Submit a Client or Mobile App for Security Review
Most of the client app requirements, and some of the web app requirements, apply to mobile apps. Here are typical scenarios:
- The mobile app has a component that resides in the customer’s organization. The component is a managed package and follows the security review process for a packaged app.
- The client app only uses APIs for communicating with Salesforce. In this case, follow the process for an API-only app for security review.
For testing, we ask that you provide us with the app for every platform on which you plan to distribute it. For iOS, we can accept a TestFlight or an ad hoc deployment. For other platforms, we can accept the app as a file (APK, COR, and so on). As with a composite app, if the app makes callouts to anything other than Salesforce, we ask for a web application scanner report. We accept Zed Attack Proxy (ZAP) and Burp reports. If the mobile app has a web component, even if it’s optional, Salesforce requires a web application scanner report.