Static Analysis Rejection?

Posted on November 7, 2009

Mobile Orchard pointed to a post by Joe Hewitt (developer of the Facebook iPhone app) where he mentions that Apple may be using a static analyzer to help review app submissions. If that’s the case, it might explain our recent rejections. Here’s the boilerplate response that we’ve (unfortunately) come to expect each time we submit an app. This is from a recent rejection:

Thank you for submitting 3D Camera & 3D Camera Lite to the App Store.  Unfortunately it cannot be added to the App Store because it is modifying or extending an undocumented API, which as outlined in the iPhone Developer Program License Agreement section 3.3.1 is prohibited:

“3.3.1 Applications may only use Documented APIs in the manner prescribed by Apple and must not use or call any private APIs.”

There is no documentation for the custom subclasses or self-contained views of UIImagePickerController in iPhone OS 3.0.1.  This includes PLCameraView and its custom subclasses (PLImageTile, PLRotationView, PLImageScroller, PLImageView, PLCropOverlay, PLCropLCDLayer, TPBottomDualButtonBar, TPPushButton and TPCameraPushButton).

Additional Camera APIs are now available in iPhone OS 3.1.  Please review these new APIs to see if they meet your needs.  If any additional APIs are desired, please file an enhancement request via the Bug Reporter, <http://bugreport.apple.com>.

While we haven’t announced anything on our site yet, we’ve been waiting for Apple to review a brand new Juicy Bits app that also happens to use the camera, and guess what? It was rejected for exactly the same reason (same text, except for the app name).

Funny thing is, neither 3D Camera, 3D Camera Lite, nor the yet-to-be-approved app use any undocumented APIs at all! As a matter of fact, all three apps have been built using 3.1.x SDKs, and they all use the new official camera APIs to implement their overlays. For astute readers, yes, this is exactly what Apple recommends that we do in the last paragraph of their rejection e-mail!

The nuance is that while we’ve compiled these apps using 3.1.x SDKs, we’ve set the minimum iPhone OS Deployment Target to 3.0 so that the apps will run on older devices (read the section titled Specifying the Runtime Environment in Apple’s Running Applications documentation for a good explanation). We still have a lot of users running 3.0.x devices, and we want to make sure they can upgrade and use our apps.

In the code, we check to see if the app is running on a 3.1.x device before calling any of the new 3.1.x APIs (like the camera overlay). If the app is running on an older 3.0.x device, we don’t use the new APIs and the standard built-in camera controls are used. This is exactly what Apple’s documentation says we should do.

For 3D Camera and 3D Camera Lite, Apple asked that we set the minimum OS to 3.1 and re-submit. Presumably, this is because the reviewer saw the camera overlay and also noticed that the app would run on a 3.0.x device. Our guess is that the reviewer never tried the apps on a 3.0.x device to see that the camera overlay feature is disabled. Because so many of our users are still running a 3.0.x device, we chose to ignore this advice and instead tried to explain the situation to Apple. After a very slow and non-interactive e-mail exchange, 3D Camera and 3D Camera Lite were both approved.

So, we weren’t surprised when our yet-to-be-approved app was rejected for the same reason, since it uses identical camera overlay code and logic and runs on 3.0.x devices. Thus begins the very slow e-mail “conversation” to re-explain the same situation all over again. It’s frustrating, because we’re doing exactly what Apple wants us to do, yet we’re paying for it with very long delays.

We’re now wondering if the static analysis tool sees the 3.1.x API call in our app, notices that it runs on 3.0.x devices (that don’t support the new APIs), and flags or rejects it as a result. This would actually make sense! The only problem is that the tool appears to be ignoring the code where we check the device version before making that call, and that may be the nuance that’s causing all of our delays.

Of course, we’re only speculating about the static analysis rejection, because we don’t know how Apple reviews apps for the App Store. Like others, we try to reverse engineer the black box that is the approval process, and also like others, we wait.

6 Responses to “Static Analysis Rejection?”

  1. Brent Royal-Gordon
    Nov 07, 2009

    You may be able to use that “Demo Account” field on iTunes Connect for this kind of thing. If your app keeps running into the same issues, you may find that describing how you address them in that field will get you through the gauntlet. For example, one of my apps has been rejected for using encryption without having gone through export controls, but pointing out that I’m using the pre-approved ones in libSystem gets me through.


  2. admin
    Nov 07, 2009

    Thanks for the tip, Brent. When we re-submitted our latest app, we added an explanation to the “Demo Account” field. Glad to hear it works for you. There’s hope!


