Open Source illustration from https://undraw.co

Note: This article was originally published on my LinkedIn.

I would like to think that I know a little about Apple App review, having had many meetings with Apple both by phone and in person – about various apps and always with successful outcomes. I see Twitter has 'Hancock blames Apple' covered, so I originally put forward that I doubt a major corporation will quietly allow a government to blame them for a public health policy failure.

Indeed, Apple did not stay quiet (I am adding this response a couple of days after writing that I doubted they would remain silent).

TL;DR: Absolutely the worst approach to take with Apple is to bring them into an argument in front of the press. It never goes well. In the end these are Apple-manufactured devices, it is Apple's App Store, and if they do not want you in their world, they will show you the door!

Apple said:
"It is difficult to understand what these claims are as they haven't spoken to us."

Mr Hancock said:

"We've agreed to join forces with Google and Apple, to bring the best bits of both systems together,"

Apple said:

"We don't know what they mean by this hybrid model. They haven't spoken to us about it."

Apple told the BBC it had nothing further to add. It is pretty clear to me what they mean. This hybrid model is already dead because of privacy concerns and would not be eligible to use the COVID-19 API on Apple devices!

It would likely not pass App Review plus any extra requirements Apple have.

Stand by for another three months of delay while the penny drops.

It is important to note that there are Apple Review Guidelines, which must be followed for an app to be considered for publication in the App Store, even if you are producing a government-mandated app. They are not ‘optional’. They cover the Safety (of app users), Performance, Business, Design and Legal issues in detail.

This is Apple's press release about their partnering with Google on COVID-19 contact tracing technology, linking to the technology specifications. This has been public for months. Through this link you can find the Privacy-Preserving Contact Tracing specifications for Bluetooth, Cryptography, the Framework API and an FAQ. (For some good quality bedtime reading, of course.)

This FAQ states (Point 10): "Apps will receive approval based on a specific set of criteria designed to ensure they are only administered in conjunction with public health authorities, meet our privacy requirements, and protect user data."

This underlines that Apple and Google view this level of access as so invasive that there needs to be an additional agreement in order for such an app to be approved for the App Store. Apple always requires the legal role holder in the primary organisation (i.e. the government) to agree to such terms.

On these grounds, I would like to know the answer to both ‘Who has this role?’ and ‘What agreements are in place, and what was the date of these agreements?’ The answers to these questions will undoubtedly inform us as to whether this is, quote unquote, “Apple's fault” or not.

Mobile app development teams are well versed in the App review process and accompanying guidelines. These topics are fundamental for successfully publishing an app in the App Store, and therefore it is impossible not to be aware of the risks of non-compliance. These are not trivial suggestions, but rules that must be followed.

There are numerous instances of people trying to ‘game the system’ and avoid full compliance. For every release, of every app, Apple conducts an App Review, a process where a human, with undisclosed technology, reviews an app’s functionality and content. The bar for this review process is high, and issues that can seem small to developers frequently cause rejection notices.

Even for small issues, the result of a rejection is that the App will not be published in the App Store. For example, HEY (from Basecamp's @dhh on Twitter) recently went to the App Review Board and was rejected for 'Business, Payments' Guideline 3.1.1 - In-App Purchase, 3.1.3(a) - "Reader" Apps and 3.1.3(b) - Multiplatform Services. Until it is brought into compliance it will not be published.

Another example is Facebook's enterprise certificate revocation by Apple last year, which actually stopped their own internal apps working. These apps stopped working because some apps made available generally to the public outside of the App Store allegedly misused an enterprise certificate, in violation of the Apple Developer Program agreement, which mandated that such certificates be used for internal apps that the public cannot download. This would be considered gaming the system, so Apple revoked the certificate and the apps would no longer launch.

The most severe consequence of non-compliance is to be thrown out of the Apple Developer Program altogether. This can be for many reasons, such as: fraudulent reviews, passing off, deception and the like covered in Section 3.2(f) of the License Agreement (which the legal role holder earlier had to confirm they read and sign and agree).

Apps often fail review. Developers can misunderstand the guidelines. Apps can be uploaded with errors or incomplete data. The guidelines can change, although this does not occur often, but typically yearly at WWDC (Apple’s tech conference, which is interestingly next week). Apple understands that these sorts of mistakes and misunderstandings will happen.

Generally, Apple will say exactly why an app has failed review, and what steps need to be taken to bring it into compliance, so that the app can be resubmitted. These steps can be as simple as ‘Don't talk about competitor phones on screenshots or text for the App Store’.

The steps can also be much more difficult, such as ‘You need to support the new iPhone XYZ device’, ‘You need to support a particular version of the Apple development tools’ or ‘You must provide Apple review with a login to test all the corners of the app’ (and they will test all the corners!). Sometimes, developers will have to do a new release and completely resubmit their app.

Very rarely, a resubmission will fail app review for a second time. Following a second failure, an appeal will have to be submitted online to the App Review Board, an enormous escalation inside Apple. I have done this multiple times, and ultimately found it to be a straightforward process with, for me personally, a 100% success rate.

Dealing with the issue requires professionalism and courtesy. You simply have to determine where the app is out of compliance and take steps to remediate it. It is perfectly acceptable to argue you are not in breach and explain why, or to ask for clarification of your non-compliance. Both approaches can be successful. There is no point at all, however, in trying to get Apple to change their rules or make an exception for your important app because of some business deadline you have, since the rules are applied world-wide and for all developers and follow a process based on strategy.

Apple, so far, have always made pragmatic suggestions to help, but in the end Apple requires compliance. Existing published apps will usually remain in place, but an inability to update apps is a slow death sentence, as they will eventually fail on new devices.