To supplement our article about Why you should list your app on the QuickBooks App Store, we want to provide you with tips for succeeding during the technical, security, and marketing review process required to list your application.
Navigating the Intuit app publishing and review process can be daunting. But with the right preparation, you can increase your chances of obtaining a swift approval for listing on the QuickBooks App Store. From making sure your app meets Intuit technical and security standards, to creating a compelling app card for your listing, this article outlines the pitfalls to avoid from the Intuit teams who review your app. We want to help your app get the Intuit stamp of approval it deserves!
Pitfalls to avoid during the Intuit app review process
We’ve made a list of the most common problems that slow down the technical, security, and marketing review process for apps, and have included some tips and links to relevant documentation pages.
Technical review
The technical review process will validate your application against 14 technical requirements. If an app is already published on the QuickBooks App Store and intends to become “accountant ready” we will also perform an accountant review. These same 14 technical requirements will be reviewed annually for applications that are already listed on the QuickBooks App Store.
The technical review team will schedule a call with developers who submit an app for a first-time listing. During the call, the following will be covered:
- An overview of the review process and all of the technical requirements.
- A detailed walkthrough of the application workflow by the developer. This walkthrough should focus on how to create data within the app, as well as how to sync it with QuickBooks Online and vice versa.
Here are the most common problems found during the technical review process:
- Using outdated or unapproved QuickBooks images.
- Make sure you are using the latest QuickBooks logos.
- Make sure you are using the correct “Connect to QuickBooks” image.
- If you use “Sign in with Intuit”, make sure you are using the correct images.
- Misspellings.
- Make sure you spell QuickBooks correctly and do not abbreviate it to QB or QBO. QuickBooks is a trademark product name, and it should always be referenced correctly as “QuickBooks” or “QuickBooks Online”.
- Be sure to review our naming and logo guidelines for this here.
- Complete information isn’t provided to your users about disconnections.
- Disconnecting from the QuickBooks App Store can happen when a user terminates the QuickBooks OAuth connection within your application, or when a user terminates the QuickBooks OAuth connection from the QuickBooks App Store (see Section 2.3 of our technical requirements for more information). The user should be taken to a static page only when they disconnect from the app store. If the user disconnects within your app, they should remain in the app and the “Connect to QuickBooks” button should be visible.
- If you are using Intuit Single Sign On, see Technical requirements Section 4.4 for more details.
- If you are not using Intuit Single Sign On, see Technical requirements Section 5.3 for more details.
- Disconnecting from the QuickBooks App Store can happen when a user terminates the QuickBooks OAuth connection within your application, or when a user terminates the QuickBooks OAuth connection from the QuickBooks App Store (see Section 2.3 of our technical requirements for more information). The user should be taken to a static page only when they disconnect from the app store. If the user disconnects within your app, they should remain in the app and the “Connect to QuickBooks” button should be visible.
- “Sign in with Intuit” is not rejecting new users with an unverified email address.
- Before triggering the OAuth flow for sign in, your app must check the emailVerified field in the OpenID user profile response. You should only grant user access to the app if emailVerified is true.
- Your app shouldn’t be connected to the QuickBooks App Store if your email account is unverified. See Step 6 in our documentation page Add OpenID Connect to OAuth 2.0 about getting user profile info.
- Display an error message to the customer that includes a link to sign in to their Intuit Account so they can verify their address on the “Sign in & security” page.
- “Get app now” isn’t going to the appropriate URL for apps that are enabled for Intuit Single Sign On.
- When the “Get app now” button is selected, the OAuth flow must be triggered. At this point the user should be redirected to the signup page, or your app should automatically provision users so they’ll be redirected to your application dashboard.
- “Connect to QuickBooks” isn’t changing to a disconnect button after a successful connection is established.
- Selecting “Connect to QuickBooks” should trigger the OAuth flow and establish the connection between QuickBooks and your app.
- After connecting, your app should be visible under the “My Apps” section of QuickBooks App Store.
- A “Disconnect” button or link to disconnect the connection between your app and QuickBooks should be displayed to the user inside your app. This should be located in the same place users “Connect to QuickBooks” within your application.
- For apps that don’t use Intuit Single Sign On, “Learn more” doesn’t lead to a page that explains how the app integrates with QuickBooks.
- The “Learn more” button should take users to a webpage with details about your app that include:
- A clear overview of what your app does and its key features.
- Step-by-step instructions on how to use the app effectively.
