The End of Permanent Eraser in the Mac App Store

17th June 2020 | Programming

I've had a tenuous relationship with the Mac App Store (MAS). The first version of Permanent Eraser to be released on MAS was 2.5.3 over eight years ago. When I tried to release version 2.6.0, it was rejected due to the optional plug-in (which was also present in the previous version). Since this was an important component to Permanent Eraser, I did not bother trying to release 2.6.0 on MAS. Years later I started getting reports from people that Permanent Eraser was not working for them, and I determined the issue was they were running the older MAS version of Permanent Eraser which encountered an issue on macOS Sierra due to that the srm utility had been removed from the operating system. Permanent Eraser 2.6.0 added a custom build of srm which allowed for alternate erasing patterns, but Permanent Eraser 2.5.3 still relied on the version of srm which had previously been supplied by the operating system. I ended up releasing Permanent Eraser 2.7.2 and 2.7.3 onto the Mac App Store without any memorable issues or complications. I did not bother releasing Permanent Eraser 2.8.0 on MAS since the new feature to be able erase protected files required authorization rights, which would not have been permitted in a MAS version of the app. This brings us up to the current version of Permanent Eraser.

Due to the issue where Permanent Eraser 2.8.1 was getting a Gatekeeper warning (Apple cannot check for malicious software) when launching in macOS Catalina, I decided that perhaps submitting the latest version of the app to the Mac App Store would be a workaround for this particular issue until I can resolve it.

It's been several years since the last Mac App Store version of Permanent Eraser and things have certainly changed in that time. Application Loader has been retired and has been replaced by altool and Transporter. The latter tool can upload ipa and pkg files, so I needed to bundle up the Mac app into a package. To do so, I packaged Permanent Eraser using the following (not entirely correct) command:

productbuild --component ./Permanent\ Eraser.app/ /Applications/ PermanentEraser.pkg

I then submitted the app via Transporter, and after a couple minutes of validation, it returned six errors.

ERROR ITMS-90237: "The product archive package's signature is invalid. Ensure that it is signed with your "3rd Party Mac Developer Installer" certificate."

ERROR ITMS-90240: "Unsupported Architectures. Your executable contained the following disallowed architectures: '[i386 (in com.edenwaith.mac.permanenteraser.pkg/Payload/Permanent Eraser.app/Contents/Library/Automator/Erase.action/Contents/MacOS/Erase), none (in com.edenwaith.mac.permanenteraser.pkg/Payload/Permanent Eraser.app/Contents/Library/Automator/Erase.action/Contents/MacOS/Erase)]'. New apps submitted to the Mac App Store must support 64-bit starting January 2018, and Mac app updates and existing apps must support 64-bit starting June 2018."

ERROR ITMS-90240: "Unsupported Architectures. Your executable contained the following disallowed architectures: '[i386 (in com.edenwaith.mac.permanenteraser.pkg/Payload/Permanent Eraser.app/Contents/Library/Automator/EraseFreespace.action/Contents/MacOS/EraseFreespace), none (in com.edenwaith.mac.permanenteraser.pkg/Payload/Permanent Eraser.app/Contents/Library/Automator/EraseFreespace.action/Contents/MacOS/EraseFreespace)]'. New apps submitted to the Mac App Store must support 64-bit starting January 2018, and Mac app updates and existing apps must support 64-bit starting June 2018."

ERROR ITMS-90240: "Unsupported Architectures. Your executable contained the following disallowed architectures: '[i386 (in com.edenwaith.mac.permanenteraser.pkg/Payload/Permanent Eraser.app/Contents/Library/Automator/EraseTrash.action/Contents/MacOS/EraseTrash), none (in com.edenwaith.mac.permanenteraser.pkg/Payload/Permanent Eraser.app/Contents/Library/Automator/EraseTrash.action/Contents/MacOS/EraseTrash)]'. New apps submitted to the Mac App Store must support 64-bit starting January 2018, and Mac app updates and existing apps must support 64-bit starting June 2018."

ERROR ITMS-90240: "Unsupported Architectures. Your executable contained the following disallowed architectures: '[i386 (in com.edenwaith.mac.permanenteraser.pkg/Payload/Permanent Eraser.app/Contents/MacOS/Permanent Eraser, com.edenwaith.mac.permanenteraser.pkg/Payload/Permanent Eraser.app/Contents/Resources/srm), none (in com.edenwaith.mac.permanenteraser.pkg/Payload/Permanent Eraser.app/Contents/Resources/srm)]'. New apps submitted to the Mac App Store must support 64-bit starting January 2018, and Mac app updates and existing apps must support 64-bit starting June 2018."

WARNING ITMS-90788: "Incomplete Document Type Configuration. The CFBundleDocumentTypes dictionary array in the 'com.edenwaith.mac.permanenteraser' Info.plist should contain an LSHandlerRank value for the CFBundleTypeName 'All' entry. Refer to https://developer.apple.com/library/archive/documentation/General/Reference/ InfoPlistKeyReference/Articles/CoreFoundationKeys.html#//apple_ref/doc/uid/TP40009249-SW1 for more information on the LSHandlerRank key."