  3. [...] key thing about Juicy Bits experience is that both apps eventually got accepted, which strongly supports their interpretation of why they were REALLY [...]


  4. [...] automated process is already creating stories of apps being rejected for use of private APIs which developers are [...]


  5. developer
    Nov 20, 2009

    We basically did the same thing as you, calling the new api’s only for 3.1 and using older compatibility stuff for 3.0. Even after talking to apple over the phone about what we were doing they still made us only support 3.1 and pull all of our older code out before approval. Of course it doesn’t make a lot of sense since the old 3.0 builds will always work since apple doesn’t modify 3.0 builds anymore. So it really only hurts the users that don’t want to upgrade. It is nice that users can leave scathing reviews because it won’t work with 3.0 anymore even though it is not our choice to stop supporting those users but apple’s. But I guess that’s what we must deal with to sell in the app store.

    I wish apple would use there own public api for developing all of their apps on the phone. It would basically solve all the problems we encounter. The public api has a lot of bugs that wouldn’t exist if apple used it to develop their own apps.


  6. [...] not sure where to begin, so we’ll pick up the story from our last post: Static Analysis Rejection? That post has been referenced in a number of other articles about App Store rejections by [...]



Leave a Reply


PHVsPjxsaT48c3Ryb25nPndvb19hZGRibG9nPC9zdHJvbmc+IC0gdHJ1ZTwvbGk+PGxpPjxzdHJvbmc+d29vX2Fkc19yb3RhdGU8L3N0cm9uZz4gLSB0cnVlPC9saT48bGk+PHN0cm9uZz53b29fYWRfaW1hZ2VfMTwvc3Ryb25nPiAtIGh0dHA6Ly93d3cud29vdGhlbWVzLmNvbS9hZHMvd29vdGhlbWVzLTEyNXgxMjUtMS5naWY8L2xpPjxsaT48c3Ryb25nPndvb19hZF9pbWFnZV8yPC9zdHJvbmc+IC0gaHR0cDovL3d3dy53b290aGVtZXMuY29tL2Fkcy93b290aGVtZXMtMTI1eDEyNS0yLmdpZjwvbGk+PGxpPjxzdHJvbmc+d29vX2FkX2ltYWdlXzM8L3N0cm9uZz4gLSBodHRwOi8vd3d3Lndvb3RoZW1lcy5jb20vYWRzL3dvb3RoZW1lcy0xMjV4MTI1LTMuZ2lmPC9saT48bGk+PHN0cm9uZz53b29fYWRfaW1hZ2VfNDwvc3Ryb25nPiAtIGh0dHA6Ly93d3cud29vdGhlbWVzLmNvbS9hZHMvd29vdGhlbWVzLTEyNXgxMjUtNC5naWY8L2xpPjxsaT48c3Ryb25nPndvb19hZF91cmxfMTwvc3Ryb25nPiAtIGh0dHA6Ly93d3cud29vdGhlbWVzLmNvbTwvbGk+PGxpPjxzdHJvbmc+d29vX2FkX3VybF8yPC9zdHJvbmc+IC0gaHR0cDovL3d3dy53b290aGVtZXMuY29tPC9saT48bGk+PHN0cm9uZz53b29fYWRfdXJsXzM8L3N0cm9uZz4gLSBodHRwOi8vd3d3Lndvb3RoZW1lcy5jb208L2xpPjxsaT48c3Ryb25nPndvb19hZF91cmxfNDwvc3Ryb25nPiAtIGh0dHA6Ly93d3cud29vdGhlbWVzLmNvbTwvbGk+PGxpPjxzdHJvbmc+d29vX2FsdF9zdHlsZXNoZWV0PC9zdHJvbmc+IC0gZGFya2dyZWVuLmNzczwvbGk+PGxpPjxzdHJvbmc+d29vX2F1dG9faW1nPC9zdHJvbmc+IC0gZmFsc2U8L2xpPjxsaT48c3Ryb25nPndvb19ibG9nY2F0PC9zdHJvbmc+IC0gL2NhdGVnb3J5L2Jsb2cvPC9saT48bGk+PHN0cm9uZz53b29fYmxvZ19jYXRfaWQ8L3N0cm9uZz4gLSA8L2xpPjxsaT48c3Ryb25nPndvb19jYXRtZW51PC9zdHJvbmc+IC0gZmFsc2U8L2xpPjxsaT48c3Ryb25nPndvb19jdXN0b21fY3NzPC9zdHJvbmc+IC0gPC9saT48bGk+PHN0cm9uZz53b29fY3VzdG9tX2Zhdmljb248L3N0cm9uZz4gLSA8L2xpPjxsaT48c3Ryb25nPndvb19leF9mZWF0cGFnZXM8L3N0cm9uZz4gLSB0cnVlPC9saT48bGk+PHN0cm9uZz53b29fZmVhdGhlaWdodDwvc3Ryb25nPiAtIDwvbGk+PGxpPjxzdHJvbmc+d29vX2ZlYXRwYWdlczwvc3Ryb25nPiAtIDUzNiw0NjYsNiw5NTwvbGk+PGxpPjxzdHJvbmc+d29vX2ZlZWRidXJuZXJfdXJsPC9zdHJvbmc+IC0gPC9saT48bGk+PHN0cm9uZz53b29fZ29vZ2xlX2FuYWx5dGljczwvc3Ryb25nPiAtIDxzY3JpcHQgdHlwZT1cInRleHQvamF2YXNjcmlwdFwiPg0KdmFyIGdhSnNIb3N0ID0gKChcImh0dHBzOlwiID09IGRvY3VtZW50LmxvY2F0aW9uLnByb3RvY29sKSA/IFwiaHR0cHM6Ly9zc2wuXCIgOiBcImh0dHA6Ly93d3cuXCIpOw0KZG9jdW1lbnQud3JpdGUodW5lc2NhcGUoXCIlM0NzY3JpcHQgc3JjPVwnXCIgKyBnYUpzSG9zdCArIFwiZ29vZ2xlLWFuYWx5dGljcy5jb20vZ2EuanNcJyB0eXBlPVwndGV4dC9qYXZhc2NyaXB0XCclM0UlM0Mvc2NyaXB0JTNFXCIpKTsNCjwvc2NyaXB0Pg0KPHNjcmlwdCB0eXBlPVwidGV4dC9qYXZhc2NyaXB0XCI+DQp0cnkgew0KdmFyIHBhZ2VUcmFja2VyID0gX2dhdC5fZ2V0VHJhY2tlcihcIlVBLTg5MTI0ODctMVwiKTsNCnBhZ2VUcmFja2VyLl90cmFja1BhZ2V2aWV3KCk7DQp9IGNhdGNoKGVycikge308L3NjcmlwdD48L2xpPjxsaT48c3Ryb25nPndvb19ncmF2YXRhcjwvc3Ryb25nPiAtIHRydWU8L2xpPjxsaT48c3Ryb25nPndvb19pbWFnZV9oZWlnaHQ8L3N0cm9uZz4gLSAyNTA8L2xpPjxsaT48c3Ryb25nPndvb19pbWFnZV93aWR0aDwvc3Ryb25nPiAtIDM5MDwvbGk+PGxpPjxzdHJvbmc+d29vX2ludHJvPC9zdHJvbmc+IC0gV29uZGVyaW5nIHdoZXJlIHRvIGdldCBmcmVlIDNEIGFuYWdseXBoIGdsYXNzZXM/IENoZWNrIG91dCB0aGUgPGEgaHJlZj1cImh0dHA6Ly93d3cuanVpY3liaXRzc29mdHdhcmUuY29tL2ZhcS9cIj4zRCBDYW1lcmEgRkFRPC9hPi48L2xpPjxsaT48c3Ryb25nPndvb19sb2dvPC9zdHJvbmc+IC0gaHR0cDovL3d3dy5qdWljeWJpdHNzb2Z0d2FyZS5jb20vaW1hZ2VzL2p1aWN5LWJpdHMtaGVhZGVyLWxvZ28td2l0aC1zdWJoZWFkLnBuZzwvbGk+PGxpPjxzdHJvbmc+d29vX21hbnVhbDwvc3Ryb25nPiAtIGh0dHA6Ly93d3cud29vdGhlbWVzLmNvbS90aGVtZS1kb2N1bWVudGF0aW9uL292ZXItZWFzeS88L2xpPjxsaT48c3Ryb25nPndvb19tZW51cGFnZXM8L3N0cm9uZz4gLSA2LDk1LDEwMSwxMjIsNDY2LDUyODwvbGk+PGxpPjxzdHJvbmc+d29vX3Jlc2l6ZTwvc3Ryb25nPiAtIHRydWU8L2xpPjxsaT48c3Ryb25nPndvb19zaG9ydG5hbWU8L3N0cm9uZz4gLSB3b288L2xpPjxsaT48c3Ryb25nPndvb190aGVtZW5hbWU8L3N0cm9uZz4gLSBPdmVyIEVhc3k8L2xpPjxsaT48c3Ryb25nPndvb190aGVfY29udGVudDwvc3Ryb25nPiAtIHRydWU8L2xpPjwvdWw+