Hi everyone,
I’m working on the JOOD Mobile App, which is an employee/partner-privileged app (not public) for Qatar Foundation (QF) and its partner entities. The app uses corporate domain login / Microsoft login, no public sign up.
Apple Review rejected the app, pointing out violations under:
Guideline 3.2 – Business — App intended for use by a specific organization(s), but distribution selected as public.
Guideline 4.0 / 4.8 – Design / Login Services — The user is forced to leave the app to log in via default browser; no in-app flow or “Safari View Controller” type embedded browsing. Also, uses third-party login, but doesn’t offer an equivalent login option that limits data collection to just name + email, allows email privacy, etc.
Guideline 5.1.1(v) – Data Collection and Storage — App allows account creation but there is no user-initiated delete account option.
I want to fix these rejections and resubmit. Below are the questions / ideas I have, and I would really appreciate feedback / suggestions from folks who’ve resolved similar issues.
My questions / plan:
For distribution, should I switch from Public to a more restrictive distribution (e.g. Custom App, Private Distribution for Business / Enterprise) given that the app is for specific companies / employees only?
For the login flow:
Use of Safari View Controller instead of redirecting to the system browser — is that sufficient to satisfy Apple for “login within app”?
Also, I need to add an alternate login option that meets Apple’s criteria under 4.8: limiting collected data, letting email be private, etc. What login services are typically accepted / approved for this?
For account deletion, how do I implement this properly? Should there be a setting within the app, with confirmation, that deletes the user’s data server-side? If some deletion steps happen via a website, include a link in settings.
Any sample responses / appeals / screenshots from people who successfully got similar apps approved under these guidelines?
Here are the relevant excerpts from Apple’s response:
“Your app is intended to be used by a specific business … but you've selected public distribution …”
“User is taken to the default web browser to sign in … poor user experience … revise to enable users to sign in … in app or using Safari View Controller …”
“Offer another login service that limits data collection to user’s name/email, allows privacy, etc …”
“Include option for account deletion …”
Thanks in advance for any help!
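One way to keep the corporate sign-in inside the app, as the 4.8 rejection asks, is an ASWebAuthenticationSession sheet rather than a hand-off to the system browser. This is an added example, not code from the original post or the JOOD app; the authorize URL, client id and the "exampleapp" callback scheme are placeholders.

```swift
import AuthenticationServices
import UIKit

// Added example, not code from the original post or the JOOD app: an in-app
// sign-in sheet via ASWebAuthenticationSession instead of handing the user
// off to the system browser. The authorize URL, client id and the
// "exampleapp" callback scheme are assumed placeholders.
final class InAppSignIn: NSObject, ASWebAuthenticationPresentationContextProviding {
    private let window: UIWindow
    private var session: ASWebAuthenticationSession?
    private var pendingState = ""

    init(window: UIWindow) { self.window = window }

    func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor {
        window
    }

    /// Runs the authorization-code request in an in-app browser sheet and
    /// returns the `code` from the redirect, or an error.
    func signIn(completion: @escaping (Result<String, Error>) -> Void) {
        // Fresh per-attempt state, checked on return to reject forged callbacks.
        pendingState = UUID().uuidString
        var components = URLComponents(string: "https://login.example.com/oauth2/v2.0/authorize")!
        components.queryItems = [
            URLQueryItem(name: "client_id", value: "CLIENT_ID_PLACEHOLDER"),
            URLQueryItem(name: "response_type", value: "code"),
            URLQueryItem(name: "scope", value: "openid profile email"),
            URLQueryItem(name: "redirect_uri", value: "exampleapp://auth-callback"),
            URLQueryItem(name: "state", value: pendingState),
        ]
        let session = ASWebAuthenticationSession(url: components.url!,
                                                 callbackURLScheme: "exampleapp") { [weak self] callbackURL, error in
            guard let self = self else { return }
            if let error = error { completion(.failure(error)); return }
            let items = callbackURL.flatMap { URLComponents(url: $0, resolvingAgainstBaseURL: false) }?.queryItems ?? []
            func value(_ name: String) -> String? { items.first { $0.name == name }?.value }
            // Reject the response unless state matches and a code is present.
            guard value("state") == self.pendingState, let code = value("code") else {
                completion(.failure(URLError(.userAuthenticationRequired)))
                return
            }
            completion(.success(code))
        }
        session.presentationContextProvider = self
        // No shared Safari cookies: nothing from this sign-in lingers on a shared device.
        session.prefersEphemeralWebBrowserSession = true
        self.session = session   // keep it alive until the callback fires
        session.start()
    }
}
```

Set prefersEphemeralWebBrowserSession to false if the Microsoft SSO cookie should be shared with Safari; the returned code is then exchanged for tokens on your backend, which is also where a user-initiated delete-account request should be handled.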