App Store

Setting up and managing the Tomoda iOS app through App Store Connect (ASC). EAS handles binary uploads (see Native Release); this page covers everything else ASC requires — Apple Developer account, app record, signing, TestFlight, App Privacy, App Review, post-launch operations.

If you're shipping a code change, you don't need to touch this page — eas submit --platform ios does the upload. Read this page when you're setting up the app for the first time, managing TestFlight groups, updating App Store metadata, or navigating App Review.

1. Apple Developer Program

Mandatory for distributing any iOS app.

• Cost: US$99/year.
• Sign-up: https://developer.apple.com/programs/enroll/.
• Account type: Choose Organization (requires a D-U-N-S number — Apple provides a lookup tool during signup). Personal accounts can't publish under a company name.
• Identity verification:
  • D-U-N-S number for the legal entity (free; takes ~1 week if your company isn't already listed)
  • Legal-entity contact information matching the D-U-N-S record
  • Apple typically reviews enrollment within 24–48h once D-U-N-S clears
• Renewal: annual. Don't let it lapse — the app is removed from the store within days of expiration.

The signed-up Apple ID becomes the Account Holder. Add team members as you onboard engineers/designers (Account Holder → Users and Access → Add user).

2. App Store Connect — create the app record

Once enrolled in the Developer Program:

• ASC → My Apps → New App
• Platforms: iOS
• Name: Tomoda
• Primary language: English (U.S.)
• Bundle ID: com.tomoda.app (must exist in Certificates, Identifiers & Profiles first — Xcode/EAS sets this up the first time you build)
• SKU: internal identifier, never shown to users (tomoda-ios works)
• User access: Full Access by default

This creates the app record and a numeric ASC App ID. For Tomoda this is 6765908734 — already set in frontend/eas.json under submit.production.ios.ascAppId.

3. Signing & certificates

Apple's signing infrastructure is the complex part of iOS distribution. EAS Credentials manages it for us.

What EAS manages

• iOS Distribution Certificate — proves builds come from Tomoda's Apple Developer team
• App Store Provisioning Profile — pairs the certificate to the bundle ID for App Store distribution
• Push notification certificates — when push is added (not yet implemented; see backend → notifications)

First time you run eas build --profile production --platform ios, EAS walks through credential generation. It needs your Apple ID + the team's app-specific password (or, better, an App Store Connect API key — recommended).

Setting up ASC API key (recommended)

Avoids the password prompt on every CI run and isolates EAS access from your full Apple ID.

1. ASC → Users and Access → Keys → +
2. Name: "EAS Build" (or similar)
3. Access: App Manager (gives EAS what it needs without admin rights)
4. Download the .p8 file (one-time download — Apple does not let you re-download).
5. Note the Key ID and Issuer ID shown after creation.
6. Configure EAS: eas credentials -p ios → App Store Connect API key. Paste in Key ID, Issuer ID, upload the .p8.

EAS stores all of this encrypted in their backend. To back up:

eas credentials -p ios
# Choose production profile → Download

Store both the certificate .p12 and the API key .p8 in your team password manager.

Push notification certs revoke distribution certs

Apple's UI buries this — generating a new distribution certificate without revoking the old one is fine, but revoking a distribution certificate immediately invalidates every provisioning profile signed with it, which means any app shipped with that profile breaks on next launch. Read carefully before revoking anything in Certificates, Identifiers & Profiles.

4. App Store listing

Required before any public release. Required for TestFlight external testing too (internal is exempt).

Required text

Field	Limit	Notes
Name	30 chars	"Tomoda"
Subtitle	30 chars	One-line elevator pitch — e.g. "Find friends through shared moments"
Promotional text	170 chars	Above-the-fold blurb (can be updated without re-review)
Description	4000 chars	Marketing copy. Markdown not supported — plain text with line breaks.
Keywords	100 chars total (comma-separated)	Affects search ranking. Don't repeat words from the title — wasted space.
Support URL	URL	Public help page (https://tomoda.life/support or similar)
Marketing URL	URL (optional)	Product landing page
Privacy Policy URL	URL — required	Must be live and resolve to a real privacy policy

Required graphics

Asset	Spec	Notes
App icon	1024×1024 PNG, no transparency, no rounded corners	Apple rounds it. Don't pre-round.
6.7" iPhone screenshots	1290×2796 (portrait)	3–10 images required
6.5" iPhone screenshots	1242×2688 or 1284×2778	3–10 required if you support iPhone X-class displays
(Optional) 5.5" iPhone, iPad	older devices	Skip unless you specifically support them
(Optional) App Preview videos	15–30s, .mov/.m4v	High-effort, big lift in conversion

Apple no longer enforces uploading every device-size variant — you can scale a single screenshot set up to all devices in ASC. But the 6.7" set is mandatory.

