Friday, June 28, 2024

Python Apps Rejected From App Store

Joe Brockmeier (via Hacker News):

The problem at hand is that Apple’s macOS App Store is automatically rejecting apps that contain the string “itms-services”. That is the URL scheme for apps that want to ask Apple’s iTunes Store to install another app. […] That string is in the urllib parser in Python’s standard library, though an application may never actually use the itms-services handler.


Of course, Apple did not do anything so straightforward as to explain this to Froemling.


One solution might be to obfuscate the offending string to pass review, but that might “lead to an obfuscation arms race” and there were no guarantees this would be the last time the project had to resolve app-validation problems.


It is frustrating that free-software projects like Python have to waste time finding ways around opaque review processes just so developers can write software for non-free platforms.

The first problem is that Apple is doing a dumb static analysis. If it can be thwarted by simple obfuscation then what good is it really doing? But, second, why is it even trying to detect this URL scheme upon submission when iOS could more easily and effectively block all the “dangerous” URLs at runtime?

Years ago, I ran into a similar problem with EagleFiler being rejected because it used PyObjC, which included some symbols for the deprecated Java VM.


4 Comments RSS · Twitter · Mastodon

Adam Maxwell

Back when the Mac was a general purpose UNIX computing platform, Apple included a Python runtime that applications could use (as mine did for over a decade), which is another way of avoiding this absurd problem.

Old Unix Geek

Frankly, if Apple keeps shitting on free-software projects, they should probably give up on supporting it. Haskell's also had a hell of a time with MacOS. Apple mostly takes (e.g. KDE's WebKit) when it can claim credit. Not a good partner.

And yes, Apple's "static analysis" really is a joke engineering wise. But most of their users just believe the hype, and they've been very good at hype.

> One solution might be to obfuscate the offending string to pass review, but that might “lead to an obfuscation arms race”
Eh. Apple’s static analysis is so rudimentary, and has been such for so long, I doubt it will ever be an “arms race”. People think App Store is so safe, but a lot of “bad usage" is so easy to hide. These days, a lot of the iOS security comes from protection at the kernel level (usually through entitlement requirement/validation or dumb bundle identifier checks), so there is more safety than a decade ago, but a lot of stuff is still accessible using hidden APIs. IIRC, it is still possible to get a list of installed apps on an iOS device, because the share sheet still runs in-process, and so, in order to load the share buttons, Apple iterates over apps and plugins in-process. I discovered this more than a decade ago while implementing

and if I am not mistaken, it is still possible to obtain the app/plugin list (and the framework still is still functional and accepted in the app store).

No, you don't understand, it's safe because it's sandboxed! /s

Leave a Comment