Access to private Apple APIs prevents acceptance to App Store #206

Closed
jbelkins opened this issue Oct 30, 2023 · 4 comments
Labels
bug This issue is a bug. investigating This issue is being investigated and/or work is in progress to resolve the issue.

Comments

@jbelkins
Contributor

jbelkins commented Oct 30, 2023

Describe the bug

The following ticket was filed by a customer on AWS SDK for Swift: awslabs/aws-sdk-swift#1204

Since the source of this issue is likely cryptography components in aws-crt-swift, I am filing this ticket with the original report from the customer.


Describe the bug

We are using the AWS SDK to access an S3 bucket on our iOS app. Since the latest Xcode update we are getting a "Non-public API usage" error when we try to upload our iOS app to Test Flight:

ITMS-90338: Non-public API usage - The app references non-public symbols in {PROJECT_NAME}: _CCCryptorGCMAddAAD, _CCCryptorGCMAddIV, _CCCryptorGCMFinal, _CCCryptorGCMFinalize, _CCCryptorGCMSetIV. If method names in your source code match the private Apple APIs listed above, altering your method names will help prevent this app from being flagged in future submissions. In addition, note that one or more of the above APIs may be located in a static library that was included with your app. If so, they must be removed. For further information, visit the Technical Support Information at http://developer.apple.com/support/technical/

We have identified that after removing the AWS SDK from our app, we stopped getting this warning.

Expected Behavior

The AWS SDK shouldn't use any private Apple APIs so apps can be submitted to Test Flight and the App Store.

Current Behavior

We are getting the following error when we submit our app to Test Flight:

ITMS-90338: Non-public API usage - The app references non-public symbols in {PROJECT_NAME}: _CCCryptorGCMAddAAD, _CCCryptorGCMAddIV, _CCCryptorGCMFinal, _CCCryptorGCMFinalize, _CCCryptorGCMSetIV. If method names in your source code match the private Apple APIs listed above, altering your method names will help prevent this app from being flagged in future submissions. In addition, note that one or more of the above APIs may be located in a static library that was included with your app. If so, they must be removed. For further information, visit the Technical Support Information at http://developer.apple.com/support/technical/

Here is a screenshot of the Xcode search for one of the restricted APIs:
Screenshot 2023-10-30 at 17 01 56

Reproduction Steps

Integrate the SDK into any iOS app and try to access an object from a private S3 bucket (using IAM credentials).

Possible Solution

No response

Additional Information/Context

No response

AWS SWIFT SDK version used

0.28.0

Compiler and Version used

Xcode 15.0, swift-driver version: 1.87.1 Apple Swift version 5.9

Operating System and version

iOS, any version

Expected Behavior

App including aws-sdk-swift and its dependencies should be accepted for upload by App Store Connect without warning messages or errors.

Current Behavior

App was accepted by App Store Connect, but with the warning above, which would cause rejection if the app were to then be submitted for review.

Reproduction Steps

  1. Upload app to App Store Connect
  2. Observe warning messages generated when upload is processed

(SDK team will provide support to retest this when API changes are made)

Possible Solution

Use only public APIs on Apple frameworks

Additional Information/Context

No response

aws-crt-swift version used

0.13.0

Compiler and Version used

Xcode 15.0 / Swift 5.9

Operating System and version

iOS (any)


@jbelkins
Contributor Author

jbelkins commented Oct 30, 2023

The amplify-swift SDK has a related issue: aws-amplify/amplify-swift#3324

Of note, Amplify reports that the problem does not exist in aws-sdk-swift 0.13.0, which requires aws-crt-swift 0.6.1

@atierian
Member

Adding some findings from our (amplify-swift) investigation.

It appears that the addition of common_cryptor_spi.h is the culprit here - added in:

I've only been able to reproduce the reported App Store rejection by:

  1. distributing a DEBUG build.
    -- or --
  2. wrapping Amplify Swift (+ upstream: aws-sdk-swift, aws-crt-swift) in a framework, then linking that framework against my app target.

For 2., here's a simplified example:
AwsCommonRuntimeKit --> MyApp

> xcodebuild archive ...
> nm -m <archive-path>.xcarchive/Products/Applications/my_app.app/my_app | grep CCCryptorGCM # no results

AwsCommonRuntimeKit --> wrapper.framework --> MyApp

> xcodebuild archive ...
> nm -m <archive-path>.xcarchive/Products/Applications/my_app.app/Frameworks/wrapper.framework/wrapper | grep CCCryptorGCM
                 U _CCCryptorGCMAddAAD
                 U _CCCryptorGCMFinalize
                 U _CCCryptorGCMSetIV

Based on a dwarfdump of the framework, these symbols are coming from aws-c-cal/source/darwin/common_cryptor_spi.h.

> llvm-dwarfdump <archive-path>.xcarchive/dSYMs/wrapper.framework.dSYM | grep CCCryptorGCM -A 1
                DW_AT_name	("CCCryptorGCMSetIV")
                DW_AT_decl_file	("/.../checkouts/aws-crt-swift/aws-common-runtime/aws-c-cal/source/darwin/common_cryptor_spi.h")
--
                DW_AT_name	("CCCryptorGCMAddAAD")
                DW_AT_decl_file	("/.../checkouts/aws-crt-swift/aws-common-runtime/aws-c-cal/source/darwin/common_cryptor_spi.h")
--
                DW_AT_name	("CCCryptorGCMFinalize")
                DW_AT_decl_file	("/.../checkouts/aws-crt-swift/aws-common-runtime/aws-c-cal/source/darwin/common_cryptor_spi.h")

From briefly poking around aws-crt-swift, I'm only seeing two files that actually import AwsCCal; neither show an obvious code path to these SPI methods.
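
Added example (not part of the comment above and not code from aws-crt-swift or amplify-swift): a pre-upload check that turns the `nm` inspection described above into an exact-match scan for the five symbols named in the ITMS-90338 message. The function names and the sample `nm` output are constructed for illustration.

```shell
#!/bin/sh
# Symbols named in the ITMS-90338 message quoted in this issue.
FLAGGED='_CCCryptorGCMAddAAD _CCCryptorGCMAddIV _CCCryptorGCMFinal _CCCryptorGCMFinalize _CCCryptorGCMSetIV'

# flagged_undefined (hypothetical helper): reads nm output on stdin and prints
# each flagged symbol that is an undefined (imported) reference. Handles the
# short form ("U _sym") and the -m form ("(undefined) external _sym (from ...)").
# Names are matched exactly, so _CCCryptorGCMFinal and _CCCryptorGCMFinalize
# are told apart and a locally defined look-alike is ignored.
flagged_undefined() {
    awk -v list="$FLAGGED" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        {
            sym = ""
            if ($1 == "U") { sym = $2 }
            else if ($1 == "(undefined)") {
                for (i = 2; i <= NF; i++) if ($i ~ /^_/) { sym = $i; break }
            }
            if (sym in want) print sym
        }' | sort -u
}

# scan_dir (hypothetical helper): runs nm -m on every file under a directory,
# e.g. <archive-path>.xcarchive/Products, and prints "file: symbol" per hit.
# Returns 1 if any flagged import is found, 0 otherwise.
scan_dir() {
    found=0
    list=$(mktemp) || return 2
    find "$1" -type f > "$list"
    while IFS= read -r f; do
        hits=$(nm -m "$f" 2>/dev/null | flagged_undefined)
        for s in $hits; do found=1; printf '%s: %s\n' "$f" "$s"; done
    done < "$list"
    rm -f "$list"
    return "$found"
}

# Constructed sample of nm output (not taken from a real build).
sample_nm_output() {
    cat <<'EOF'
0000000000004000 T _wrapper_init
                 U _CCCryptorGCMAddAAD
                 U _CCCryptorGCMFinalize
                 (undefined) external _CCCryptorGCMSetIV (from libcommonCrypto)
                 (undefined) external _CCCryptorCreate (from libcommonCrypto)
0000000000004100 t _my_CCCryptorGCMFinal_wrapper
EOF
}
```

Point `scan_dir` at the archive's `Products` directory so embedded frameworks are covered as well as the app binary; in the investigation above the imports showed up only in the wrapper framework.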

@graebm graebm added investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-triage This issue or PR still needs to be triaged. labels Oct 30, 2023
graebm added a commit to awslabs/aws-c-cal that referenced this issue Oct 30, 2023
**Issue:**
App Store submissions are being rejected due to use of non-public CommonCrypto functions for doing AES GCM:
- awslabs/aws-crt-swift#206
- aws-amplify/amplify-swift#3324

There are no public APIs for doing AES GCM via CommonCrypto

**Description of changes:**
Remove the code for doing AES GCM (via non-public CommonCrypto functions) on iOS, watchOS, etc
@graebm
Contributor

graebm commented Oct 30, 2023

Fixed in 0.17.0

@graebm graebm closed this as completed Oct 30, 2023
@github-actions

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
