Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Apple警告邮件 #746

Closed
kunwang0916 opened this issue Mar 7, 2017 · 620 comments
Closed

Apple警告邮件 #746

kunwang0916 opened this issue Mar 7, 2017 · 620 comments

Comments

@kunwang0916
Copy link

kunwang0916 commented Mar 7, 2017

统一回复:关于苹果警告 http://blog.cnbang.net/internet/3374/

@bang590 的回复


今天收到Apple的警告邮件。
应用中使用了JSPatch一段时间了,之前的版本是没有问题的。
而且这个通知邮件也不是在提交更新版本审核过程中收到,而是苹果主动发出的。

Dear Developer,

Your app, extension, and/or linked framework appears to contain code designed explicitly with the capability to change your app’s behavior or functionality after App Review approval, which is not in compliance with section 3.3.2 of the Apple Developer Program License Agreement and App Store Review Guideline 2.5.2. This code, combined with a remote resource, can facilitate significant changes to your app’s behavior compared to when it was initially reviewed for the App Store. While you may not be using this functionality currently, it has the potential to load private frameworks, private methods, and enable future feature changes.

This includes any code which passes arbitrary parameters to dynamic methods such as dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations(), and running remote scripts in order to change app behavior or call SPI, based on the contents of the downloaded script. Even if the remote resource is not intentionally malicious, it could easily be hijacked via a Man In The Middle (MiTM) attack, which can pose a serious security vulnerability to users of your app.

Please perform an in-depth review of your app and remove any code, frameworks, or SDKs that fall in line with the functionality described above before submitting the next update for your app for review.

Best regards,

App Store Review


no-mark

unsubscribe

@yudun1989
Copy link

yudun1989 commented Mar 7, 2017

同样收到警告邮件。
建议不着急上架的先等一下,等先遣部队先踩一下坑。。。

@wealon
Copy link

wealon commented Mar 8, 2017

我也收到了同样的邮件

@devjiangzhou
Copy link

@bang590 微信读书收到没?

@TT-usr
Copy link

TT-usr commented Mar 8, 2017

同收到了

@SolaWing
Copy link

SolaWing commented Mar 8, 2017

同样收到了...

@totzcc
Copy link

totzcc commented Mar 8, 2017

+1

@wealon
Copy link

wealon commented Mar 8, 2017

昨天发现在appstore 搜索不到了,但是没有下架,今天收到苹果的警告邮件,内容和楼上的一样

@iPermanent
Copy link

并没有收到啊,难道我是假开发者账号?

@Channe
Copy link

Channe commented Mar 8, 2017

我刚刚收到了这样的邮件

@dingyusong
Copy link

早上收到了同样的邮件

@MrLiuYS
Copy link

MrLiuYS commented Mar 8, 2017

没有收到啊,项目中用到的都只是修改一些小bug.
是不是做大幅度改动的.才会收到?

@hujian
Copy link

hujian commented Mar 8, 2017

早上同样收到了这样的邮件

@zhudaye12138
Copy link

占个楼,关注一下

@shaveKevin
Copy link

关注,静待回复

@daemonchen
Copy link

为什么突然又禁止了~~

@poboke
Copy link

poboke commented Mar 8, 2017

关注

@applejian
Copy link

会不会是使用过度了呀 我们一般都一个月一个版本 暂时还没收到这个邮件

@wuyifan
Copy link

wuyifan commented Mar 8, 2017

同样收到邮件,关注

@393698063
Copy link

有解决方法吗?

@applejian
Copy link

大家都用的哪种方式集成的 我用的是外接自己的服务器这种

@rainysweet
Copy link

暂时都只是收到警告,应用还没有下架,你们都下架整改了么?

@ghost
Copy link

ghost commented Mar 8, 2017

me too

@hujian
Copy link

hujian commented Mar 8, 2017

@rainysweet 只是警告,没有下架,暂时还能搜到

@robert1202
Copy link

暂时没有收到,难道苹果要禁止热修复了么?

@KlausLiu
Copy link

KlausLiu commented Mar 8, 2017

我们有4-5款APP都用了,目前没收到邮件,也能搜到。
问个问题:收到邮件的同学,你们的App是仅仅用JSPatch做补丁修复?还是直接用JSPatch做了一些模块功能?

@Toothpick2012
Copy link

淘宝咋办

@MrLiuYS
Copy link

MrLiuYS commented Mar 8, 2017

收到的是用jspatch开发功能? 还是修改bug啊?

