Code Push no longer allowed by Apple? #415

Closed
pke opened this issue Mar 13, 2017 · 5 comments

@pke commented Mar 13, 2017

Read this message in the Apple dev forums:

https://forums.developer.apple.com/thread/73640

And it states:

"Your app, extension, and/or linked framework appears to contain code designed explicitly with the capability to change your app’s behavior or functionality after App Review approval, which is not in compliance with section 3.3.2 of the Apple Developer Program License Agreement and App Store Review Guideline 2.5.2. This code, combined with a remote resource, can facilitate significant changes to your app’s behavior compared to when it was initially reviewed for the App Store. While you may not be using this functionality currently, it has the potential to load private frameworks, private methods, and enable future feature changes.
This includes any code which passes arbitrary parameters to dynamic methods such as dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations(), and running remote scripts in order to change app behavior or call SPI, based on the contents of the downloaded script. Even if the remote resource is not intentionally malicious, it could easily be hijacked via a Man In The Middle (MiTM) attack, which can pose a serious security vulnerability to users of your app.
Please perform an in-depth review of your app and remove any code, frameworks, or SDKs that fall in line with the functionality described above before submitting the next update for your app for review."

This pretty much describes what code-push code does. Any word from MS about that?

@max-mironov (Contributor) commented Mar 13, 2017

Hi @pke, seems that the rejections only affect apps that use native code update technologies, like Rollout and JSPatch.
Please see microsoft/react-native-code-push#748, microsoft/cordova-plugin-code-push#227 for more details.

@max-mironov (Contributor) commented Mar 22, 2017

@marcelaraujo thanks for sharing this. Also please see the latest thread in RN repo: facebook/react-native#13011. So seems that CodePush is not a culprit of the issue.

@max-mironov (Contributor) commented Mar 31, 2017

I'm closing the issue now as it turns out that code-push is valid for use with the App Store. Will reopen this one if anything changes.

@dsernst commented Apr 24, 2017

The Man-in-the-Middle attack is unfortunately still relevant. See #233 for discussion and #309 for WIP solution.
