aws-sdk-cpp

App Store rejection due to private API usage on iOS

Open ttgil opened this issue 4 years ago • 15 comments

Confirm by changing [ ] to [x] below to ensure that it's a bug:

Describe the bug

iOS app using the static AWS C++ SDK was rejected after upload for the following reason:

"ITMS-90338: Non-public API usage - The app references non-public symbols in <App Name>: _CCCryptorGCMAddAAD, _CCCryptorGCMAddIV, _CCCryptorGCMFinal. "

These function calls are present in CryptoImpl.cpp's AES_GCM_Cipher_CommonCrypto implementation.

SDK version number

Submitted app using SDK version 1.7.365, but the same calls appear to be in the latest master, as well.
Only using the following libraries: core;s3;transfer

Platform/OS/Hardware/Device

Xcode 12.3 targeting iOS 12+

To Reproduce (observed behavior)

App submission rejected by Apple on iOS App Store

Expected behavior

No private API usage on Apple platforms.

Logs/output

Additional context

Would appreciate a patch/fix for the 1.7.x line, since updating to a newer version of the SDK came with a host of other performance issues due to the way we're using the S3 APIs.

ttgil avatar Apr 15 '21 12:04 ttgil

Hi @ttgil, just as a quick check: looking around, it seems like a common cause for these warnings is the apps being built for debug instead of release. Can you verify that is not the case for you? As a side note, I don't think we would change previous versions as it could introduce breaking changes, but maybe you could implement them on your own fork once we figure out what the root cause is?

KaibaLopez avatar Apr 19 '21 19:04 KaibaLopez

Hi, I can confirm the app is built in release mode (Xcode "build for archiving" and then submit to the App Store from there), and the AWS static libraries were built in release mode. In addition, I explicitly ran strip -S on each of the AWS libraries and tried to submit again with the same rejection. Apple is detecting the use of these non-public APIs in the AWS library itself. And this appears to be correct in the sense that these private API function calls can, in fact, be found in CryptoImpl.cpp. Would be happy to get any kind of patch or workaround that doesn't require us to update to the 1.8.x release line.

ttgil avatar Apr 20 '21 19:04 ttgil

After submitting a request for Apple's help via the Feedback Assistant, all I got from them was:

[Image: Screen Shot 2021-05-10 at 2 34 09 PM]

Been stuck without the ability to update our app for a month now. Would appreciate some help or a workaround.

ttgil avatar May 10 '21 18:05 ttgil

I'm also unable to publish my macOS app to the App Store due to this API usage. Do you plan to fix this?

MartinDelille avatar Jun 16 '21 14:06 MartinDelille

@KaibaLopez any updates?

ttgil avatar Jun 17 '21 12:06 ttgil

Hi, sorry for the lack of response here, but could you tell me which package manager you are using? And could you paste the manifest here?

KaibaLopez avatar Jun 17 '21 22:06 KaibaLopez

No package manager, we built the static C++ libraries from source... correct me if I'm wrong, but don't package managers like cocoapods only provide the Objective-C SDK for iOS?

ttgil avatar Jun 17 '21 23:06 ttgil

Personally I'm using conan (and I submitted the aws-sdk-cpp recipe to the conan center index).

MartinDelille avatar Jun 18 '21 14:06 MartinDelille

This needs to be fixed.

huklen avatar Jul 13 '21 20:07 huklen

I was able to work around the issue by recompiling the SDK against OpenSSL... will be migrating our backend off AWS as soon as possible.

ttgil avatar Jul 13 '21 20:07 ttgil

> I was able to work around the issue by recompiling the SDK against OpenSSL... will be migrating our backend off AWS as soon as possible.

I see, would you mind sharing how you went about doing that? I need a workaround asap and would greatly appreciate it.

Thanks

huklen avatar Jul 13 '21 20:07 huklen

> > I was able to work around the issue by recompiling the SDK against OpenSSL... will be migrating our backend off AWS as soon as possible.
>
> I see, would you mind sharing how you went about doing that? I need a workaround asap and would greatly appreciate it.
>
> Thanks

First, you have to build OpenSSL and libcurl for iOS, and then compile 1.7.365 (static) with the following command:

cmake .. \
  -DSTATIC_LINKING=1 \
  -DBUILD_SHARED_LIBS=no \
  -DTARGET_ARCH=APPLE \
  -DCMAKE_BUILD_TYPE=Release \
  -DBUILD_ONLY="core;s3;transfer" \
  -DENABLE_TESTING=no \
  -Wno-dev \
  -DCMAKE_CXX_FLAGS="-O3 -miphoneos-version-min=12.0" \
  -DCMAKE_INSTALL_PREFIX=/path/to/lib/aws-sdk-cpp-1.7.365 \
  -DCMAKE_OSX_SYSROOT=/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS14.5.sdk \
  -DCMAKE_OSX_ARCHITECTURES=arm64 \
  -DCMAKE_SYSTEM_NAME=Darwin \
  -DCPP_STANDARD=14 \
  -DENABLE_CURL_CLIENT=Yes \
  -DCURL_INCLUDE_DIR=/path/to/lib/curl/ios/include \
  -DCURL_LIBRARY=libcurl \
  -DCMAKE_PREFIX_PATH=/path/to/lib/aws-sdk-cpp-1.7.365 \
  -DCMAKE_IOS_DEPLOYMENT_TARGET="12" \
  -DENABLE_OPENSSL_ENCRYPTION=Yes \
  -DOPENSSL_CRYPTO_LIBRARY=/path/to/lib/openssl-1.1.1k/ios/lib/libcrypto.a \
  -DOPENSSL_SSL_LIBRARY=/path/to/lib/openssl-1.1.1k/ios/lib/libssl.a \
  -DOPENSSL_INCLUDE_DIR=/path/to/lib/openssl-1.1.1k/ios/include

ttgil avatar Jul 22 '21 12:07 ttgil
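
A pre-submission check for the three symbols named in the ITMS-90338 message, as an added example that is not part of the original thread: it reads `nm -u` output for a static library and reports any of those symbols the library still references. The function name, the two sample listings (constructed) and the library path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: report the symbols from the ITMS-90338 rejection that a
# static library still references. Input is `nm -u` output on stdin, e.g.
#   nm -u /path/to/lib/libaws-cpp-sdk-core.a | find_flagged_symbols
# (the path above is an assumed location, not taken from the thread).

# Symbols quoted in the rejection message in this thread.
FLAGGED_SYMBOLS="_CCCryptorGCMAddAAD _CCCryptorGCMAddIV _CCCryptorGCMFinal"

# Prints each flagged symbol found, one per line.
# Returns 0 when the listing is clean, 1 when any flagged symbol is present.
find_flagged_symbols() {
    input=$(cat)
    found=""
    for sym in $FLAGGED_SYMBOLS; do
        # The symbol name is the last field of an nm line; compare the whole
        # field so longer names sharing a prefix do not match.
        if printf '%s\n' "$input" |
            awk -v s="$sym" '$NF == s { hit = 1 } END { exit !hit }'; then
            found="$found$sym
"
        fi
    done
    printf '%s' "$found"
    [ -z "$found" ]
}

# Constructed sample: a build whose crypto backend is CommonCrypto.
SAMPLE_COMMONCRYPTO_BUILD='libaws-cpp-sdk-core.a(CryptoImpl.cpp.o):
                 U _CCCryptorCreateWithMode
                 U _CCCryptorGCMAddAAD
                 U _CCCryptorGCMAddIV
                 U _CCCryptorGCMFinal
                 U _CCCryptorUpdate'

# Constructed sample: a build made with ENABLE_OPENSSL_ENCRYPTION.
SAMPLE_OPENSSL_BUILD='libaws-cpp-sdk-core.a(CryptoImpl.cpp.o):
                 U _EVP_CIPHER_CTX_ctrl
                 U _EVP_EncryptUpdate
                 U _EVP_aes_256_gcm'

printf '%s\n' "$SAMPLE_COMMONCRYPTO_BUILD" | find_flagged_symbols ||
    echo "flagged symbols still referenced"
```

Undefined references are needed at link time, so `strip -S`, which only drops debugging symbols, leaves them in place; running the check on every `.a` that goes into the app shows whether the rebuild actually removed them.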

Thank you for sharing :)

huklen avatar Jul 26 '21 18:07 huklen

This update to the conan recipe fixes the issue: https://github.com/conan-io/conan-center-index/pull/8554

The key is to enable the ENABLE_OPENSSL_ENCRYPTION flag (thanks @ttgil for sharing).

MartinDelille avatar Jan 04 '22 18:01 MartinDelille

Greetings! Sorry to say but this is a very old issue that is probably not getting as much attention as it deserves. We encourage you to check if this is still an issue in the latest release and if you find that this is still a problem, please feel free to open a new one.

github-actions[bot] avatar Jan 05 '23 00:01 github-actions[bot]