Submit a Client or Mobile App for Security Review

Most of the client app requirements, and some of the web app requirements, apply to mobile apps. Here are typical scenarios:
  • The mobile app has a Force.com component that sits on the customer’s organization. The Force.com component is a managed package and follows the security review process for a packaged app.
  • The client app only uses APIs for communicating with Salesforce. In this case, follow the process for an API-only app for security review.

For testing, we ask that you provide us with a build of the app for every platform on which you plan to distribute it. For iOS, we can accept a TestFlight or an ad hoc deployment. For other platforms, we can accept the app as a file (APK, COR, and so on). As with a composite app, if there are callouts to anything other than Salesforce, we ask for a web application scanner report. We accept Zed Attack Proxy (ZAP) and Burp reports. If the mobile app has a web component, even if it’s optional, Salesforce requires a web application scanner report.