Apps must meet these requirements before they will be published.
Apps published on the QuickBooks app store must meet these requirements at the time of publication and continuously afterward. Apps not published on the app store must also meet these requirements if they exceed 500 connections. Intuit checks all apps annually to ensure that they still meet the required technical and security standards.
The estimated average time for your app to complete security review is about 7 days. This can vary if issues are found in your app during the review process.
App server configuration
These steps help you verify that your server’s configuration will pass the security review.
During the security test, Intuit will ensure that your app is secure against the following vulnerabilities. Ensure that you test it accordingly and resolve any issues prior to submitting your app for approval.
QuickBooks data usage
These tests verify that your app meets Intuit’s requirements for handling QuickBooks data.
Verify that your app meets these requirements regarding how it handles and stores cookies.
OAuth token management
Verify that your app meets these requirements for OAuth token management.
In addition to the above requirements, refer to these best practices for handling OAuth 2.0 tokens within your app.
Protect sensitive information
Web application endpoints that receive sensitive customer information and/or authentication tokens in URL parameters must not return HTML content in the HTTP response body. This prevents sensitive customer information from being accidentally leaked to third parties in the Referer header of subsequent HTTP requests. Instead, these endpoints should respond with a 302 Found redirect. This is particularly important when application endpoints handle authentication tokens.
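The following sketch shows one way to apply this rule to an OAuth 2.0 redirect endpoint. It is an added example, not Intuit's code: the paths `/oauth/callback`, `/connected` and `/connect-error`, the `sid` cookie, the in-memory `SESSIONS` store and the `request` helper are assumptions made for illustration, and the sample authorization code is constructed.

```python
import secrets
from urllib.parse import parse_qs

SESSIONS = {}  # demo-only in-memory session store: session id -> data

def app(environ, start_response):
    """WSGI app whose callback consumes URL parameters and answers 302, never HTML."""
    path = environ.get("PATH_INFO", "/")
    if path == "/oauth/callback":  # hypothetical redirect URI
        params = parse_qs(environ.get("QUERY_STRING", ""))
        code = params.get("code", [""])[0]
        headers = [("Cache-Control", "no-store"),         # keep the response out of caches
                   ("Referrer-Policy", "no-referrer"),    # defence in depth
                   ("Content-Length", "0")]
        if code:
            sid = secrets.token_urlsafe(32)
            SESSIONS[sid] = {"auth_code": code}           # value stays server-side
            headers.append(("Set-Cookie",
                            f"sid={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"))
            headers.append(("Location", "/connected"))    # clean URL, no parameters
        else:
            headers.append(("Location", "/connect-error"))
        start_response("302 Found", headers)
        return [b""]                                      # empty body: nothing to render
    if path in ("/connected", "/connect-error"):
        # HTML is served only from URLs that carry no sensitive parameters, so any
        # Referer sent by resources on these pages contains nothing secret.
        text = "Connected" if path == "/connected" else "Connection failed"
        body = f"<html><body><p>{text}</p></body></html>".encode()
        start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                                  ("Content-Length", str(len(body)))])
        return [body]
    start_response("404 Not Found", [("Content-Length", "0")])
    return [b""]

def request(path, query=""):
    """Call the app in-process and return (status, headers, body)."""
    captured = {}
    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)
    body = b"".join(app({"PATH_INFO": path, "QUERY_STRING": query}, start_response))
    return captured["status"], captured["headers"], body

if __name__ == "__main__":
    # Constructed sample callback request.
    print(request("/oauth/callback", "code=CONSTRUCTED-CODE-123&state=xyz"))
```
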