Developers have all received Apple's 2017 notice of the updated developer review agreement.
On March 8, 2017 (note: Women's Day), large numbers of developers received rejection or warning emails with the following content:
Dear Developer,
Your app, extension, and/or linked framework appears to contain code
designed explicitly with the capability to change your app’s behavior
or functionality after App Review approval, which is not in
compliance with section 3.3.2 of the Apple Developer Program License
Agreement and App Store Review Guideline 2.5.2. This code, combined
with a remote resource, can facilitate significant changes to your
app’s behavior compared to when it was initially reviewed for the App
Store. While you may not be using this functionality currently, it
has the potential to load private frameworks, private methods, and
enable future feature changes.
This includes any code which passes arbitrary parameters to dynamic
methods such as dlopen(), dlsym(), respondsToSelector:,
performSelector:, method_exchangeImplementations(), and running
remote scripts in order to change app behavior or call SPI, based on
the contents of the downloaded script. Even if the remote resource is
not intentionally malicious, it could easily be hijacked via a Man In
The Middle (MiTM) attack, which can pose a serious security
vulnerability to users of your app.
Please perform an in-depth review of your app and remove any code,
frameworks, or SDKs that fall in line with the functionality
described above before submitting the next update for your app for
review.
Best regards,
App Store Review
Apple's review agreement contains the following section:
Apple Developer Program License Agreement
3.3.2 An Application may not download or install executable code. Interpreted code may only be
used in an Application if all scripts, code and interpreters are packaged in the Application and not
downloaded. The only exception to the foregoing is scripts and code downloaded and run by Apple’s builtin WebKit framework, provided that such scripts and code do not change the primary purpose of the Application by providing features or functionality that are inconsistent with the intended and advertised purpose of the Application as submitted to the App Store.
App Store Review Guideline
2.5.2 Apps should be self-contained in their bundles, and may not read or write data outside the designated container area, nor may they download, install, or execute code, including other iOS, watchOS, macOS, or tvOS apps.
Right afterwards the JSPatch chat group and GitHub blew up: https://github.com/bang590/JSPatch/issues/746
The react-native situation: https://github.com/facebook/react-native/issues/12778
Weex: https://github.com/alibaba/weex/issues/2875
Why did this erupt now
The sudden eruption is no accident. Apple's review guidelines have always explicitly prohibited downloading executable code. Although libraries such as JSPatch cleverly implement this through JavaScriptCore, it was never a long-term solution: many developers, without thinking about it, used it to push down calls to private methods and similar behaviour, which Apple was bound to discover sooner or later. It also poses a serious threat to Apple, which cares a great deal about security.
Beyond that, anything that touches the network carries security risk.
Another interesting fact: VS2017 was released yesterday, advertising a built-in iOS simulator for developing React Native directly:
Summary of the affected libraries
rollout, react native, weex, JSPatch, bugtags, Getui (个推), bugly with hotfix
Why apps that do not use hot updates still received the email
I personally think Apple scanned app binaries for runtime usage in bulk and mass-mailed the results; Apple has no way to detect remote script downloading at scale,
so it cleverly detects the runtime methods that hot updates are likely to use, such as method_exchangeImplementations. That basically covers every app that uses hot updates.
The warning tells apps that "download script code and use runtime methods to apply it" to fix this in their next version; if they do not, they may be removed from the store or have the update rejected.
JSPatch is exactly "downloading script code and using the runtime", but the notice is not aimed at JSPatch alone:
rollout, react native and weex all get this notice too.
bugtags and Getui, which appear to have no hot update at all, actually integrate JSPatch or similar libraries internally, so they trigger the notice as well.
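As an added example (not from the post or from any of the libraries it names), here is a small Python audit you can run over your own app binary before submitting, to see whether any of the names Apple lists are present and whether JSPatch is hiding inside a third-party framework. The severity grouping and the JPEngine/JSPatch marker strings are my own assumptions; the sample bytes are constructed.

```python
import sys
from pathlib import Path
from typing import Dict, List, Union

# Names quoted in Apple's notice, grouped by how often an innocent app uses
# them: respondsToSelector: appears in nearly every Objective-C app, so a hit
# there proves nothing on its own, whereas dlopen/dlsym/method_exchange-
# Implementations usually come from a hot-patching SDK. Grouping is my own.
FLAGGED: Dict[str, List[bytes]] = {
    "high": [b"dlopen", b"dlsym", b"method_exchangeImplementations"],
    "medium": [b"performSelector:"],
    "low": [b"respondsToSelector:"],
    # Assumed class/name markers JSPatch leaves in a binary; these let you spot
    # it when it is bundled inside a third-party SDK (as with bugtags/Getui).
    "sdk": [b"JPEngine", b"JSPatch"],
}

def scan_binary(data: bytes) -> Dict[str, Dict[str, int]]:
    """Count each flagged name in raw Mach-O bytes.

    Symbol names sit NUL-terminated in the string table and selector names in
    __objc_methname, so a substring count approximates `strings app | grep`.
    A hit shows the name is present, not that the call is ever reached."""
    report: Dict[str, Dict[str, int]] = {}
    for level, names in FLAGGED.items():
        hits = {n.decode(): data.count(n) for n in names if n in data}
        if hits:
            report[level] = hits
    return report

def scan_file(path: Union[str, Path]) -> Dict[str, Dict[str, int]]:
    return scan_binary(Path(path).read_bytes())

def verdict(report: Dict[str, Dict[str, int]]) -> str:
    """One-line reading of a report, most serious finding first."""
    if "sdk" in report:
        return "hot-patching SDK present (possibly via a third-party framework)"
    if "high" in report:
        return "dynamic loading/swizzling symbols present: expect the 3.3.2 notice"
    if "medium" in report:
        return "performSelector: present: check it never takes remote input"
    return "only ordinary runtime use found"

# Constructed stand-in for a binary: Mach-O magic plus string-table contents.
SAMPLE = (b"\xcf\xfa\xed\xfe" + b"\x00" * 8
          + b"_dlopen\x00_dlsym\x00_method_exchangeImplementations\x00"
          + b"respondsToSelector:\x00performSelector:withObject:\x00JPEngine\x00")

if __name__ == "__main__":
    found = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_binary(SAMPLE)
    for level, hits in found.items():
        print(level, hits)
    print(verdict(found))
```

Run it as `python audit.py YourApp.app/YourApp` (or against each bundled framework binary) to audit a real build instead of the constructed sample.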