Skip to content

Apple App Store Compliance Audit Report

This document details the findings from a comprehensive audit of the DocuElevate mobile app against Apple's App Store Review Guidelines, Human Interface Guidelines (HIG), and privacy requirements. It covers all areas of compliance, risks for rejection, and recommendations.

Last Audited: March 2026 App Version: 1.0.0 Expo SDK: 54.0.0 Bundle ID: org.docuelevate.mobile

Executive Summary

The DocuElevate mobile app is broadly compliant with Apple's App Store requirements. The following issues were identified and resolved as part of this audit:

Issue Severity Status
Unused fetch background mode declared High ✅ Fixed
Missing privacy manifest for required reason APIs High ✅ Fixed
No account deletion option (Guideline 5.1.1(v)) Critical ✅ Fixed
No Privacy Policy / Terms of Service links in-app High ✅ Fixed
Emoji used as UI icons instead of platform-native icons Medium ✅ Fixed
Missing app version display Low ✅ Fixed
Unused Switch import in ProfileScreen Low ✅ Fixed

1. Human Interface Guidelines (HIG)

1.1 Navigation & Tab Bar ✅

  • The app uses a standard bottom tab bar with three tabs: Upload, Files, and Profile.
  • Tab icons use Ionicons (an icon set that closely maps to Apple's SF Symbols).
  • Active/inactive tab colors follow iOS conventions (#1e40af active, #9ca3af inactive).
  • Header styling uses a solid color background with white text, consistent with iOS navigation bar patterns.

1.2 Icons & Visual Assets ✅

  • App icon: Custom icon.png provided at root level; Expo handles generating all required sizes.
  • Splash screen: Uses branded splash with contain resize mode and matching background color.
  • Adaptive icon (Android): Properly configured with foreground image and background color.
  • Action buttons: Previously used emoji characters (📷, 🖼️, 📄) which render inconsistently across iOS versions. Fixed: Now using Ionicons (camera-outline, images-outline, document-outline).
  • Status indicators: Previously used emoji (✅, ❌, ⏳, ⚙️). Fixed: Now using Ionicons with semantic colors.

1.3 Typography & Colors ✅

  • Uses system fonts (default React Native text rendering uses San Francisco on iOS).
  • Color palette (#1e40af primary blue, semantic reds/greens/grays) provides sufficient contrast ratios.
  • Text sizes follow iOS recommended minimums (body text ≥ 13pt).

1.4 Touch Targets ✅

  • All interactive elements have minHeight: 44 or minHeight: 48 (meets Apple's 44×44pt minimum).
  • Back links, cancel buttons, and retry buttons all meet minimum touch target requirements.

1.5 Safe Areas ✅

  • The app uses react-native-safe-area-context (SafeAreaProvider) to respect device notches, Dynamic Island, and home indicator.

1.6 Dark Mode ✅

  • userInterfaceStyle: "automatic" is set in app.json, enabling automatic dark mode support.

2. Privacy & Data Usage

2.1 Permission Descriptions ✅

All iOS permission strings (Info.plist keys) are present and provide clear, specific descriptions of why each permission is needed:

Permission Key Description
Camera NSCameraUsageDescription "DocuElevate uses the camera to scan QR codes for login and to capture documents for upload."
Photo Library (Read) NSPhotoLibraryUsageDescription "DocuElevate accesses your photo library to select documents for upload."
Photo Library (Write) NSPhotoLibraryAddUsageDescription "DocuElevate saves scanned documents to your photo library."

Assessment: All descriptions clearly explain the purpose, which is a requirement for App Review approval.

2.2 Push Notifications ✅

  • Push notification permission is requested at runtime (not at launch) when the user enters the authenticated area.
  • The app works gracefully without push notifications if permission is denied.
  • Device tokens are registered via a dedicated backend endpoint.

2.3 Background Modes ✅ (Fixed)

  • Previous state: UIBackgroundModes included ["fetch", "remote-notification"].
  • Issue: The app does not implement background fetch (application:performFetchWithCompletionHandler:). Apple may reject apps that declare background modes they don't actively use (Guideline 2.5.4).
  • Fix: Removed fetch from UIBackgroundModes. Only remote-notification remains, which is required for push notification delivery.