Lovely. Fortunately, most of these issues were relatively easy to fix.

Code Signing a Package

For the first issue, I originally thought it was questioning which certificate I used to sign the app. My code signing of the app was correct, it was code signing the package file which I forgot to do. I logged into the Apple Developer portal and created a new Mac Installer Distribution certificate which I could use to properly sign the pkg file. Once I had the new certificate, I then built and signed the package:

productbuild --component ./Permanent\ Eraser.app/ /Applications/ PermanentEraser.pkg --sign "3rd Party Mac Developer Installer: John Doe (12AB34567C)"

Removing the Fat

For years, Apple has been heavily "encouraging" developers to ensure that their software is entirely 64-bit compliant. Things ultimately came to a head with the release of macOS Catalina which disallowed any 32-bit software and brought about the end to older applications and frameworks. Current trending predictions are that Apple will soon announce that they will be transitioning their Macs over to ARM processors, and if so, the movement towards 64-bit software might have been part of a multi-year plan.

Four of the warnings complain about the presence of any non-64 Intel architectures. There are two different command line tools which can be used to see what architectures are present in a binary: file and lipo. The following displays what architectures were present in the secure removal utility srm:

% file srm
srm: Mach-O universal binary with 4 architectures: [ppc_7400:Mach-O executable ppc_7400] [x86_64:Mach-O 64-bit executable x86_64]
srm (for architecture ppc7400):	Mach-O executable ppc_7400
srm (for architecture ppc64):	Mach-O executable ppc64
srm (for architecture i386):	Mach-O executable i386
srm (for architecture x86_64):	Mach-O 64-bit executable x86_64

% lipo -info srm
Architectures in the fat file: srm are: ppc7400 ppc64 i386 x86_64 

The results show that srm contained four architectures, two for PowerPC (ppc7400 and ppc64), and two for Intel (i386 and x86_64). To remove the unwanted architectures, we use lipo, a utility which does what it sounds like: it sucks out the fat from a fat binary.

% lipo -remove ppc7400 srm -o srm
% lipo -remove ppc64 srm -o srm
% lipo -remove i386 srm -o srm
% lipo -info srm
Architectures in the fat file: srm are: x86_64

After this "surgery", srm has been slimmed down so it now only contains the 64-bit Intel architecture.

LSHandlerRank

The last issue was relatively trivial, but did require a bit of research to determine how I was going to fix the issue. I ultimately just needed to add the LSHandlerRank key-value pair in the app's Info.plist file. As things change over time, Apple's requirements and expectations have, as well, including minor issues such as this.


<key>CFBundleDocumentTypes</key>
<array>
	<dict>
		<key>CFBundleTypeExtensions</key>
		<array>
			<string>*</string>
		</array>
		<key>CFBundleTypeName</key>
		<string>All</string>
		<key>CFBundleTypeOSTypes</key>
		<array>
			<string>****</string>
		</array>
		<key>CFBundleTypeRole</key>
		<string>Editor</string>
		<key>LSHandlerRank</key>
		<string>Alternate</string>
	</dict>
</array>

Now that I had fixed these six issues, I resubmitted the build, and it passed the automatic verification step. Next came the real fun: the App Review.

App Review: Round 1 - Prepopulating the Full Disk Access List

One thing I found recently is that reviews for Mac apps tend to occur within a couple of hours of being submitted during the weekdays, whereas an iOS app can take around a day (which is still far better than the 10-14 day review process it used to take). So I ended up getting my first reviewer rejection fairly quickly.

Guideline 2.1 - Performance

We discovered one or more bugs in your app when reviewed on Mac running macOS 10.15.4.

Specifically, your app does not display in the Full Disk Access menu to be enabled for use.

In my initial testing of Permanent Eraser 2.9.0 (which predated PE 2.8.1), I saw Permanent Eraser listed in the Full Disk Access list, but in later builds of Permanent Eraser 2.8.1, I was no longer seeing that listed. To detect if Full Disk Access needed to be enabled, I checked to see if the user's Trash could be read. If not, then I assumed that Full Disk Access was not enabled. The extra trick here is that the code needs to try and access the contents of the Trash to act as the trigger so that Permanent Eraser would be pre-populated in the Full Disk Access list.

Once I updated my code, I submitted the app again.

App Review: Round 2 - Rejected for the Help Files

Design Preamble

The user interface of your app is not consistent with the macOS Human Interface Guidelines.

Specifically, we found that the content gets cut off when resizing the app window to a smaller size. When resizing it to the minimum size, the content disappears.

Upon initially reading this rejection, I was confused. The Permanent Eraser window does not resize, so I did not understand what their complaint would be or how the app was not adhering to good HIG. Fortunately, a screenshot was attached...of the help viewer. Since Catalina displays a more narrow help viewer window, the landing page of the help files were cut off on the right (but easily visible by resizing the window). I rejected this rejection and notified the reviewer that this was not a valid complaint and that these help files are based off of one of Apple's own templates! Still, I begrudgingly acquiesced and updated the main help page. Fortunately, my past experience as a web developer came in handy as I made some small updates to the page so it would flow better with smaller display ports. It was a ridiculous reason to reject the app, in my opinion, but I continued to play ball with Apple and made the necessary changes before submitting another build.

App Review: Round 3 - Potentially Harmful

Guideline 2.4.2 - Performance - Hardware Compatibility

Your app contains features, which when used, may cause damage to the user's device.

Specifically, your app overwrites data numerous times in order to "securely erase" it.

You know that scene where Clark Griswald goes on a swearing rant and eventually asks where the Tylenol is? I was definitely feeling those vibes by this point. Now the app was getting rejected for its primary purpose to securely erase files! I carefully explained to the reviewer that the app does not overwrite data numerous times on newer SSDs (which is effectively pointless), and that functionality is reserved for mechanical hard drives. I pointed out that this safeguard has been in Permanent Eraser for the past eight year since version 2.6.0. The following is even stated in the help files:

Per Permanent Eraser's help files: "Files which reside on a Solid State Drives (SSD) will only be overwritten once, due to the wear leveling technique used by SSDs when writing to the drive."

Despite my appeal, Apple continued to reject the app. However, a subsequent response did at least reveal a little bit more information.

Guideline 2.4.2 - Performance - Hardware Compatibility

Your app contains features, which when used, may cause damage to the user’s device.

Specifically, your app securely erase files from system.

Additional Notes:
There was a Policy change regarding file erasing apps since your last update.

Considering that any other file erasing app listed on the Mac App Store hadn't been updated in at least a year, I wouldn't be surprised if this was a new policy that was instituted, but never clearly defined or announced. This hinted that Apple had "altered the deal" once again, but without explicitly dictating what and why they were rejecting apps like Permanent Eraser.

Even after I explicitly described (and showed the documentation) that PE does not perform multiple overwrites of files which are on SSDs, they continued to reject my submission. I can understand why Apple no longer supports secure file erasing and removed it from macOS several years ago, their deafness to developers has been incredibly frustrating and infuriating.

While the Mac App Store version has never been my main focus, it has been frustrating to see that Apple has continued making the Mac more and more restrictive and frustrating to develop for. By this point, I was resigned that Permanent Eraser 2.8.1 was not going to make it into the Mac App Store.

App Review: Final Round - Threatened App Removal

A day after the last rejection, I got this "Policy Notification" from Apple:

From Apple
2.4.2 - Efficient power use

Please review this information carefully as it impacts your app’s availability on the App Store and requires your immediate action.

Hello,

We are writing to let you know about new information regarding your app.

Upon re-evaluation, we found that your app is not in compliance with the App Store Review Guidelines. Specifically, we found your app is in violation of the following:

Guideline 2.4.2 - Performance - Hardware Compatibility

Your app contains features, which when used, may cause damage to the user's device.

Specifically, your app overwrites data numerous times in order to “securely erase” it.

Next Steps

To resolve this issue, please revise your app to remove any feature that may result in damaging the user's device. Apps should not rapidly drain the device battery, generate excessive heat, or put unnecessary strain on device resources – this includes cryptocurrency mining in the background or in third-party advertisements.

To ensure there is no interruption of the availability of your app on the App Store, please submit an update within two weeks of the date of this message. If we do not receive an update compliant with the App Store Review Guidelines within two weeks, your app will be removed from sale. Please note, if your app is found to be out of compliance for any reason and rejected after the time period provided has elapsed, your app will be removed from sale until a compliant update is submitted, approved and released to the App Store.

In order to return your app to the App Store, you will need to submit an updated version for review which addresses these issues.

If you have any questions about this information, please reply to this message to let us know.

Best regards,

App Store Review

Ever had those moments when someone spits in your face, and then later follows up with a kick to the teeth? I'd probably be more insulted by this backhand from Apple if I hadn't already accepted that an update to Permanent Eraser in the Mac App Store was a lost cause by this point.

Right now, I am far from the only one right now having a dispute with Apple and their app store policies. Fortunately, Permanent Eraser has a better alternative as an independent app which does not need to be as restrained by the Mac App Store guidelines. If Permanent Eraser had been an iOS app undergoing such scrutiny, the only options would be change or die.

If Apple makes good their promise/threat, I expect that Permanent Eraser will be removed from the Mac App Store soon. What I will find more interesting will be if Apple will update their guidelines to explicitly forbid file erasing utilities and if they will also remove other similar apps (a quick search for "file shredder" comes up with 13 different apps on the Mac App Store).

Will Permanent Eraser ever return to the Mac App Store? I have some grand plans for what I'd like to include in Version 3, but depending on how much more Apple continues locking down the Mac, it could severely limit the effectiveness of Permanent Eraser, especially if its capabilities continue to be limited under the Mac App Store restrictions. When Permanent Eraser 3 is released, I'll then evaluate whether it might be a candidate for the Mac App Store, or if it is best left roaming outside of that walled garden.

Even if Permanent Eraser's involvement with the Mac App Store comes to an abrupt end, its progress will continue. Permanent Eraser 2.9.0 is intended as a fast(ish) follow up which will address an animation issue on macOS Mojave and Catalina, and will also take a look at macOS 10.16 which is expected to be announced in several days at WWDC 2020.

References