Mike/Kordant
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e33ddf3002631303009a57d972c725fa8961686c
Kordant/iOS/docs/reviewer-notes.md
Michael Freno e33ddf3002 feat: complete Tasks 21-28 — backend integration, security hardening, UI tests & CI 
- Add Apple Sign-In backend (JWKS verification, account linking, session management)
- Implement push notification deep linking with NotificationDeepLinkRouter
- Add jailbreak detection, runtime integrity monitoring, secure enclave service
- Implement OAuth social login, token refresh, and secure logout flows
- Add image caching (memory/disk), optimizer, upload queue, async semaphore
- Implement notification analytics, type preferences, and category setup
- Expand UI test suite with UITestBase, accessibility, auth flow, performance tests
- Add CI pipeline for iOS UI tests (3 device sizes) and performance benchmarks
- Restructure Xcode project to manual groups with KordantWidgets target
- Add SwiftLint, Swift Collections/Algorithms/GoogleSignIn dependencies
- Update project.yml for XcodeGen with new targets and configurations
2026-06-02 15:01:38 -04:00

6.4 KiB
Raw Blame History

App Store Review Notes

For Apple App Review Team — Kordant v1.0.0

Demo Account

Use the following credentials to test the app:

Field Value
Email reviewer@kordant.ai
Password Review2026!
Account type Basic (free tier)

This account has:

  • Completed onboarding
  • 3 sample alerts (exposure, breach, voice match)
  • 2 watchlist items (email + phone)
  • Active subscription status
  • Push notifications enabled

Key Features to Test

1. Authentication Flow

  1. Launch the app → see login screen
  2. Enter demo credentials → authenticate
  3. See onboarding (if using fresh account) → 4-step flow
  4. After onboarding → ATT explanation screen → choose Continue or Skip
  5. Land on Dashboard

2. Social Sign-In

  1. From login screen → "Sign in with Apple" → native Apple Sign-In sheet
  2. From login screen → "Continue with Google" → native Google Sign-In flow
  3. Both flows complete authentication and land on Dashboard

3. Dashboard (Home Tab)

  1. Threat Score gauge with animated progress ring
  2. Recent alerts list with severity badges
  3. Service summary cards (5 services)
  4. Quick action buttons (Scan, Alerts, Profile, Settings)
  5. Pull-to-refresh to reload data
  6. Deep link from push notification → specific alert detail

4. Services (Tab 2)

  1. DarkWatch — Dark web monitoring, watchlist management, exposure tracking
  2. VoicePrint — Voice enrollment for AI cloning detection, call analysis settings
  3. SpamShield — Call/SMS spam protection, blocked numbers, spam rules
  4. HomeTitle — Property title monitoring, add/remove properties
  5. Remove Brokers — Data broker removal requests, listing tracking

5. Alerts (Tab 3)

  1. List of all alerts with severity indicators
  2. Pull-to-refresh
  3. Pagination (infinite scroll)
  4. Tap alert → detail view with full context
  5. Mark as read / resolve alert

6. Settings (Tab 4)

  1. Account section — edit name/email, save changes
  2. Subscription section — current plan, renewal date, upgrade button
  3. Preferences — theme (light/dark/system), push notifications, biometric auth
  4. Voice Call Analysis — toggle, auto-block synthetic, audio retention
  5. Privacy & Analytics — ATT status, enable/disable analytics
  6. Siri Shortcuts — configure shortcuts for common actions
  7. SpamShield Protection — manage spam rules
  8. Family Group — invite family members
  9. Danger Zone — log out

7. Account (Tab 5)

  1. Profile with avatar and contact info
  2. Log out button

Complex Features Explained

App Tracking Transparency (ATT)

  • The app shows a pre-dialog explanation screen before the system ATT prompt
  • This explains what data may be collected and why
  • User can choose "Continue" (shows system prompt) or "Skip" (anonymous analytics only)
  • Analytics respects the user's choice — no tracking without consent
  • User can change their choice in Settings → Privacy & Analytics

Subscription Model (Web Billing)

  • Subscriptions are managed via Stripe Customer Portal (web billing)
  • The "Upgrade Plan" button opens the billing portal in Safari
  • This is compliant with App Store Guidelines because:
    • Subscriptions are for access to monitoring services (not digital content consumed within the app)
    • The service runs server-side (dark web scanning, data broker monitoring)
    • Web billing is appropriate for service-based subscriptions

Jailbreak Detection & Degraded Mode

  • On launch, the app runs security checks (jailbreak detection, runtime integrity)
  • If a jailbreak is detected, the app enters "degraded mode":
    • Security warning banner displayed
    • Biometric auth disabled
    • Sensitive data access restricted
    • All activity logged
  • The app remains functional but with reduced capabilities on compromised devices

CallKit SpamShield Extension

  • The app includes a Call Directory extension for spam call filtering
  • Blocked numbers are synced from the server every 15 minutes
  • The extension reloads when new numbers are added/removed
  • Requires user to enable Call Screening in Settings → Phone → Call Blocking & Identification

Siri Shortcuts

  • Siri intents are donated after onboarding completion
  • Available shortcuts:
    • "Check my alerts with Kordant" → opens alerts tab
    • "Run a scan with Kordant" → triggers dark web scan
    • "Check my threat score with Kordant" → opens dashboard

Home Screen Widgets

  • Small: Threat score gauge
  • Medium: Threat score + 2 recent alerts
  • Large: Full dashboard with score, alerts, stats, quick actions
  • Widgets refresh every 15 minutes via background fetch
  • Widget data shared via App Group container

Background Modes

The app uses two background modes:

  1. Background Fetch — Refreshes data every ~15 minutes
  2. Remote Notifications — Receives push notifications for alerts

Both are declared in Info.plist under UIBackgroundModes.

Push Notification Deep Links

Push notifications deep link to specific screens:

  • screen: "alerts" + id → specific alert detail
  • screen: "alerts" → alerts tab
  • screen: "dashboard" → dashboard
  • screen: "settings" → settings
  • screen: "darkwatch" → DarkWatch service
  • screen: "voiceprint" → VoicePrint service
  • screen: "spamshield" → SpamShield service
  • screen: "removebrokers" → Remove Brokers service

Privacy

  • Privacy manifest (PrivacyInfo.xcprivacy) declares all data collection
  • No tracking across third-party apps or websites (NSPrivacyTracking: false)
  • Data collected: Name, Email, Audio (voice samples), User ID, Device ID, Product Interaction, Crash Data
  • Data linked to user: Name, Email, Audio, User ID, Device ID
  • Data unlinked: Product Interaction, Crash Data
  • No third-party tracking domains

Notes for Reviewer

  1. First launch experience: The app shows onboarding → ATT explanation → Dashboard
  2. If ATT is skipped: Analytics runs in anonymous mode (no IDFA, no device identifiers)
  3. If notifications are denied: App functions normally, just no push alerts
  4. If biometric is unavailable: Falls back to password-only authentication
  5. Offline behavior: App caches data and syncs when connection is restored
  6. Error states: All network failures show user-friendly error messages with retry option

Contact

If you have questions during review, please use the App Store Connect messaging system.

Reference in New Issue View Git Blame Copy Permalink