1

In an iOS application, when I detect a user's improper action (for example posting violent content), I want to suspend the user from using my application. The basic idea to implement this feature is to create and save a unique id for each application install and suspend the usage from the server APIs.

My question is, how can I implement this feature even if the user re-installs the application, and still pass Apple's iTunes submission?

I came up with two ways to technically implement this feature, but I am wondering how Apple would respond.

  1. Store the IDFA (I understand that users can reset the id on their behalf)
  2. Store an app generated udid to the Keychain (which should not be deleted even if the user deletes the app)

I know there are no perfect answers, but I would appreciate discussing this issue with anyone who has tried submitting a similar application, or anyone who is well aware of Apple's guidelines. Thank you.

Kyosuke Nakajima

2 Answers

1

Apple will reject apps that inappropriately use the IDFA.

If your app does not use server login (at which point, whatever flags you require could be delivered to the client), keychain storage would be the only real solution.

However, if you don't use server login, you block the device, not the user. Is this your intent?

BTW, without server login, a determined user can still get around keychain storage: Reset keychain on the device

Community
Brad Brighton
  • Thank you for clearing things out. Yes, I meant to block the device, and I'm not planning to use server login. I am still worried if Apple would reject my app when I use the keychain for such feature. Do you have any advice on this? – Kyosuke Nakajima Mar 26 '15 at 04:09
  • Unless Apple specifically says something (like they do with the use/misuse of the advertising identifier), it's a bit of a guess, but what you're describing is just keychain data like anything else you might store. Nothing raises obvious concern. – Brad Brighton Mar 26 '15 at 04:13
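
The keychain option discussed in this answer, sketched as an added example (not code from the question or either answer): an app-generated UUID stored as a device-only generic-password item and read back on later launches. The service and account strings and the `InstallID` and `KeychainError` names are assumptions made for illustration; the suspension decision itself stays on the server, which receives this value with each request.

```swift
import Foundation
import Security

// Error wrapper so callers can log the raw OSStatus.
struct KeychainError: Error { let status: OSStatus }

enum InstallID {
    // Placeholder identifiers (assumptions for this example).
    private static let service = "com.example.myapp.install-id"
    private static let account = "install-id"

    private static var baseQuery: [String: Any] {
        [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
    }

    /// Returns the stored ID, generating and saving one on first use.
    static func current() throws -> String {
        if let existing = try read() { return existing }
        let fresh = UUID().uuidString
        var attrs = baseQuery
        attrs[kSecValueData as String] = Data(fresh.utf8)
        // Device-only: the item is not migrated to another device via backup,
        // which matches blocking the device rather than the user.
        attrs[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
        let status = SecItemAdd(attrs as CFDictionary, nil)
        if status == errSecDuplicateItem, let existing = try read() {
            return existing // another caller stored an ID first; reuse it
        }
        guard status == errSecSuccess else { throw KeychainError(status: status) }
        return fresh
    }

    private static func read() throws -> String? {
        var query = baseQuery
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        switch status {
        case errSecSuccess:
            guard let data = item as? Data else { return nil }
            return String(data: data, encoding: .utf8)
        case errSecItemNotFound:
            return nil // first launch, or the keychain was reset
        default:
            throw KeychainError(status: status)
        }
    }
}
```

A reset keychain makes `read()` return `nil` and a new ID is issued, which is the bypass the answer points out.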
0

You can block a given account. Most people these days key an account with an email address. Some require a credit card (Facebook fully validates accounts using credit card numbers), others require a bank account (PayPal has to send money somewhere!) and it is growing in popularity to request a phone number (Twitter is getting there). In the end, to really be effective, you have to block something that is difficult to produce.

With email, your users can always create a new account. Check out mailinator.com. Alternatively, all you need is one domain to have as many email addresses as you want -- I use five different email accounts daily, and I use about two dozen more on a monthly basis.

Installation ids are ok but users can always just uninstall/reinstall. And if you do manage to get a device-identifying number (easy to do really, even in the post-UDID era) so that you can block a given device, your users can just get a new device, or hack your app to use some random value, or spoof your API with cURL. I own three iPhones, two iPads, two Samsung tabs, three other Android phones, two MacBook Pros, a mini, two PCs, and I run three virtual Linux boxes, and one virtual XP box. And what happens when somebody sells a blocked device to a non-abusive user?

So just block the user's account, keep excellent log files, and keep fighting the good fight.

QED