2.4 Privacy Manifest ✅ (Fixed)

Starting in Spring 2024, Apple requires a privacy manifest (PrivacyInfo.xcprivacy) for apps using specific APIs. The following required reason APIs are used by the app's dependencies:

API Category Reason Code Justification
NSPrivacyAccessedAPICategoryUserDefaults CA92.1 Used by @react-native-async-storage/async-storage for user preferences
NSPrivacyAccessedAPICategoryFileTimestamp C617.1 Used by expo-file-system to read file metadata
NSPrivacyAccessedAPICategoryDiskSpace E174.1 Used by Expo runtime for storage space checks
NSPrivacyAccessedAPICategorySystemBootTime 35F9.1 Used by React Native's timing APIs

The privacy manifest is configured via expo-build-properties plugin in app.json, which ensures it is included in the generated Xcode project during EAS Build.

2.5 Tracking & Analytics ✅

  • NSPrivacyTracking: false — the app does not track users.
  • NSPrivacyCollectedDataTypes: [] — no data types are collected for tracking.
  • No analytics SDKs (Firebase Analytics, Amplitude, Mixpanel, etc.) are included.
  • No App Tracking Transparency (ATT) prompt is needed.

2.6 Encryption Declaration ✅

  • ITSAppUsesNonExemptEncryption: false — the app uses only standard HTTPS/TLS for network communication, which is exempt from export compliance requirements.

2.7 Data Storage Security ✅

  • API tokens are stored in the device keychain via expo-secure-store (uses iOS Keychain Services).
  • No sensitive data is stored in AsyncStorage or UserDefaults.
  • Server URL is stored in secure storage, not in plain text files.

3. App Store Review Guidelines Compliance

3.1 Functionality (Guideline 2.x) ✅

  • 2.1 App Completeness: The app provides a complete, functional experience. All advertised features (camera capture, file upload, document list, push notifications) work as described.
  • 2.3 Accurate Metadata: App name ("DocuElevate"), description, and screenshots should accurately reflect the app's functionality.
  • 2.5.4 Background Modes: Only remote-notification is declared, which is actively used. ✅ Fixed.

3.2 Content & Intellectual Property (Guideline 3.x) ✅

  • No third-party trademarked content is used.
  • The app does not display user-generated content publicly (documents are private to each user).
  • No copyrighted content is bundled with the app.

3.3 Business (Guideline 3.1.x) ✅

  • The app does not include in-app purchases, subscriptions, or payment processing.
  • No physical goods or services are sold through the app.
  • Authentication is handled via self-hosted or enterprise SSO — no Apple Sign-In requirement applies (Apple Sign-In is required only when third-party social login options like Google/Facebook are offered as the primary login method; enterprise SSO to a self-hosted server is exempt).

3.4 Safety & Privacy (Guideline 5.x) ✅

  • 5.1.1 Data Collection and Storage: The app collects only what is necessary for its functionality (server URL, auth token, push token).
  • 5.1.1(v) Account Deletion: ✅ Fixed. Users can now initiate account deletion from the Profile screen, which opens the server's account deletion page in the browser.
  • 5.1.2 Data Use and Sharing: No data is shared with third parties or used for advertising.

3.5 Privacy Policy ✅ (Fixed)

  • Requirement: Apple requires all apps to have an accessible privacy policy.
  • Fix: Privacy Policy and Terms of Service links are now accessible from the Profile screen, opening the server's hosted policy pages.
  • App Store Connect: The privacy policy URL must also be provided in App Store Connect during submission.

3.6 Login & Authentication ✅

  • Two login methods are available: SSO (browser-based OAuth) and QR code scanning.
  • Both methods provide clear error messages on failure.
  • The app correctly handles authentication cancellation.
  • Session restoration on app launch is implemented.
  • Demo Account: For App Review, a demo account may need to be provided in App Store Connect's review notes. Ensure the review team can access a test server.

4. Technical Compliance

4.1 API Usage ✅

  • No private APIs are used (all functionality comes from Expo SDK and React Native public APIs).
  • No deprecated APIs are used that would trigger rejection.