Category and age rating

• Primary category: Social Networking
• Secondary category: Lifestyle (optional; helps surface in browse)
• Age rating: complete the questionnaire under App Information → Age Rating. Tomoda will land at 17+ because of:
  • Unrestricted web access (link previews, embedded content)
  • User-generated content
  • Frequent/intense mature/suggestive themes (selectable based on actual content policy)

5. App Privacy

Under App Privacy (a separate ASC section, mandatory). Walk through the questionnaire — Apple's labels appear on the App Store listing and are scrutinized.

Tomoda's accurate answers based on current product:

Data type	Collected?	Linked to user?	Tracking?
Contact info (name, email, phone)	Yes	Yes	No
User content (messages, photos, posts)	Yes	Yes	No
Location (precise)	Yes	Yes	No
Identifiers (user ID, device ID)	Yes	Yes	No
Usage data (product interactions)	Yes	Yes	No
Diagnostics (crashes, performance)	Yes	No (anonymized)	No
Financial info	Yes (via Stripe — they hold the card data, not us)	No	No

"Tracking" in Apple's sense means tracking the user across other apps/websites for advertising. Tomoda doesn't do this — answer No for everything.

Keep this in sync with the privacy policy. When you add a new data type, update both.

6. TestFlight

Apple's beta distribution channel. Two flavors:

Type	Audience	Approval needed
Internal testing	Up to 100 testers with Apple ID + ASC role	No review — instant availability
External testing	Up to 10,000 testers	First build per version requires beta review (typically 24h)

Internal testers must be added as users in ASC → Users and Access first. They install TestFlight from the App Store, sign in with the same Apple ID, and the build appears.

External testers can be invited by email or by a public link. They don't need an ASC account. Each cohort can be configured separately (e.g. "Designers", "Friends and family", "Public Beta").

Set up your first internal group before the first EAS submission so the build has somewhere to land.

7. App Review

Apple reviews every release before it goes to the App Store. Plan for:

• Time: typically 24–48h. First submission can take longer; complex reviews (financial flows, health data, kids' apps) longer still.
• Common rejection reasons:
  • Guideline 4.0 — Design: copying iOS UI patterns inconsistently (e.g. custom share sheet that looks like the system one but behaves differently)
  • Guideline 5.1.1 — Data Collection and Storage: privacy disclosure mismatch with what the app actually does
  • Guideline 1.1.6 — False Information: claims in the description that don't match the app's behavior
  • Sign in with Apple required: if you offer third-party login (Google, etc.), you must also offer Sign in with Apple, prominently
  • Crashes during review: if review can't get past a sign-up flow, the app gets rejected — keep the demo account credentials populated in App Review Information
• Demo account: required in App Review Information for any app behind a login. Use a test account dedicated to App Review — not a real user account.

Speeding up review

• Submit during weekdays, US morning Pacific time.
• Request expedited review only for security fixes or actual production incidents. Apple grants ~1–2/year per developer; spend them carefully.
• Pre-empt rejections by reading the most recent guidelines update before submitting.

8. Submit via EAS

cd frontend
eas submit --profile production --platform ios

EAS picks up the most recent EAS-built .ipa, uploads to ASC, which makes it available in TestFlight. From there:

1. ASC → TestFlight → add the build to your internal group → install via TestFlight app on device.
2. Once happy, ASC → App Store → 1.0 Prepare for Submission → select the build → fill remaining metadata → Submit for Review.

The build moves from TestFlight to a "Waiting for Review" state. Approved builds release on the next manual "Release this version" tap (or scheduled date).

9. Post-release operations

• Crash reports: ASC → Analytics → Crashes shows crashes for users who opted in (~70% of users). Symbolicated automatically when dSYMs are uploaded — EAS uploads them by default.
• App Store ratings & reviews: respond promptly. Apple's "developer response" feature is public.
• Phased release: new releases roll out over 7 days by default. Toggle in ASC if you want immediate full release (small fixes) or want to halt rollout (regression detected).
• App removal: if you ever need to pull the app, ASC → "Remove from Sale" instantly hides from the store. Existing installs are unaffected.

10. Useful references

• App Store Connect Help
• App Store Review Guidelines
• Apple Developer Program
• EAS submit docs (iOS)

See also

• Native Release — the EAS Build/Submit cross-platform workflow
• Play Store — parallel page for Google Play Console
• Local development — Xcode + Simulator basics