Apple的警告邮件

[coderyi]

今天收到Apple的警告邮件。
应用中使用了Weex

• 是否和Weex有关？
• 如果有关请问是否有解决方案。
• 其它开发者最近有收到类似邮件的话，也请分享一下。

苹果相关规则，https://developer.apple.com/terms/

Dear Developer,

Your app, extension, and/or linked framework appears to contain code designed explicitly with the capability to change your app’s behavior or functionality after App Review approval, which is not in compliance with section 3.3.2 of the Apple Developer Program License Agreement and App Store Review Guideline 2.5.2. This code, combined with a remote resource, can facilitate significant changes to your app’s behavior compared to when it was initially reviewed for the App Store. While you may not be using this functionality currently, it has the potential to load private frameworks, private methods, and enable future feature changes.

This includes any code which passes arbitrary parameters to dynamic methods such as dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations(), and running remote scripts in order to change app behavior or call SPI, based on the contents of the downloaded script. Even if the remote resource is not intentionally malicious, it could easily be hijacked via a Man In The Middle (MiTM) attack, which can pose a serious security vulnerability to users of your app.

Please perform an in-depth review of your app and remove any code, frameworks, or SDKs that fall in line with the functionality described above before submitting the next update for your app for review.

Best regards,

App Store Review

[axl411]

@coderyi 是否是只使用了 Weex？有使用 JSPatch、RN 或其他已知符合警告中描述行为的 code 吗？

我们的应用是 JSPatch+Weex

[coderyi]

@axl411 使用了JSPatch，Weex，代码都是远端下发的，不知道怎么解决

[Jinjiang]

我们在保持关注，暂不能断定

[fighting300]

大部分应用一般都混合使用比如 rn jspatch 或者 weex jspatch

[cxfeng1-zz]

跟进中，收到警告的同学也检查下是否有使用类似JSPatch的动态部署方案， 目前Weex Playground(只使用了Weex的App)还没有收到警告。

[coderyi]

只有下发weex代码才会收警告，本地执行是不会的。
2.5.2 Apps should be self-contained in their bundles, and may not read or write data outside the designated container area, nor may they download, install, or execute code, including other iOS, watchOS, macOS, or tvOS apps.

3.3.2 Except as set forth in the next paragraph, an Application may not download or install
executable code. Interpreted code may only be used in an Application if all scripts, code and
interpreters are packaged in the Application and not downloaded. The only exceptions to the
foregoing are scripts and code downloaded and run by Apple's built-in WebKit framework or
JavascriptCore, provided that such scripts and code do not change the primary purpose of the
Application by providing features or functionality that are inconsistent with the intended and
advertised purpose of the Application as submitted to the App Store.
For macOS Applications submitted to Apple for distribution on the App Store, an Application may
install or run interpreted or executable code (e.g., plug-ins and extensions) for use in conjunction
with the Application only so long as such code: (a) does not change the Application's submitted
binary or would not otherwise be considered an update (as determined in Apple’s sole discretion);
and (b) does not change the primary purpose of the Application by providing features or
functionality that are inconsistent with the intended and advertised purpose of the Application as submitted to the App Store.

[totzcc]

mark

[shaojiankui]

http://www.skyfox.org/apple-2017-hot-patch.html

[fighting300]

facebook/react-native#12778

[geteng]

mark

[zhangyanan151]

mark

[zhaiyuyong]

不要玩Weex 快加入饿了么大数据玩spark吧

[tuoxie007]

应该不是技术本身的问题，是使用上尺度太大，审核前后功能差异太大引起的

[luoei]

[Huang-Libo]

淘宝 APP 不是大量使用了 weex 吗, 难道要全换成原生的?

[tuoxie007]

苹果听说iOS开发没人要了，来拯救我们的

[UranusCEO]

按现在的情况是 JPatch 和 Rollout.io 的用户收到影响~ 感觉和Weex 没大有关系~

[foxsofter]

- (void)garbageCollect
{
    char str[80];
    strcpy(str, "JSSynchron");
    strcat(str, "ousGarbageColl");
    strcat(str, "ectForDebugging");
    WXJSCGarbageCollect garbageCollect = dlsym(RTLD_DEFAULT, str);
    
    if (garbageCollect != NULL) {
        garbageCollect(_jsContext.JSGlobalContextRef);
    }
}

[loyep]

mark

[yuyichen]

RN的这种模式应该是技术发展的趋势吧,苹果也有自己的顾虑,
估计后期二者会有个平衡的过程

[ghost]

Please perform an in-depth review of your app and remove any code, frameworks, or SDKs that fall in line with the functionality described above before submitting the next update for your app for review.
就是说不会立即下线了,不过下次更新要处理掉.
神阿!怎么弄?
建了群大家讨论一下
QQ群
进群需要验证,答案:热更新

微信群

[gaoyuqi]

如果只是用本地的js+weex呢？ 或者weex源码里面去掉相关敏感api呢？ 希望官方这边帮忙多研究研究，谢谢。

[dcais]

淘宝app广泛运用的weex，要禁掉岂不是炸锅了

[zjuwjf]

没有使用js-patch, bug-tags, 个推等, 使用了weex, 刚刚收到警告邮件.
希望weex团队关注下.

发现警告是对上个版本的, 上个版本有js-Patch, 所以目前具体原因还不明确.

[luoei]

@zjutyujf 项目中有使用weex，如果也撤掉的话，那么工作量不可小。

[ghost]

总结一下我们微信和QQ群里目前讨论出来的一些情况:
1、只要不用热更新，应该和weex、rn这些无关，群里有只用weex、rn，没有启用热更新，审核通过的例子；
2、除了直接使用jspatch，由于使用了第三方sdk而间接引入jspatch的情况也会被拒，目前发现的有个推、高德、bugtags，个推提供了新的临时sdk，群里已经有人审核通过了,据说今天会提供正式的sdk。其它的sdk，大家可以通过使用 nm /path/to/executable_filepath | grep "JSPatch" 进行排查。
3、有人猜测是否因为代码中使用了dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations()这些方法。
4、jspatch官方的解决方案

我们的群地址如下，请入群同学自觉，不要讨论非技术话题。

[yfldj]

@cxfeng1 请问weex Playground目前没有收到警告是吗？是否可以继续使用weex啊？好虚～weex官方是否有回应？

[yfldj]

@leansail weex可以直接访问服务器的js，请问这样算是启用热更新吗？

[ghost]

@yfldj 我们群里对于weex，目前还没有结论，我对比了weex百度指数一周前的百度指数，发现是上升的，相比react native在8、9、10三天都是上升的，但是11号以后就下降了，同时我们群里也有人陆续说rn没开热更新审核过了，所以我推测11号之后大家都确认了rn没事儿，但是目前还不确定weex有没有事儿，所以还是搜索热点。

[cxfeng1-zz]

统一回复下:

• Weex 在机制上只是将一些既定的 Native 功能通过 iOS 内置的 JavascriptCore 暴露给 JS， 它无法动态改变 Swift 或者 OC 代码， 也无法动态去访问系统的私有API
• 最近一周已经有很多 App 带着 Weex 通过审核，目前没有发现单独因为集成 Weex 审核被拒的， 请大家放心使用

[slowsay]

警告，估计是你们的app与审核时的一些图界面，差异过大，引起，如：做一个资讯的，突然改成了一个游戏的，能不警告？

[931743010]

@cxfeng1 调用本地的jsbundl来进行渲染审核没问题 ；但是调用服务器端端jsbundle 来进行渲染 会审核通过吗？

[yfldj]

@cxfeng1 @931743010 同问