,000 apps were rejected for containing hidden or unrecorded functions; • Over 150,000 apps were rejected for containing junk information, plagiarism, or manipulating users to induce them to pay; • About 95,000 apps were removed from the App Store for violating regulations or even committing crimes by changing their operating methods through tampering after passing the app review; • Over 215,000 apps were rejected for requiring users to provide data beyond the scope or mishandling the collected data.

The data shows that from 2017 to 2019, Apple received an average of 5 million app submissions per year. Among them, 33% to 36% of the submitted apps were rejected by the Apple review team, with an average of 1.7 million rejections per year. In 2020, a total of 215,000 apps were rejected for violating privacy policies, accounting for 40% of the total number of app submissions in 2020.

Recently, the issue of being rejected by 4.3 has become popular again. The 4.3 rule is a regulation announced by the App Store for app review.

In summary, the App Store's 4.3 rule for app review stipulates that apps with duplicate functions or duplicate applications, as well as apps uploaded through duplicate or sub-packages, will be rejected.


To help iOS apps pass the review and be listed

AISecurius' business security engineers have found that the App Store review team focuses on factors such as hidden or unrecorded functions, junk information, plagiarism, and manipulating users to induce them to pay, as well as changing their operating methods through tampering after passing the app review and even committing crimes. These are the "red lines" for App Store review.

For example, in terms of code issues, submitting a project multiple times, with a code repetition rate of over 60%. Even if your code has been marked by Apple or has a relationship with other projects at the code level, there may be some hidden functions. In terms of metadata issues, if you purchase a domestic or foreign developer account that has been rejected, or if the metadata set in the ITC background has a high degree of similarity, such as title, description, keywords, technical support website, privacy statement, etc.

As we all know, the Apple review team generally has three steps in reviewing submitted apps:

The first step is pre-review, which scans for character omissions in the API and plist files. This is divided into two steps: the first step is the Application Loador application check for adapting icons when uploading, and the second step is the functional check by Apple after uploading, such as configuration of the Push function but with missing or unopened functions, which will prompt an email notification, and so on.

The second step is machine review, which scans payment SDKs and duplicate applications. The machine scan mainly looks at code blocks.

The third step is manual review, which mainly checks the functionality or app experience test, such as logging in with a test account to experience the app's functionality or other significant bugs, including IPv6 detection.

There are almost two situations for App Store review being rejected due to 4.3. One is App Store machine review, which mainly conducts machine review of the code to detect duplicate applications. This eliminates too many similar apps flooding the iOS market and affecting the overall quality of iOS applications. The other is App Store human review, which is mainly to verify the content and functionality of the app by Apple reviewers to prevent app bugs, app imitation, content repetition, and other issues that affect the user experience, resulting in the phenomenon of inferior coins driving out superior ones.

In the process of resolving the 4.3 issue in app review, users and the review team engage in intellectual battles that can take several months or even more than half a year. The solutions for machine review rejections and human review rejections are as follows:

  1. For machine review, the main method is to add code, and the similarity of the code should not be higher than 45%, so that it can pass machine review stably without being rejected.

  2. For human review, the main method is to modify the UI style and fill in more pages to improvethe user experience and functionality of the app. In addition, it is necessary to provide clear and concise descriptions of the app's features and functions in the metadata, to avoid any confusion or misunderstanding by the reviewers.

In conclusion, being rejected by iOS 4.3 is an inevitable "destiny" for app developers who do not comply with the strict regulations and policies of the App Store. To ensure that your app passes the review and gets listed in the App Store, it is important to pay attention to issues such as hidden or unrecorded functions, junk information, plagiarism, manipulating users to induce them to pay, and violating privacy policies. By following the guidelines and best practices provided by the App Store, app developers can ensure that their apps meet the highest standards of quality, security, and user experience, and avoid the risk of being rejected by iOS 4.3.

AISecurius, as a leading business security company in China, has launched the next generation of iOS application protection products based on virtual source code protection technology, targeting the iOS platform. This product can perform deep obfuscation and reinforcement on the code in iOS apps, dynamic libraries, and static libraries, and use AISecurius' proprietary virtual machine technology to encrypt and protect the code, preventing any hacker tools from directly reversing or cracking it. It also has perfect compatibility with the iOS environment, supporting Xcode development environments above 9.0 and iOS 9.0 to the latest version of the system.

After the iOS app is reinforced, the original code is obfuscated and reinforced, increasing the machine review pass rate. This in turn increases the chances of getting listed on the App Store and passing the App Store's 4.3 review rule, resulting in a well-reviewed app on the App Store.


Safeguarding iOS App Security

Currently, the growth rate of malicious applications on the iOS platform has exceeded that of the Android platform. iOS applications also face security issues such as reverse engineering, in-app purchase cracking, and second-time packaging and signing. However, AISecurius' iOS application protection can effectively prevent major security issues such as core code theft, program logic cracking, malicious code integration, and API interface exposure.

AISecurius' iOS application protection mainly has the following functions:

**Code virtualization: **Compiles the original code into dynamic DX-VM virtual machine instructions that run on the DX virtual machine, making it impossible to decompile back into readable source code.

**String encryption: **Encrypts the static constant strings defined in the code and decrypts them at runtime, preventing attackers from static analysis and guessing code logic using strings.

**Code obfuscation: **Splits, scrambles, hides, inserts flower instructions, and complicates the code logic of the original code without affecting the original logic.

**Anti-decompilation: **Effectively prevents attackers from decompiling binary code into pseudo-code using reverse analysis tools such as IDA's F5 function.

**Anti-debugging: **Provides runtime anti-debugging capabilities for the app, preventing attackers from dynamically analyzing the app's logic through debugging.

Anti-tampering: Prevents malicious tampering of code and resource files in the application, eliminating piracy or second-time packaging behavior such as advertising implantation.

In terms of deployment, AISecurius' iOS application protection has two deployment methods: localized deployment and SaaS deployment, which can meet the security needs of different users. Since there is no need to upload the source code, developers do not have to worry about code leakage issues. The flexible one-click reinforcement function is easy to operate and does not affect normal development and packaging processes. Even if there are code issues during App Store review, protection configurations can be flexibly adjusted according to needs, such as code obfuscation strength, code obfuscation ratio, and virtual machine protection strength, to meet code review requirements.

Copyright © 2024 AISECURIUS, Inc. All rights reserved
Hi! We are glad to have you here! Before you start visiting our Site, please note that for the best user experience, we use Cookies. By continuing to browse our Site, you consent to the collection, use, and storage of cookies on your device for us and our partners. You can revoke your consent any time in your device browsing settings. Click “Cookies Policy” to check how you can control them through your device.