- Details on how the app seamlessly integrates with QuickBooks Online
- The “Learn more” button should take users to a webpage with details about your app that include:
Security review
Once the technical review has been completed, a security review will be initiated. During the security review, the team will look at a number of potential vulnerabilities listed here. Depending on the setup of each app, the review team may consider other vulnerabilities.
Following the initial security review, developers must remediate any critical, high, or medium priority issues included in the written security report from Intuit before their app can be listed on the QuickBooks App Store.
All apps listed on the QuickBooks App Store (and any app with over 500 connections) will be reviewed by Intuit on an annual basis, or more frequently at Intuit’s discretion, to ensure they continue to meet our security standards.
Here are some of the most common snags found during the security review process:
- There is a Stored Cross-Site Scripting (XSS) vulnerability.
- A Stored (XSS) vulnerability occurs when a web application stores a string provided by an attacker and later sends this data to a victim’s browser in such a way that the browser executes part of the string as code.
- Your app has a weak password policy.
- Your app doesn’t enforce a strong password policy to prevent malicious users from performing a brute-force attack on account passwords or manually guessing them.
- Our Password policy for Intuit Developer Services can be found here.
- Improper restriction of excessive authentication attempts.
- Your app hasn’t implemented checks to limit the number or speed of authentication attempts for a given user, allowing attackers to guess valid credentials through manual or automated brute force guessing.
- Your app is vulnerable to clickjacking.
- Your app can be vulnerable to clickjacking when it allows its content to be loaded inside a frame of an attacker-controlled webpage. Clickjacking targets state-changing operations an authenticated user can do on a web page by making the user unknowingly click on action elements within the vulnerable application while visiting another overlaid website.
- Your app has a weak SSL/TLS configuration.
- The server-side SSL/TLS endpoint is configured to allow weak SSL/TLS cipher suites. These cipher suites have proven cryptographic flaws that can allow an attacker to decrypt or modify traffic.
- The servers should be using the latest version of TLS. This is currently TLS 1.2 or higher. Use of TLS 1.3 is recommended for enhanced security.
- Be sure to review the App server configuration section of our security requirements to make sure you’ve covered everything.
- There are best-practice violations in file upload functionality
- Your app doesn’t prevent users from uploading malicious executable files or uploading archives containing malicious executable files. The app then makes these uploads accessible to other users who visit a URL that appears to be from a trusted source.
- Users are more likely to click on a link and download a file if it appears to be from a trusted source. This trust that users have for the affected web application can be used in phishing campaigns.
- There is sensitive data in the Query String Parameter
- Sensitive information is sent to the server via URL query string parameters. An attacker who gains access to any location where URLs are stored will be able to view sensitive information passed via the query string.
Marketing review
The final portion of the app review process to list your app in the QuickBooks App Store focuses on marketing. Our marketing review team looks at the content and links for each app card submitted. Since the content can be different for each country, the marketing review will look at each app card individually.
When you fill out your app card, we suggest you use the “Preview app card” button to make sure everything is right before you send it for review.
Here are the most common issues found during the marketing review process:
- Misspellings.
- Make sure you spell QuickBooks correctly and don’t abbreviate it to QB or QBO. QuickBooks is a trademark product name, and it should always be referenced correctly as “QuickBooks” or “QuickBooks Online”.
- Make sure you check your images or videos for misspellings as well.
- Be sure to review our naming and logo guidelines for this here.
- Using outdated or unapproved QuickBooks images.
- Make sure you’re using the latest QuickBooks logos.
- Your video and screenshots are blurry.
- Use the “Preview app card” option to make sure your video renders properly and screenshot images are at a high enough resolution to appear clearly on screens of varying sizes.
- A URL found under the App information section returns an error or isn’t relevant.
- Test all your URLs to make sure they’re working correctly and lead to relevant information.
- A URL under the App information section leads to a page requiring credentials.
- Make sure you provide publicly available URLs, including those for your company’s terms and conditions and privacy policy.
- There are references to companies in a similar market to the QuickBooks App Store in your video or screenshots.
- No currency type is shown for one or more items in the pricing section.
By understanding what to expect during the app review process and steering clear of these common pitfalls, you can help streamline the review process and boost your chances of a quick and positive approval to list your app in the QuickBooks App Store. Keep in mind that we’re looking for apps that meet our standards and also offer clear value to QuickBooks customers. With a bit of prep and a focus on quality, your app can get the Intuit stamp of approval so it can reach more people and help your business grow.