September 15, 2017
New guidelines for Face ID, ARKit, privacy policies and more.
With the imminent release of iOS 11 and the announcement of the iPhone X with Face ID, it was only natural for Apple to update the App Store Review Guidelines. But this update is actually rather big and includes many changes that do not relate to the new products as such.
A few notable changes and additions that caught my eye:
- Don’t market your app with features or content it does not have (such as claimed “virus scanners”)
- You must support in-app purchases initiated from the App Store
- Facial recognition for authentication must be implemented with Apple’s LocalAuthentication API (not ARKit or any other facial recognition technology), with an alternative method for users under 13.
- Apps may facilitate peer-to-peer payments and are not required to use in-app purchases for such payments as long as no digital content or services are offered in exchange for the payment.
- “Apps using ARKit should provide rich and integrated augmented reality experiences; merely dropping a model into an AR view or replaying animation is not enough.”
- Section 4.7 changes some wording in the context of running third-party code (HTML5 games, bots, etc.) inside an app; the code must run in WebKit/JavaScriptCore and the app must not expose native platform APIs to it.
- The list of app types that must include a privacy policy has been extended to also include “apps that utilize ARKit, Camera APIs, Photo APIs, or other software for depth of facial mapping information”. So if your app falls into this category, make sure you have the privacy policy in place and save yourself a rejection.
- Data gathered from depth and/or facial mapping tools (e.g. ARKit, Camera APIs, or Photo APIs) may not be used for advertising or other use-based data mining
- Don’t visualize activity data in a way that resembles the Activity Rings in Activity control
- IAP renamed to in-app purchases everywhere (not all cases included in the diff below)
- Some typos were fixed (not all included in the diff below)
- Various other changes; check the details below.
1.1 Objectionable Content
- 1.1.1 Defamatory, discriminatory, or mean-spirited content, including references or commentary about religion, race, sexual orientation, gender, national/ethnic origin, or other targeted groups, particularly if the app is likely to humiliate, intimidate, or place a targeted individual or group in harm’s way. Professional political satirists and humorists are generally exempt from this requirement.
2.3 Accurate Metadata
- 2.3.1 Don’t include any hidden or undocumented features in your app; your app’s functionality should be clear to end-users and App Review. Similarly, you should not market your app on the App Store or offline as including content or services that it does not actually offer (e.g. iOS-based virus and malware scanners). Egregious or repeated behavior is grounds for removal from the Developer Program. We work hard to make the App Store a trustworthy ecosystem and expect our app developers to follow suit; if you’re dishonest, we don’t want to do business with you.
- 2.3.2 If your app includes in-app purchases, make sure your app description, screenshots, and previews clearly indicate whether any featured items, levels, subscriptions, etc. require additional purchases. If you decide to promote in-app purchases on the App Store, ensure that the in-app purchase (was: “IAP”) Display Name, Screenshot and Description are appropriate (was: “written”) for a public audience and that your app properly handles the SKPaymentTransactionObserver method (was: “Purchase Intent API”) so that customers can seamlessly complete the purchase when your app launches.
- 2.3.3 Screenshots should show the app in use, and not merely the title art, log-in page, or splash screen. They may also include text and image overlays (e.g. to demonstrate input mechanisms, such as an animated touch point or Apple Pencil) and show extended functionality on device, such as Touch Bar.
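The SKPaymentTransactionObserver method that 2.3.2 refers to is paymentQueue(_:shouldAddStorePayment:for:), which StoreKit calls when a customer taps Buy on an in-app purchase promoted on your App Store product page. The following is an added example (not from the original post and not Apple’s sample code) of an observer that handles that callback and the rest of the transaction lifecycle. The isSignedIn and verifyReceiptOnServer hooks are assumed app components. Two points matter from a security standpoint: a store-initiated payment is held back until there is a signed-in account to attribute it to, and content is unlocked only after your own server has verified the receipt, never because the client decided it was paid.

```swift
import Foundation
import StoreKit

/// Added example (not from the guidelines or Apple sample code): an
/// SKPaymentTransactionObserver that supports purchases started on the
/// App Store product page, as guideline 2.3.2 requires.
/// `isSignedIn` and `verifyReceiptOnServer` are hypothetical app hooks.
final class StorePaymentObserver: NSObject, SKPaymentTransactionObserver {

    /// Hypothetical: whether the app currently has an authenticated user
    /// that the purchase can be attributed to (set by the app's login flow).
    private let isSignedIn: () -> Bool

    /// Hypothetical: sends the app receipt to your own backend, which checks
    /// it with Apple. The client never decides on its own that it has paid.
    private let verifyReceiptOnServer: (Data, @escaping (Bool) -> Void) -> Void

    /// App Store-initiated payments we could not add yet (no signed-in user).
    private var deferredStorePayments: [SKPayment] = []

    init(isSignedIn: @escaping () -> Bool,
         verifyReceiptOnServer: @escaping (Data, @escaping (Bool) -> Void) -> Void) {
        self.isSignedIn = isSignedIn
        self.verifyReceiptOnServer = verifyReceiptOnServer
        super.init()
    }

    /// Register at launch (application(_:didFinishLaunchingWithOptions:)),
    /// before any UI, so a purchase started in the App Store is delivered
    /// as soon as the app comes up.
    func start() {
        SKPaymentQueue.default().add(self)
    }

    // MARK: Purchases initiated from the App Store product page (iOS 11)

    func paymentQueue(_ queue: SKPaymentQueue,
                      shouldAddStorePayment payment: SKPayment,
                      for product: SKProduct) -> Bool {
        // Returning true lets StoreKit continue the purchase immediately.
        // With no signed-in account the payment is parked and added once
        // login completes, so it lands on the right account.
        guard isSignedIn() else {
            deferredStorePayments.append(payment)
            return false
        }
        return true
    }

    /// Call this when the user finishes signing in.
    func resumeDeferredStorePayments() {
        guard isSignedIn() else { return }
        let pending = deferredStorePayments
        deferredStorePayments.removeAll()
        pending.forEach { SKPaymentQueue.default().add($0) }
    }

    // MARK: Transaction updates

    func paymentQueue(_ queue: SKPaymentQueue,
                      updatedTransactions transactions: [SKPaymentTransaction]) {
        for transaction in transactions {
            switch transaction.transactionState {
            case .purchased, .restored:
                // Entitlement is granted server-side after receipt verification.
                // The transaction is finished only on success; otherwise it stays
                // in the queue and is redelivered on the next launch.
                guard let url = Bundle.main.appStoreReceiptURL,
                      let receipt = try? Data(contentsOf: url) else {
                    continue   // no receipt yet: refresh it (SKReceiptRefreshRequest) and retry
                }
                verifyReceiptOnServer(receipt) { verified in
                    if verified { queue.finishTransaction(transaction) }
                }
            case .failed:
                queue.finishTransaction(transaction)
            case .deferred, .purchasing:
                break   // waiting on Ask to Buy or the payment sheet
            default:
                break
            }
        }
    }
}
```

Keep the observer alive for the whole process lifetime (store it on the app delegate); if it is deallocated, StoreKit has nobody to deliver the store-initiated payment to and the customer sees nothing happen after tapping Buy.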
2.5 Software Requirements
- 2.5.13 Apps using facial recognition for account authentication must use LocalAuthentication (and not ARKit or other facial recognition technology), and must use an alternate authentication method for users under 13 years old.
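As an added example (not part of the original post and not Apple sample code), here is what 2.5.13 looks like in practice. The biometric check comes from LocalAuthentication and the Keychain rather than from a Bool computed in app code: the server-issued session token is stored with a biometry-bound access control, so the Keychain releases it only after the Secure Enclave has verified the enrolled face or fingerprint, and the under-13 path (as well as any device without biometrics) goes through the app’s existing password login. The isUnder13 flag, the Keychain service name and the passwordFallback closure are assumptions about the app.

```swift
import Foundation
import LocalAuthentication
import Security

/// Added example, not from the guidelines or Apple sample code.
/// Account authentication with Face ID / Touch ID per guideline 2.5.13:
/// biometrics come from LocalAuthentication (never from ARKit face tracking),
/// and users under 13 get the password path instead.
enum AuthError: Error {
    case biometricsUnavailable
    case denied
    case keychain(OSStatus)
}

struct AccountAuthenticator {
    let service = "com.example.session-token"   // hypothetical Keychain service name
    let account: String
    let isUnder13: Bool                         // assumed to come from the app's own account data

    /// Attributes identifying the token item; shared by store, read and delete.
    private var baseQuery: [String: Any] {
        return [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
    }

    /// Store the server-issued session token so it is released only after a
    /// successful biometric check, not after a Bool returned to app code.
    /// `.biometryCurrentSet` invalidates the item if the enrolled faces or
    /// fingers change (iOS 11.3+; `.touchIDCurrentSet` on earlier SDKs).
    func storeToken(_ token: Data) throws {
        var cfError: Unmanaged<CFError>?
        guard let access = SecAccessControlCreateWithFlags(
                kCFAllocatorDefault,
                kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
                .biometryCurrentSet,
                &cfError) else {
            throw AuthError.biometricsUnavailable
        }
        SecItemDelete(baseQuery as CFDictionary)   // replace any previous token
        var add = baseQuery
        add[kSecAttrAccessControl as String] = access
        add[kSecValueData as String] = token
        let status = SecItemAdd(add as CFDictionary, nil)
        guard status == errSecSuccess else { throw AuthError.keychain(status) }
    }

    /// Returns the session token once the user has authenticated.
    /// Under-13 users and devices without biometrics must use the password
    /// path the app already has; biometrics is never the only way in.
    func authenticate(passwordFallback: () throws -> Data) throws -> Data {
        let context = LAContext()
        var laError: NSError?
        let biometricsAvailable = !isUnder13 &&
            context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &laError)
        guard biometricsAvailable else {
            return try passwordFallback()
        }

        // Reading the item triggers the Face ID / Touch ID prompt; the Secure
        // Enclave decides whether the data is released.
        var query = baseQuery
        query[kSecReturnData as String] = true
        query[kSecUseOperationPrompt as String] = "Sign in to your account"
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        switch status {
        case errSecSuccess:
            guard let token = result as? Data else { throw AuthError.keychain(status) }
            return token
        case errSecUserCanceled, errSecAuthFailed:
            throw AuthError.denied
        case errSecItemNotFound:
            // No token bound to the current biometry set (first run or enrollment
            // changed): authenticate with the password and bind a fresh token.
            let token = try passwordFallback()
            try storeToken(token)
            return token
        default:
            throw AuthError.keychain(status)
        }
    }
}
```

The fallback closure is where the app’s normal credential login lives; on a denied or cancelled biometric prompt the caller should offer that same path rather than retrying biometrics in a loop, and the server should still treat the token as a bearer credential that can be revoked.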
3.2 Other Business Model Issues
- 3.2.1 Acceptable
- (vii) Apps may enable individual users to give a monetary gift to another individual without using in-app purchase, provided that (a) the gift is a completely optional choice by the giver, and (b) 100% of the funds go to the receiver of the gift. However, a gift that is connected to or associated at any point in time with receiving digital content or services must use in-app purchase.
4.2 Minimum Functionality
- 4.2.1 Apps should use APIs and frameworks for their intended purposes and indicate that integration in their app description. For example, the HomeKit framework should provide home automation services; and HealthKit should be used for health and fitness purposes and integrate with the Health app. Apps using ARKit should provide rich and integrated augmented reality experiences; merely dropping a model into an AR view or replaying animation is not enough.
4.7 HTML5 Games, Bots, etc. (was: “Third-Party Software”)
Apps may contain or run code that is not embedded in the binary (was: “code provided by third party developers”) (e.g. HTML5-based games, bots, etc.), as long as the code distribution isn’t the main purpose of the app, the code is not offered in a store or store-like interface, and provided that the software (1) is free or purchased using in-app purchase; (2) only uses capabilities available in a standard WebKit view; your app must use WebKit and JavaScript Core to run third party software and should not attempt to extend or expose native platform APIs to third party software; (3) is offered by developers that have joined the Apple Developer Program and signed the Apple Developer Program License Agreement; and (4) adheres to the terms of these App Review Guidelines (e.g. does not include objectionable content; uses in-app purchase (was: “IAP”) to unlock features and functionality). You must provide an index of third party software and metadata available in your app upon request.
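As an added example (not from the post and not from any real app), this is the least-privilege way to host third-party HTML5 content under 4.7: a WKWebView with no WKScriptMessageHandler bridge into native code (which is exactly the kind of extension the guideline forbids), a non-persistent data store so the third-party code shares no cookies or storage with the app, pop-ups blocked, and navigation pinned to a single HTTPS origin. The origin games.example.com is an assumption.

```swift
import WebKit

/// Added example, not from the guidelines or any shipping app: a WKWebView host
/// for third-party HTML5 content that stays within "capabilities available in
/// a standard WebKit view" (guideline 4.7). `allowedHost` is hypothetical.
final class ThirdPartyGameHost: NSObject, WKNavigationDelegate, WKUIDelegate {
    let allowedHost = "games.example.com"   // hypothetical origin of the third-party code
    let webView: WKWebView

    override init() {
        let config = WKWebViewConfiguration()
        // An empty content controller: no WKScriptMessageHandler is registered,
        // so the page has no way to call into native code.
        config.userContentController = WKUserContentController()
        // Third-party code gets no persistent cookies or storage shared with the app.
        config.websiteDataStore = .nonPersistent()
        config.preferences.javaScriptCanOpenWindowsAutomatically = false
        config.allowsInlineMediaPlayback = true
        webView = WKWebView(frame: .zero, configuration: config)
        super.init()
        webView.navigationDelegate = self
        webView.uiDelegate = self
    }

    func load() {
        var components = URLComponents()
        components.scheme = "https"
        components.host = allowedHost
        components.path = "/index.html"
        if let url = components.url {
            webView.load(URLRequest(url: url))
        }
    }

    /// Pin navigation to the allowed origin over HTTPS; custom URL schemes,
    /// other hosts and plain http:// are cancelled.
    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        decisionHandler(isAllowed(navigationAction.request.url) ? .allow : .cancel)
    }

    /// Block window.open / target=_blank instead of spawning new web views.
    func webView(_ webView: WKWebView,
                 createWebViewWith configuration: WKWebViewConfiguration,
                 for navigationAction: WKNavigationAction,
                 windowFeatures: WKWindowFeatures) -> WKWebView? {
        return nil
    }

    func isAllowed(_ url: URL?) -> Bool {
        guard let url = url, url.scheme?.lowercased() == "https" else { return false }
        return url.host?.lowercased() == allowedHost
    }
}
```

If the third-party content legitimately needs something from the app (for example a purchase), route it through an in-app purchase flow started by native code on a navigation you recognise, rather than adding a JavaScript-to-native message handler that the page can call at will.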
5. Legal
Apps must comply with all legal requirements in any location where you make them available (if you’re not sure, check with a lawyer). We know this stuff is complicated, but it is your responsibility to understand and make sure your app conforms with all local laws, not just the guidelines below. And of course, apps that solicit, promote, or encourage criminal or clearly reckless behavior will be rejected. In extreme cases, such as apps that are found to facilitate human trafficking and/or the exploitation of children, appropriate authorities will be notified.
- 5.1 Privacy
Protecting user privacy is paramount in the Apple ecosystem, and you should use care when handling personal data to ensure you’ve complied with applicable laws and the terms of the Apple Developer Program License Agreement, not to mention customer expectations. More particularly:
- 5.1.1 Data Collection and Storage
- (i) Apps that collect user or usage data must have a privacy policy and secure user consent for the collection. This includes—but isn’t limited to—apps that implement HealthKit or other health/medical technologies, apps that utilize ARKit, Camera APIs, Photo APIs, or other software for depth of facial mapping information, HomeKit, Keyboard extensions, Apple Pay, Stickers and iMessage extensions, include a login, or access user data from the device. Your app description should let people know what types of access (e.g. location, contacts, calendar, etc.) are requested by your app, and what aspects of the app won’t work if the user doesn’t grant permission.
- 5.1.2 Data Use and Sharing
- (i) You may not attempt, facilitate, or encourage others to identify anonymous users or reconstruct user profiles based on data collected from depth and/or facial mapping tools (e.g. ARKit, Camera APIs, or Photo APIs), or data that you say has been collected in an “anonymized,” “aggregated,” or otherwise non-identifiable way. You may not use or transmit someone’s personal data without first obtaining their permission and providing access to information about how and where the data will be used.
- (iii) Data gathered from the HomeKit API or from depth and/or facial mapping tools (e.g. ARKit, Camera APIs, or Photo APIs) may not be used for advertising or other use-based data mining, including by third parties.
- 5.2 Intellectual Property
- 5.2.5 Apple Products: Don’t create an app that appears confusingly similar to an existing Apple product, interface (e.g. Finder), app (such as the App Store, iTunes Store, or Messages) or advertising theme, and don’t misspell Apple product names (i.e., GPS for Iphone, iTunz). Apps and extensions, including third party keyboards and Sticker packs, may not include Apple emoji. iTunes music previews may not be used for their entertainment value (e.g. as the background music to a photo collage or the soundtrack to a game) or in any other unauthorized manner. If your app displays Activity rings, they should not visualize Move, Exercise, or Stand data in a way that resembles the Activity control (was: “do not modify the look and feel of the rings themselves or the Move, Exercise, or Stand data they represent”). The Human Interface Guidelines have more information on how to use Activity rings.