@xingxingc
Copy link

我也收到了邮件,在JPEngine.m中确实能够找到邮件中提到的那些方法

@monycn
Copy link

monycn commented Mar 8, 2017

没有收到邮件的,到你们的https://itunesconnect.apple.com/ 看一下,说不定有不一样的收获

@vedon
Copy link

vedon commented Mar 8, 2017

什么方法,截图看看?参考一下

@hirat
Copy link

hirat commented Mar 8, 2017

项目里边用到了个推,正在等他们的临时SDK,好了之后试一下上传会不会被拒

@ningj123
Copy link

ningj123 commented Mar 8, 2017

IOS React-Native ,我们会讨论一些diff差分更新,以及一些创业伙伴们,欢迎交流
yuniergong_1488967522212_82

@greezi
Copy link

greezi commented Mar 8, 2017

等了一天了还没收到警告⚠️,好期待啊~

@juvham
Copy link

juvham commented Mar 8, 2017

拯救了50W将要失业的 iOS开发人员

@AxeMea
Copy link

AxeMea commented Mar 8, 2017

围观,凑个 600 。

@qhd
Copy link

qhd commented Mar 8, 2017

JSPatch、react-native、weex、收到邮件警告的加入QQ群:92362912讨论和分享处理方案
260

@Gshocking
Copy link

围观事态发展

@iHTCboy
Copy link

iHTCboy commented Mar 8, 2017

给苹果提问:(等待回复)
1、我们游戏包括远程下载资源包,这个功能是不允许吗?
2、是否不允许使用JSPatch或Rollout.js、React Native、Weex等框架?
3、“section 3.3.2 of the Apple Developer Program License Agreement and App Store Review Guideline 2.5.2. ” 用了runtime和jscontext是否允许?
4、AFN和SDWedImage等部分包括 such as dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations(),但是没有远程更新,这样能否使用?
5、第三方SDK,比如统计分析、crash收集、以及性能分析等,我们怎么检查他们有没有使用非法的方法?
6、具体我们应该怎么做,我们还有点迷茫,可以告诉我们详细方法吗?

@Cologler
Copy link

Cologler commented Mar 8, 2017

回复“加一”、“+1”、“同样收到”的小伙伴们会不会点楼主左下角的加一符号?
回复“围观”、“mark”或调侃 Apple 的小伙伴们能不能只是点击右边的 Subscribe 按钮然后乖乖闭嘴?
你们理解邮箱收到一堆这种垃圾邮件的感受吗?

我借机 block 了一大波缺德人士。
@sleepywk 可以把这话润色一下挂在贴首了。

@Gshocking
Copy link

Gshocking commented Mar 9, 2017 via email

@sysoft
Copy link

sysoft commented Mar 9, 2017

为什么这个Issue还不关闭,大多数评论都是对问题毫无意义的

@haibinyu
Copy link

haibinyu commented Mar 9, 2017

很多人太无聊了,取关!看看react native下面相关问题的回复,再看看这个,差距太大了。

@xiemotongye
Copy link

今天早上接到了美国苹果电话,点名要求删除JSPatch,看来就是JSPatch的原因

@ghost
Copy link

ghost commented Mar 9, 2017

Please perform an in-depth review of your app and remove any code, frameworks, or SDKs that fall in line with the functionality described above before submitting the next update for your app for review.
就是说不会立即下线了,不过下次更新要处理掉.
神阿!怎么弄?
建了群大家讨论一下
QQ群
进群需要验证,答案:热更新
apple

微信群
apple

@kinghudi
Copy link

kinghudi commented Mar 9, 2017

我也收到了 有人知道如果上线的app 不做更新了 会被强制下线吗

@bang590
Copy link
Owner

bang590 commented Mar 9, 2017

统一回复:关于苹果警告 http://blog.cnbang.net/internet/3374/
此贴关闭

@bang590 bang590 closed this as completed Mar 9, 2017
@lovecn
Copy link

lovecn commented Mar 9, 2017

围观

@yeshibuzhong
Copy link

莫名其妙的收到了邮件+1

@vagase
Copy link

vagase commented Mar 10, 2017

最新进展

我给苹果写信问了具体原因,得到的回复如下:

The code referenced in our initial rejection message includes any code which passes arbitrary parameters to dynamic methods such as dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations(), and running remote scripts in order to change app behavior or call SPI, based on the contents of the downloaded script. The Objective-C methods respondsToSelector: and performSelector: are still supported and allowed. For example, they can be used to check OS compatibilty before using a selector. However, you should only pass selectors to these methods, which are specified at compile time. If you think you are using static selectors, it’s possible a third-party framework you’ve added to your app is not in compliance.