4.2 Network Security ✅

  • The app validates server URLs require http:// or https:// scheme.
  • All API calls use Bearer token authentication over HTTPS.
  • App Transport Security (ATS) is not explicitly disabled — default iOS ATS rules apply.

4.3 Deep Linking ✅

  • Custom URL scheme docuelevate:// is properly registered.
  • Deep link handling for QR login (docuelevate://qr-login) and file sharing is implemented correctly.
  • WebBrowser.openAuthSessionAsync is used for OAuth, which properly handles the authentication session lifecycle.

4.4 Document Handling ✅

  • CFBundleDocumentTypes properly declares supported file types.
  • LSSupportsOpeningDocumentsInPlace: false ensures iOS copies shared files to the app's accessible Inbox directory, avoiding security-scoped URL issues.
  • The +not-found.tsx handler correctly intercepts iOS "Open In…" file paths.
  • UploadScreen uses expo-file-system to copy external files to cache before uploading for reliable file access.

4.5 Crash Resistance ✅

  • All network calls are wrapped in try/catch blocks.
  • Error states are displayed to users with actionable recovery options (retry buttons).
  • Permission denials are handled gracefully with explanatory messages.

5. Onboarding & First-Run Experience

5.1 Welcome Screen ✅

  • Clean, informative welcome screen with app branding and feature highlights.
  • Clear "Get Started" call-to-action leading to the login screen.
  • No misleading claims or functionality promises.

5.2 Login Flow ✅

  • Server URL entry with input validation.
  • Two clear authentication options (SSO and QR code).
  • Error handling with user-friendly alert dialogs.
  • Back navigation available from all auth screens.

5.3 First-Run Permissions ✅

  • Camera permission is requested at the point of use (when tapping Camera button), not at launch.
  • Photo library permission is requested at the point of use.
  • Push notification permission is requested after authentication, not before.
  • All permission requests include clear usage descriptions.

6. Remaining Recommendations

6.1 App Store Connect Preparation

Before submission, ensure the following are configured in App Store Connect:

  • [ ] Privacy Policy URL — must point to the server's /privacy endpoint
  • [ ] App Store description — accurate description of features
  • [ ] Screenshots — for iPhone and iPad (since supportsTablet: true)
  • [ ] App category — "Business" or "Productivity"
  • [ ] Age rating — complete the questionnaire (likely 4+)
  • [ ] Review notes — provide demo server URL and test credentials for the Apple review team
  • [ ] Privacy Nutrition Labels — declare data types collected (device ID for push notifications, authentication tokens)

While the app includes accessibilityRole and accessibilityLabel on interactive elements, consider:

  • Adding accessibilityHint to buttons where the action isn't immediately obvious.
  • Testing with VoiceOver to ensure all screens are fully navigable.
  • Ensuring all status changes are announced to screen readers.

6.3 iPad Support

The app declares supportsTablet: true. Ensure:

  • UI scales appropriately on iPad screen sizes.
  • Split View and Slide Over multitasking work correctly.
  • Touch targets remain accessible on larger screens.

6.4 Localization (Future Enhancement)

  • The app currently uses English-only strings.
  • For broader App Store reach, consider localizing the app name, description, and in-app strings.

7. Compliance Checklist Summary

Area Status Notes
Human Interface Guidelines ✅ Pass Ionicons used for platform-consistent iconography
App Icons & Visual Assets ✅ Pass All required assets provided
Device Data Usage ✅ Pass Camera, photos, notifications properly handled
Privacy Disclosures ✅ Pass Info.plist keys and privacy manifest configured
Background Modes ✅ Pass Only remote-notification declared
Restricted APIs ✅ Pass No private or deprecated APIs used
Content Standards ✅ Pass No misleading or inappropriate content
Functionality ✅ Pass Complete, functional app experience
Business Model ✅ Pass No IAP conflicts
Safety & Privacy ✅ Pass Account deletion available, privacy policy linked
Onboarding ✅ Pass Clear, permission-respectful first-run experience
Privacy Manifest ✅ Pass Required reason APIs declared

References