App Store rejection due to private API usage on iOS

[StasDzundzaGL]

Describe the bug

iOS app, which uses the latest version of the AWS SDK (1.11.561 static), is being rejected by Apple during the validation process when uploading to App Store Connect. See the current behaviuor and steps to reproduce for more details.

Regression Issue

• Select this option if this issue appears to be a regression.

Expected Behavior

App Store app bundle validation passes without any issues when app uses the AWS SDK.

Current Behavior

App Store validation fails with the following error message:

The app references non-public symbols in Payload/App.app:
_CCCryptorGCMAddAAD, _CCCryptorGCMFinalize, _CCCryptorGCMSetIV

Reproduction Steps

1. Build OpenSsl and cURL for iOS.
2. Configure AWS SDK as follows:

cmake . -B ./build -G Xcode -Wno-dev -DCMAKE_BUILD_TYPE=Release -DCPP_STANDARD=17
-DBUILD_SHARED_LIBS=OFF -DTARGET_ARCH=APPLE -DBUILD_ONLY="core;cognito-idp"
-DBUILD_DEPS=ON -DENABLE_TESTING=OFF -DAWS_SDK_WARNINGS_ARE_ERRORS=OFF
-DCMAKE_INSTALL_PREFIX=../install/awssdk
-DCMAKE_OSX_SYSROOT=/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS.sdk
-DCMAKE_OSX_ARCHITECTURES=arm64
-DCMAKE_SYSTEM_NAME=Darwin
-DCMAKE_OSX_DEPLOYMENT_TARGET="13.0"
-DENABLE_CURL_CLIENT=ON
-DCURL_INCLUDE_DIR=/path/to/curl/include
-DCURL_LIBRARY=/path/to/curl/lib/libcurl.a
-DENABLE_OPENSSL_ENCRYPTION=ON
-DUSE_OPENSSL=ON
-DOPENSSL_CRYPTO_LIBRARY=/path/to/openssl/lib/libcrypto.a
-DOPENSSL_SSL_LIBRARY=/path/to/openssl/lib/libssl.a
-DOPENSSL_INCLUDE_DIR=/path/to/openssl/include

3. Build it

cmake --build ./build --config=Release --target install --parallel

4. Link it to your app and try upload it to the App Store

Possible Solution

Maybe allowing of custom openssl and libcrypto usage would resolve the problem.

Additional Information/Context

There was the same issue a long time ago: #1619. Building the SDK with the following arguments -DENABLE_OPENSSL_ENCRYPTION=ON -DOPENSSL_CRYPTO_LIBRARY=/path/to/lib/openssl-1.1.1k/ios/lib/libcrypto.a -DOPENSSL_SSL_LIBRARY=/path/to/lib/openssl-1.1.1k/ios/lib/libssl.a -DOPENSSL_INCLUDE_DIR=/path/to/lib/openssl-1.1.1k/ios/include resolves this issue for old SDK versions (like 1.9.220), but new SDK versions don't use given OPENSSL_SSL_LIBRARY option:

CMake Warning:
  Manually-specified variables were not used by the project:

    OPENSSL_SSL_LIBRARY

AWS CPP SDK version used

1.11.561

Compiler and Version used

Apple clang version 17.0.0 (clang-1700.0.13.3) Target: arm64-apple-darwin24.4.0

Operating System and version

macOS 15.4.1

[sbiscigl]

So those symbols are actually referenced by our dependency aws-c-cal. and it looks like in c-cal they will compile using platform dependent sources even if you explicitly call for -DUSE_OPENSSL=ON. my guess is the behavior that you want is that if you specify -DUSE_OPENSSL=ON you want to only use the openssl that you have specified statically in your build.

Let me talk to the c-cal team about this

[sbiscigl]

Created a PR to create a cmake option to enable AWS_APPSTORE_SAFE in aws-c-cal code.

i.e.

cmake -DAWS_APPSTORE_SAFE=ON

will configure the SDK to be built without the private APIs that trigger the app store rejection. Enabling this however will result in AES-GCM encryption being broken by default. In your use case though you are likely not using that.

In your use case what this will end up looking like is that libcurl will use the statically linked openssl for TLS as expected. However the SDK uses aws-c-cal for several cryptographic hashes and checksum. Most notably for sig-v4 signing. Those will use the apple common crypto implementation. The reason that c-cal does this is to prevent binary size blowup.

If you want to be able to specify to use openssl on mac, would suggest opening a feature request on their repo. Otherwise this cmake argument should get you what you need. Let me know if you have any questions about that explanation.

[StasDzundzaGL]

@sbiscigl I've tested changes in your PR and configured AWS SDK with -DAWS_APPSTORE_SAFE=ON. There is still the following message in the logs:

CMake Warning:
  Manually-specified variables were not used by the project:

    OPENSSL_SSL_LIBRARY

However, since App Store validation passes, I don't think it matters.

The issue can be resolved once your PR is merged. Thank you!

[sbiscigl]

There is still the following message in the logs:

thats saying that cmake argument isnt used by us. any argument you give to cmake that isnt used will emit that error

$ cmake -DFOO=ON ..
-- The C compiler identification is AppleClang 15.0.0.15000309
-- The CXX compiler identification is AppleClang 15.0.0.15000309
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Check for working C compiler: /usr/bin/cc - skipped
-- Detecting C compile features
-- Detecting C compile features - done
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Check for working CXX compiler: /usr/bin/c++ - skipped
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Configuring done (1.7s)
-- Generating done (0.0s)
CMake Warning:
  Manually-specified variables were not used by the project:

    FOO

so its safe to remove that argument as it is not used.

App Store validation passes

nice! glad we could help

[sbiscigl]

alright merged change, will be tagged as part of a release this afternoon, resolving. give a shout if you see anything else!

[github-actions]

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.