Please perform an in-depth review of your app and remove any code, frameworks, or SDKs that fall in line with the functionality described above before submitting the next update for your app for review

@SkateHuang
Copy link

收到邮件还以为苹果开发者账号这么快就过期了?原来是要接受这些新协议。
85746df1f4fdd82cd5d46bc97b2c4de3

@simcyber
Copy link

收到,会不会强制下架啊?

@Tyrant2013
Copy link

我们也收到了,不过我们并没有使用任何热更新方案,也没有用到JSCore,不过倒是用到几个邮件里面提到的API,这算是误报了吧?有没有一样的啊?

@woshiqyb
Copy link

对于警告邮件中提到的一些api,Apple说不能随意传递任意参数,对于参数,要在编译期间就能够确定。那么对于AFNetworkding的代码:

for (NSString *keyPath in AFHTTPRequestSerializerObservedKeyPaths()) {
if ([self respondsToSelector:NSSelectorFromString(keyPath)]) {
[self addObserver:self forKeyPath:keyPath options:NSKeyValueObservingOptionNew context:AFHTTPRequestSerializerObserverContext];
}
}
这段应该不是在编译期间就能确定的吧?难道这个也是不合规的?

@heroims
Copy link

heroims commented Mar 10, 2017

估计是看量,我代码里用类似形式多的被警告了,另一个用的少没被警告 @woshiqyb ,被警告的里面没有任何第三方和JSPatch,没警告的里面JSPatch混淆了没用太多高级语法,但能动态改页面。现在懵逼了,完全想不到怎么改,正想怎么做套混淆,合着写的高级点被警告,low的一逼全js写外面简单混淆就没事太扯了

@IMKiller
Copy link

提交被拒了

Your app, extension, and/or linked framework appears to contain code designed explicitly with the capability to change your app’s behavior or functionality after App Review approval, which is not in compliance with section 3.3.2 of the Apple Developer Program License Agreement and App Store Review Guideline 2.5.2. This code, combined with a remote resource, can facilitate significant changes to your app’s behavior compared to when it was initially reviewed for the App Store. While you may not be using this functionality currently, it has the potential to load private frameworks, private methods, and enable future feature changes.

This includes any code which passes arbitrary parameters to dynamic methods such as dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations(), and running remote scripts in order to change app behavior or call SPI, based on the contents of the downloaded script. The Objective-C methods respondsToSelector: and performSelector: are still supported and allowed. For example, they can be used to check OS compatibilty before using a selector. However, you should only pass selectors to these methods, which are specified at compile time. If you think you are using static selectors, it’s possible a third-party framework you’ve added to your app is not in compliance. Even if the remote resource is not intentionally malicious, it could easily be hijacked via a Man In The Middle (MiTM) attack, which can pose a serious security vulnerability to users of your app.

Please perform an in-depth review of your app and remove any code, frameworks, or SDKs that fall in line with the functionality described above before submitting the next update for your app for review.

Best regards,

App Store Review

@ghost
Copy link

ghost commented Mar 13, 2017

总结一下我们微信和QQ群里目前讨论出来的一些情况:
1、只要不用热更新,应该和weex、rn这些无关,群里有只用weex、rn,没有启用热更新,审核通过的例子;
2、除了直接使用jspatch,由于使用了第三方sdk而间接引入jspatch的情况也会被拒,目前发现的有个推、高德、bugtags,个推提供了新的临时sdk,群里已经有人审核通过了,据说今天会提供正式的sdk。其它的sdk,大家可以通过使用 nm /path/to/executable_filepath | grep "JSPatch" 进行排查。
3、有人猜测是否因为代码中使用了dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations()这些方法。
4、jspatch官方的解决方案

我们的群地址如下,请入群同学自觉,不要讨论非技术话题。

apple both

@yaonuo
Copy link

yaonuo commented Mar 18, 2017

被拒了一次(仅仅注释了个推1.4.3的代码,没有删除Pods的引用)后,今天审核通过了。换了新的个推SDK1.6.2.0,就通过了。
期间排查过method_exchangeImplementations,和,JavaScriptCore.framework,和respondsToSelector等等,发现只要是没有用这些函数或库去做热更新的事情,就不会被拒的。(比如,MJExtension里用了JavaScriptCore的函数,但是仅仅处理数据格式的操作,是不会被拒的。)

@adreamy
Copy link

adreamy commented Mar 18, 2017

个推已经推出最新的SDK 可以通过审核 目前已经审核通过

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests