If we're going feudal, it would be a good idea to provide justice to the commoners like feudal lords were obliged to do.
I.e. all these "tech companies" that want people to have accounts (and be heavily invested and/or dependent on them) should not be able to cancel those accounts without due process. This should be a legal requirement for them to operate at all.
'Recently', how long are we talking here? You've already emailed the execs; if they think it's worthy of review they'll assign someone to you. It can take a few days.
Honestly, HN is a great customer support forum, considering so many posts actually get treated better than when just using standard customer support (many startups and other companies paying attention to it helps a bunch). It has to have more merit some of the time (this is not to say it is an assessment of what you are saying at all).
Unfortunately you probably need to think about this from the point of view of an anti-fraud/abuse team. How would you differentiate between a business that had an employee go rogue and a business deliberately trying to cause harm and get away with it?
Claiming you fired the party responsible isn't very convincing, honestly, especially if it's hard to verify: was it an alias? Did the employee only exist on paper? Are they still around, just not "employed"? Were they a designated patsy? Nor are claims that you revamped your security, which doesn't address the root problem of whether it was intentional behaviour or not. And what's worse, the natural urgency and appeals to emotion that you include in your story are unfortunately widely used tactics by scammers to try to get a human to bend rules to their benefit, and reviewers are trained to treat them as such. You need hard evidence.
How can you demonstrate that you didn't know what the employee was doing? Have you reported the employee to the police? Is there a criminal case you can point to? Simply having a bad process before could very easily have been an intentional way to avoid knowledge of wrongdoing, another common tactic used by criminal orgs.
This post is so light on the details (what? when?) that it’s impossible for me to be supportive.
OP: I suggest being MUCH more transparent when asking for help.
For all we know you are running a scam center support app. Consider the outraged posts that make it to the front page, essentially complaining about how their MLM bitcoin scam has been shut down.
Your issue might not be just the rogue employee leaking certificates; it sounds like you were sharing one Apple Developer account between multiple developers, which is also against their T's & C's.
Really every developer should have their own account and work on their own machine
If you were all using the one account on the same machine, then Apple has no way of telling who did what
> it sounds like you were sharing one Apple Developer account between multiple developers which is also against their T's & C's
Whether that's the case or not here (I don't know), taking a look at the big picture: imagine if in the 90s Apple could have come in to a software company and dictated what development practices and account management they must follow to ship software for a Mac! It would've been instant outrage. Anyone was free to write and ship software however they liked. How low we have fallen to allow near-monopolies to dictate terms.
I think the earlier comment was asking about transparency about your product. What is it and exactly what does it do? And also what exactly did the rogue employee do?
Some of these details might allow the community to decide if Apple is being unfair or there is actual cause for concern. We have so far seen a very one-sided story.
I love this thread full of people asking "what did the employee do?" and not "why do Apple and Google have the right to control distribution of all mobile software with no recourse?". It honestly does not matter, in any way, what the employee did. Apple should not be the final arbiter of who is allowed to develop mobile software.
> Apple should not be the final arbiter of who is allowed to develop mobile software.
That is the big picture here. Details aside, one company should not have the power to dictate how developers write software for their customers, just because those happened to purchase hardware from the big company.
If you think of this in terms of how the world existed prior to mobile, it would've been insane for any general purpose compute device (Apple ][, C64, IBM PC, etc).
This is just one of the many risks you take when your app or service is dependent on some other third party service. Even if it is run by 'the big boys' (in this case Apple), your success is dependent on their good graces.
They can kick you out and make your software the equivalent of bricked hardware; without any means to appeal their decisions.
They aren't dependent on a third-party "service", exactly. If you make software for phones, the most popular hardware platform in the world at 8 billion devices, you are at the complete mercy of Apple/Google, period.
> Even if it is run by 'the big boys' (in this case Apple), your success is dependent on their good graces.
Not "even if" though, it is "particularly if". The big boys don't have to care, so they don't care, because what are you going to do. They have all the power, you have none.
If you are going to depend on a third party it is best to depend on small ones where they need you as a customer as much as you need them as a service. In an equal relationship you can always reach a human to have a dialogue about any issues that arise.
Of course, if you're targeting a mobile platform, you're out of luck. Best to target the open web if at all possible.
I am very sorry for your loss and the harm it is causing you.
Unfortunately, this is one of the risks of handing control over your future to the tyrants who run walled gardens.
While you can't undo the past, the silver lining of this experience is that it has clarified to you that Apple is an abusive, unfair, and unreasonable corporation that you should avoid doing business with.
As an immediate action, I'm sure it's not what you want to hear, but HTML5 and WASM have come a long way, and mobile web applications are increasingly converging on the capabilities of native mobile applications. While a rewrite will not be cheap or easy, ensuring you can offer service to your users without having to ask an abusive tyrant for permission ensures you are at less risk of this kind of tyranny and the disruption and harm it inflicts upon you and your users in the future.
I am sympathetic to the victims of Apple's tyranny (as well as Google's, Microsoft's, and others), and I know I can't solve the problem by myself, but I would like to help in a more material way - do you have a Bitcoin address I can send a donation to?
The lack of empathy in the comments is appalling. This could happen to anyone, and the inability to reach a human to fix it is extremely poor customer service.
Apple is purposefully pretty vague on their security practices so people don't try to game them. They are transparent, though, in that they are pretty strict: 8000 dev account appeals and only 225 reinstatements in 2024 https://discussions.apple.com/thread/256187336?sortBy=rank
Since you fired someone, that would suggest you had something more than just a cert leak to a public GitHub. Did your appeal include an RCA covering what actions the employee did that you identified, then an action plan to prevent it in future? In banking security at least, and it's probably pretty similar here, we would see a lot of scapegoating in submitted RCAs, which was frowned upon. It is a failure of process that allowed an employee to do something undetected, so identify the action and how it went undetected; your action plan should cover both. Don't rush into spamming them until you are confident in your plan. How is the cert stored on the NAS / machine, what access controls are on that machine, and what is the data loss prevention strategy for your cert? What monitoring of cert usage do you have? Are App Store submissions sent to an email all have access to, or to the company lead?
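Added example, not from the thread or any commenter: a small scanner for the data-loss-prevention question raised above, i.e. catching signing material in a source tree before it can be pushed to a public GitHub. It flags PEM private keys, PKCS#12 bundles (.p12/.pfx, which carry the signing key), provisioning profiles, and base64-encoded DER certificates pasted into CI config (a DER blob base64-encodes to a string starting with "MII"). The file names, the CI variable name and all sample contents are constructed assumptions; a bare public certificate block is deliberately not flagged.

```python
import os
import re
import tempfile
from pathlib import Path

# Markers for the artefacts most often leaked from an iOS build pipeline.
PEM_PRIVATE_KEY = re.compile(rb"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----")
# A DER blob (PKCS#12 or X.509) base64-encodes to a string starting with "MII";
# this catches one pasted into CI config, e.g. BUILD_CERTIFICATE_BASE64: "MIIK..."
B64_CERT_IN_CONFIG = re.compile(
    rb"(?:p12|pfx|cert(?:ificate)?|signing_key)[A-Z0-9_]*\s*[:=]\s*[\"']?MII[A-Za-z0-9+/=]{60,}",
    re.IGNORECASE,
)
KEY_BUNDLE_EXT = {".p12", ".pfx"}          # PKCS#12: carries the private key
PROFILE_EXT = {".mobileprovision", ".provisionprofile"}
CONFIG_EXT = {".yml", ".yaml", ".env", ".json", ".sh", ".xcconfig", ".plist"}
SKIP_DIRS = {".git", "DerivedData"}        # assumption: not scanned
MAX_BYTES = 4 * 1024 * 1024                # signing material is small; skip big binaries


def classify(path: Path, data: bytes) -> list[str]:
    """Return the reasons (possibly none) a file looks like leaked signing material."""
    reasons: list[str] = []
    ext = path.suffix.lower()
    if ext in KEY_BUNDLE_EXT and data[:2] == b"\x30\x82":
        # DER SEQUENCE with long-form length: the outer PFX structure of a .p12
        reasons.append("pkcs12-bundle")
    if ext in PROFILE_EXT or b"<key>TeamIdentifier</key>" in data:
        # Profiles are CMS-signed but embed a plaintext plist naming the team and devices
        reasons.append("provisioning-profile")
    if PEM_PRIVATE_KEY.search(data):
        reasons.append("pem-private-key")
    if ext in CONFIG_EXT and B64_CERT_IN_CONFIG.search(data):
        reasons.append("base64-cert-in-config")
    # A bare "-----BEGIN CERTIFICATE-----" block is public and is not flagged.
    return reasons


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Walk `root` and map each suspicious file (POSIX-style relative path) to its reasons."""
    findings: dict[str, list[str]] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            p = Path(dirpath) / name
            try:
                if p.stat().st_size > MAX_BYTES:
                    continue
                data = p.read_bytes()
            except OSError:
                continue
            reasons = classify(p, data)
            if reasons:
                findings[p.relative_to(root).as_posix()] = reasons
    return findings


def build_sample_tree(root: Path) -> None:
    """Write constructed sample files (not real keys or profiles) for a demonstration run."""
    files = {
        "ios/certs/dist.p12": b"\x30\x82\x05\x12" + b"\x00" * 64,
        "ios/certs/dist.cer": b"-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----\n",
        "ios/profiles/app.mobileprovision": b"\x30\x82\x20\x00<plist><key>TeamIdentifier</key></plist>",
        "keys/apple-dev.key": b"-----BEGIN PRIVATE KEY-----\nMIIEvQ...\n-----END PRIVATE KEY-----\n",
        ".github/workflows/release.yml": b"env:\n  BUILD_CERTIFICATE_BASE64: \"MII" + b"A" * 80 + b"\"\n",
        ".git/objects/pack/leaked.p12": b"\x30\x82\x01\x00",   # under a skipped directory
        "README.md": b"# Example app\n",
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def demo() -> dict[str, list[str]]:
    """Build the constructed tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, why in sorted(demo().items()):
        print(f"{rel}: {', '.join(why)}")
```

Run it as a pre-commit hook or a CI step on the checkout and fail the build on any finding; the public .cer and the README come back clean, while the .p12, the private key, the profile and the CI variable are all reported.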
Best of luck.
How hard would it be to rewrite it for the web?
If it's React Native or Flutter, probably not that hard. You can go back online with some struggle, but it's at least a way.