Developers have reported that applications built with Electron (a framework that lets companies ship web apps in a native app wrapper) are being rejected by the automated Mac App Store review process.
The affected applications are being flagged for their use of private API calls. These calls are not in the application code itself; they are part of the underlying Electron framework.
The detected private API symbols include:
“CAContext CALayerHost NSAccessibilityRemoteUIElement NSNextStepFrame NSThemeFrame NSURLFileTypeMappings”
The Electron framework has used these APIs for years. In the meantime, Apple has upgraded its server-side app review processes to detect more violations of its App Review guidelines, so the private API usage is now being identified.
Because this problem can only be fixed by changing the Electron code itself, individual Electron app makers feel rather helpless. Electron is not doing anything malicious, but App Review is an absolutely strict process and rejects the apps regardless.
In fact, it is relatively straightforward for Electron to remove the API references and use alternative approaches, but this work hasn’t been done yet, which means that people depending on Electron are currently in a bind.
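A pre-submission check for the symbol names listed above, as an added example that is not Electron's code or Apple's review tooling: it walks an app bundle, picks out Mach-O binaries by their magic bytes and reports which of the six names each one contains. The sample bundle is constructed, and matching names at byte level is an assumption, since the page does not say how App Review detects the references.

```python
import os
import re
import tempfile

# Symbol names quoted in the rejection notice above.
PRIVATE_SYMBOLS = ["CAContext", "CALayerHost", "NSAccessibilityRemoteUIElement",
                   "NSNextStepFrame", "NSThemeFrame", "NSURLFileTypeMappings"]

# First four bytes of a Mach-O file as stored on disk: 32-bit, 64-bit, universal.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe", b"\xfe\xed\xfa\xcf",
                b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca"}

# A leading "_" is allowed so "_OBJC_CLASS_$_CALayerHost" matches; a longer
# identifier such as "NSThemeFrameView" does not.
PATTERN = re.compile(rb"(?<![A-Za-z0-9])(" +
                     b"|".join(s.encode() for s in PRIVATE_SYMBOLS) +
                     rb")(?![A-Za-z0-9_])")

def find_private_symbols(data):
    """Return the sorted set of listed names present in a binary's bytes."""
    return sorted({m.group(1).decode() for m in PATTERN.finditer(data)})

def scan_bundle(root):
    """Map each Mach-O file under root (path relative to root) to its hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # framework bundles symlink into Versions/; scan once
            with open(path, "rb") as fh:
                if fh.read(4) not in MACHO_MAGICS:
                    continue  # plists, scripts, resources
                hits = find_private_symbols(fh.read())
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report

def build_sample_bundle(root):
    """Constructed stand-in for an app bundle; not a real Electron build."""
    fw = os.path.join(root, "Contents", "Frameworks")
    os.makedirs(fw)
    with open(os.path.join(fw, "Electron Framework"), "wb") as fh:
        fh.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 28 + b"_OBJC_CLASS_$_CALayerHost\x00"
                 b"_OBJC_CLASS_$_NSThemeFrameView\x00NSNextStepFrame\x00")
    with open(os.path.join(root, "Contents", "notes.txt"), "wb") as fh:
        fh.write(b"CAContext mentioned in a text file\n")  # not Mach-O, ignored

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_bundle(tmp)
        for path, names in scan_bundle(tmp).items():
            print(path, "->", ", ".join(names))
```

Pointing `scan_bundle` at a real `.app` directory shows which bundled binary carries the references, which helps confirm that they come from the framework rather than from the app's own code.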
Some people have been interpreting the app rejections as a crackdown against Electron in the wake of the introduction of Apple’s Catalyst framework that helps developers port native iPad apps to the Mac. However, this theory doesn’t make sense as Apple doesn’t really have an incentive, financial or otherwise, to make developers use Catalyst.
If Mac developers do not want to submit their apps to the App Store, they can publish them independently. However, as of macOS Catalina, applications must be notarized using a registered developer account so that they satisfy the Gatekeeper security model and run on customers’ computers.
Notarization creates a digital signature of the application so that it cannot be tampered with and can be identified by the system later. Because it is not a mini app review process, it doesn’t check for private API usage.