Content rights — images, fonts, music, and trademarks are licensed
Why it matters
Using unlicensed content — a commercially-licensed font TTF file distributed without a mobile app license, a stock photo with a watermark removed, background music without a synchronization license — violates copyright law (17 U.S.C. §501) and undermines supply chain integrity (CWE-1357). App stores reject apps containing clearly infringing assets when detected during review, and rights holders can file DMCA takedowns post-publication that force removal within 24 hours. Desktop licenses for commercial fonts typically exclude app distribution explicitly; Proxima Nova, Gotham, and Helvetica Neue each require separate mobile licensing agreements costing hundreds to thousands of dollars annually.
Severity rationale
High because unlicensed assets expose the developer to copyright infringement claims, DMCA takedowns, and forced app removal — each of which disrupts active users.
Remediation
Audit every asset in assets/, src/assets/, and lib/assets/ before submission, and create a THIRD_PARTY_LICENSES.md at the repo root documenting each third-party asset. Start by enumerating candidate files:
# Find all font files in the project (group the -o alternatives so one -print covers both)
find . \( -name '*.ttf' -o -name '*.otf' \) -print | sort
# Find all audio files
find . \( -name '*.mp3' -o -name '*.wav' -o -name '*.m4a' \) -print | sort
Replace commercial fonts with open-licensed equivalents: Google Fonts packages (@expo-google-fonts/*) use the Open Font License and are safe for app distribution. Replace stock photos with CC0-licensed images from Unsplash or Pexels (verify each image's specific license for commercial use). For icon libraries, use FontAwesome Free (SIL OFL + MIT) or Material Icons (Apache 2.0) rather than Pro icon sets without documented licenses.
Detection
- ID: content-rights
- Severity: high
- What to look for: Scan the asset directories (assets/, src/assets/, images/, fonts/, audio/, lib/assets/) for content that may require licensing. Check:
  - (a) Fonts: Look in assets/fonts/ for .ttf or .otf files. Cross-reference font filenames against known commercial fonts (e.g., Proxima Nova, Gotham, Futura, Helvetica Neue as a custom TTF file rather than a system font) — commercial fonts require purchase of a mobile/app distribution license, not just a desktop license. Expo Google Fonts (@expo-google-fonts/*) are licensed under the Open Font License and are safe to distribute. For react-native-vector-icons, check the specific icon set license (FontAwesome Free vs. Pro).
  - (b) Images and illustrations: Look for stock photo filenames (common patterns: shutterstock_, getty_, 123rf_, depositphotos_, numbered filenames like 1234567890.jpg that resemble stock library IDs). Check whether LICENSES.md or THIRD_PARTY_LICENSES.md documents image sources.
  - (c) Audio/Music: Look for .mp3, .wav, .aac, .m4a files in assets/. Music requires synchronization licensing for app distribution.
  - (d) Trademarks in assets: Look for well-known logos, brand marks, or character artwork in the assets directory — using trademarked imagery without permission is a rejection cause.
  - (e) Check package.json dependencies for icon library packages and verify their license terms.
  Count every third-party asset (fonts, images, audio, icons) in the project and enumerate each with its license type. Classify each as properly licensed or needs review.
- Pass criteria: A LICENSES.md or equivalent documents all third-party assets; or all detected assets are from clearly open/free sources (Google Fonts, SIL OFL licensed fonts, CC0/public domain images); or no third-party media assets are detected in the repository. At least 1 implementation must be confirmed.
- Fail criteria: Commercial font TTF files present without any license documentation; stock photo filenames detected in the assets directory; audio files present with no license documentation; trademarked logos or character artwork present as app assets.
- Skip (N/A) when: The repository contains no media assets (no fonts, images, or audio files beyond framework defaults) — this is common for apps that load all assets from remote URLs.
- Cross-reference: The icon-compliant check in Listing Content verifies the icon does not infringe on third-party trademarks, complementing this broader rights check.
- Detail on fail: "assets/fonts/ProximaNova-Regular.ttf appears to be a commercial font with no license documentation in the repository" or "assets/images/shutterstock_1234567890.jpg filename pattern suggests an unlicensed stock photo".
- Remediation: Using unlicensed assets is a copyright violation that can result in rejection and legal action.
  - Create a LICENSES.md file documenting every third-party font, image, and audio asset with its source and license
  - Replace commercial fonts with equivalent open-source fonts (Google Fonts, Adobe Fonts with appropriate license, or system fonts)
  - Replace stock photos with CC0-licensed images (Unsplash, Pexels — verify the specific license for commercial app use)
  - For icon libraries, use FontAwesome Free (SIL OFL + MIT) or Material Icons (Apache 2.0) rather than paid icon sets without license documentation
  - When using any brand's trademark in a third-party integration context, follow their trademark usage guidelines
  Document all third-party asset licenses in src/assets/LICENSES.md or a root THIRD_PARTY_LICENSES.md. Reference font licenses from src/assets/fonts/.
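The detection rules above, applied as an added example (not code from the check page or any project): repo-relative asset paths are classified using the commercial font names and stock filename patterns named in the check, each file is treated as documented only if its filename appears in the LICENSES.md text, and the pass/fail/skip criteria are applied. The sample tree and license text are constructed for illustration.

```python
# Added example, not part of the check page: apply the content-rights detection rules.
import re
from pathlib import PurePosixPath

ASSET_DIRS = ("assets", "src/assets", "images", "fonts", "audio", "lib/assets")
FONT_EXT, IMAGE_EXT = {".ttf", ".otf"}, {".jpg", ".jpeg", ".png", ".webp"}
AUDIO_EXT = {".mp3", ".wav", ".aac", ".m4a"}
# Commercial fonts named in the check, matched on lower-case stems with separators removed.
COMMERCIAL_FONTS = ("proximanova", "gotham", "futura", "helveticaneue")
# Stock-library filename patterns from the check: vendor prefix or a long bare numeric ID.
STOCK_RE = re.compile(r"^(shutterstock_|getty_|123rf_|depositphotos_)|^\d{8,}$", re.I)

def classify_asset(path):
    """Return (kind, suspicious) for a media asset under an asset dir, else None."""
    if not any(path.startswith(d + "/") for d in ASSET_DIRS):
        return None
    p = PurePosixPath(path)
    ext, stem = p.suffix.lower(), p.stem.lower()
    if ext in FONT_EXT:
        compact = re.sub(r"[^a-z]", "", stem)
        return "font", any(compact.startswith(f) for f in COMMERCIAL_FONTS)
    if ext in IMAGE_EXT:
        return "image", bool(STOCK_RE.search(stem))
    if ext in AUDIO_EXT:
        return "audio", True  # music always needs a sync license, so undocumented audio fails
    return None

def audit_assets(paths, license_doc=""):
    """Return (verdict, {path: status}); a file is documented if its name appears in license_doc."""
    doc = license_doc.lower()
    statuses = {}
    for path in paths:
        found = classify_asset(path)
        if found is None:
            continue
        if PurePosixPath(path).name.lower() in doc:
            statuses[path] = "licensed"
        else:
            statuses[path] = "fail" if found[1] else "needs-review"
    if not statuses:
        return "skip", statuses  # N/A: no media assets beyond framework defaults
    if "fail" in statuses.values():
        return "fail", statuses
    verdict = "pass" if all(s == "licensed" for s in statuses.values()) else "needs-review"
    return verdict, statuses

# Constructed sample tree and LICENSES.md text; not taken from any real project.
SAMPLE_PATHS = ["assets/fonts/ProximaNova-Regular.ttf", "assets/fonts/Inter-Regular.ttf",
                "assets/images/shutterstock_1234567890.jpg", "assets/images/onboarding.png",
                "assets/audio/intro_loop.mp3", "src/App.tsx"]
SAMPLE_LICENSES_MD = "## Inter-Regular.ttf\nSource: Google Fonts (SIL OFL 1.1)\n"
```

Running `audit_assets(SAMPLE_PATHS, SAMPLE_LICENSES_MD)` yields a "fail" verdict because the Proxima Nova font, the shutterstock_ image and the undocumented MP3 each hit a fail criterion, while onboarding.png is left as needs-review for a human to trace its source.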
External references
- cwe · CWE-1357 — Reliance on Insufficiently Trustworthy Component
- spdx · spdx-license-list — SPDX License List — reference for open-source asset license classification
Taxons
History
- 2026-04-18 · v1.0.0 · Initial import from app-store-metadata-listing · automated