App Store review and validating social access tokens on server side

2 votes
1 answer
121 views
According to **App Store Review Guideline 5.1.1(v)**:

> An app may not store credentials or tokens to social networks **off of the device** and may only use such credentials or tokens to directly connect to the social network **from the app itself** while the app is in use.

We want to allow the users to link their social accounts so they can sign in/up to the app more quickly.
The user identity can only be validated on the server side given a valid access token, otherwise, anyone can send any random email or account ID and impersonate any other user. Most social networks limit the access token to the IP address where it was issued.
I wonder if there is a concrete explanation of whether this is justification enough, or whether sending the token off device for validation is a black or grey zone. In summary, we obviously can't guarantee that we are not going to *use* the access tokens off of the device, because we *send* them to our backend. Is it gonna be a violation of the above guideline (or any other) if we send an access token from mobile to the backend just for verification purposes?
Asked by Peter Samokhin (295 rep)
Jun 28, 2022, 09:49 PM
Last activity: Jan 14, 2025, 06:03 PM