App's domain being blocked/rerouted by Apple

I have a strange situation and I'm not sure where else to post this. Our app's domain (or at least its API hostname in the domain) resolves to something different only inside of Apple's network.

I was able to get an Apple employee to verify this by resolving the API hostname while on Apple's corporate network and it resolves to an IP that is in Apple's 17.0.0.0/8 network, but everywhere else resolves to the normal IPs. Our domain's DNS is provided by Cloudflare and they are not doing anything special for Apple's network.

This is causing problems during App Review because the app is trying to reach our API to log in and instead is being routed to an IP in Apple's network, so it fails SSL validation and presents an error dialog. App Review is then claiming our app doesn't work and rejecting it. This is an app that has been in the App Store for over a decade and gone through countless app reviews.

App Review was of no help resolving this and I don't know where else to turn. How can I find out why our domain is being rerouted inside of Apple and get this fixed?

Answered by DTS Engineer in 823422022

App Review was of no help resolving this and I don't know where else to turn. How can I find out why our domain is being rerouted inside of Apple and get this fixed?

File a Code-level support request and in that form include the following:

  • A brief note saying that I told you to file the request.

  • The link to this post.

  • The full details about your app and the domain you're trying to reach.

__
Kevin Elliott
DTS Engineer, CoreOS/Hardware

Presumably they have a transparent proxy/cache. This is not unusual for large corporate environments - or indeed whole countries. Typically they install additional SSL root certs on the corporate devices so that they trust the proxy, which impersonates your server.

How exactly is the SSL failing? Are you doing your networking? Do you have some additional checking or non-default SSL settings?


As some brief followup for anyone who comes across this thread in the future, I wanted to provide some brief guidance as to what was going on and the best way to address it.

First off, this issue was an example of a VERY rare case where an app is failing in App Review due to a network level issue external to their app. In this particular case, it was a bad DNS entry on our DNS servers, but the exact cause isn't really relevant, as every case I've seen of this is completely different from every other case.

In any case, if you believe your app might be experiencing something like this, there are a few things to keep in mind:

  • Fundamentally, App Review's role is to test and experience your app as a user would. Network failures are a common reality of modern networking and apps should have a plan in place for how they'll help users investigate and resolve these issues.

  • In general, Apple's network is notably "straightforward", particularly compared to many corporate WiFi networks or other "commercial" networks.

  • As I noted above, this kind of failure is EXTREMELY rare. The FAR more common case is that the app simply doesn't work right. This is why having your own plan and infrastructure in place to investigate this kind of issue is so important. If your app simply fails, then all your users and App Review can really do is stop using your app.

On a side note, one specific issue that does come up slightly more often is issues with specific ports being blocked. Our network does block ports, so I do have some specific recommendations on that point:

  • Whenever possible, use the standard port numbers designated for that particular protocol.

  • If you're using a standard but "uncommon" port, then it can be helpful to include that port number in the review notes.

If you're going to use a non-standard port, then I recommend the following:

  • Use a number well outside the "defined" range (22000+).

  • Use a "random" number, "27418" is a better choice than "23000".

  • Do some quick web searching on that port number just in case someone already used that port. Case in point, brief searching will show that 23000 is used by multiple games and malware.

Finally, if your diagnostic data shows that your app is having an issue that you believe is specifically caused by Apple's network, you should:

  • Use your own diagnostic data to try and diagnose the issue to the best of your ability. The more detail you can provide about the failure, the faster the issue will be resolved.

  • Contact App Review through one of their contact routes and pass all of that information over to them. As part of that, make sure you're clear that you believe there is an underlying technical issue you'd like their help resolving, and that you're not just trying to get them to approve your app.

  • You can also contact DTS (as I recommended above) asking for our help, particularly if you need more in depth help with your investigation.

The key point here is that you need to have an issue that can be directly investigated ("I think there is a DNS issue" NOT "my app doesn't work"), then you need to escalate the issue for a more in depth investigation, not just resubmit the app or try to complain/communicate through your review notes.

__
Kevin Elliott
DTS Engineer, CoreOS/Hardware
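As an added illustration of the "report a DNS issue, not 'my app doesn't work'" advice above (example code written for this thread, not Apple's or the original poster's), here is a small diagnostic that classifies what a hostname resolved to. The expected address set and the 17.0.0.0/8 prefix are assumptions: the prefix is the one the thread reports, and the expected addresses are placeholders standing in for the app's real published records.

```python
import ipaddress
import socket
from dataclasses import dataclass, field

# Constructed for this example: the prefix the thread reports the API hostname
# resolving into from inside Apple's network, and placeholder (TEST-NET-3)
# addresses standing in for the records the app actually publishes.
UNEXPECTED_PREFIXES = [ipaddress.ip_network("17.0.0.0/8")]
EXPECTED_IPS = {"203.0.113.10", "203.0.113.11"}


@dataclass
class Diagnosis:
    verdict: str   # "ok", "dns_rerouted", "dns_mismatch" or "dns_failed"
    detail: str
    addresses: list = field(default_factory=list)


def classify_resolution(addresses, expected=EXPECTED_IPS,
                        unexpected=UNEXPECTED_PREFIXES):
    """Turn a list of resolved IPs into a verdict that names the failing layer,
    with the evidence, so an escalation can say more than "login fails"."""
    if not addresses:
        return Diagnosis("dns_failed", "hostname did not resolve", [])
    addrs = [ipaddress.ip_address(a) for a in addresses]
    # An answer inside a prefix we never publish points at the network, not the app.
    rerouted = [str(a) for a in addrs if any(a in n for n in unexpected)]
    if rerouted:
        return Diagnosis("dns_rerouted",
                         f"resolved into a foreign prefix: {rerouted}",
                         list(addresses))
    if not set(addresses) <= set(expected):
        return Diagnosis("dns_mismatch",
                         "resolved, but not to the addresses we publish",
                         list(addresses))
    return Diagnosis("ok", "DNS answers match published records",
                     list(addresses))


def resolve(hostname, port=443):
    """Live lookup on the current network (not exercised by the tests)."""
    try:
        infos = socket.getaddrinfo(hostname, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def diagnose(hostname):
    """Resolve on this network and classify the answer for a support report."""
    return classify_resolution(resolve(hostname))
```

Running `diagnose("api.example.invalid")` on the affected network would yield a `dns_rerouted` verdict listing the 17.x address, which is the kind of concrete finding the follow-up asks you to bring to App Review or DTS.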
