Apple's warning email #2875

Closed
coderyi opened this Issue Mar 8, 2017 · 33 comments

coderyi commented Mar 8, 2017

Received a warning email from Apple today.
The app uses Weex.

  • Is this related to Weex?
  • If it is, is there a solution?
  • If other developers have received similar emails recently, please share as well.

Apple's relevant rules: https://developer.apple.com/terms/

Dear Developer,

Your app, extension, and/or linked framework appears to contain code designed explicitly with the capability to change your app’s behavior or functionality after App Review approval, which is not in compliance with section 3.3.2 of the Apple Developer Program License Agreement and App Store Review Guideline 2.5.2. This code, combined with a remote resource, can facilitate significant changes to your app’s behavior compared to when it was initially reviewed for the App Store. While you may not be using this functionality currently, it has the potential to load private frameworks, private methods, and enable future feature changes.

This includes any code which passes arbitrary parameters to dynamic methods such as dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations(), and running remote scripts in order to change app behavior or call SPI, based on the contents of the downloaded script. Even if the remote resource is not intentionally malicious, it could easily be hijacked via a Man In The Middle (MiTM) attack, which can pose a serious security vulnerability to users of your app.

Please perform an in-depth review of your app and remove any code, frameworks, or SDKs that fall in line with the functionality described above before submitting the next update for your app for review.

Best regards,

App Store Review

axl411 commented Mar 8, 2017

@coderyi Are you using only Weex? Are you also using JSPatch, RN, or other code known to match the behaviour described in the warning?

Our app uses JSPatch + Weex.

coderyi commented Mar 8, 2017

@axl411 We use JSPatch and Weex; all the code is delivered from the server. I don't know how to solve this.

Jinjiang commented Mar 8, 2017

Contributor

We are keeping an eye on it; we can't say for certain yet.

fighting300 commented Mar 8, 2017

Most apps use a mix, e.g. RN + JSPatch or Weex + JSPatch.

cxfeng1 commented Mar 8, 2017

Following up. Those who received the warning, please also check whether you are using a dynamic deployment solution similar to JSPatch. So far the Weex Playground (an app that uses only Weex) has not received a warning.

coderyi commented Mar 8, 2017

You only get the warning if Weex code is delivered from the server; executing it locally does not trigger it.

2.5.2 Apps should be self-contained in their bundles, and may not read or write data outside the designated container area, nor may they download, install, or execute code, including other iOS, watchOS, macOS, or tvOS apps.

3.3.2 Except as set forth in the next paragraph, an Application may not download or install executable code. Interpreted code may only be used in an Application if all scripts, code and interpreters are packaged in the Application and not downloaded. The only exceptions to the foregoing are scripts and code downloaded and run by Apple's built-in WebKit framework or JavascriptCore, provided that such scripts and code do not change the primary purpose of the Application by providing features or functionality that are inconsistent with the intended and advertised purpose of the Application as submitted to the App Store.

For macOS Applications submitted to Apple for distribution on the App Store, an Application may install or run interpreted or executable code (e.g., plug-ins and extensions) for use in conjunction with the Application only so long as such code: (a) does not change the Application's submitted binary or would not otherwise be considered an update (as determined in Apple's sole discretion); and (b) does not change the primary purpose of the Application by providing features or functionality that are inconsistent with the intended and advertised purpose of the Application as submitted to the App Store.

totzcc commented Mar 8, 2017

mark

geteng commented Mar 8, 2017

mark

zhangyanan151 commented

mark

zhaiyuyong commented Mar 8, 2017

Stop playing with Weex; come join Ele.me's big data team and play with Spark instead.

tuoxie007 commented Mar 8, 2017

It's probably not a problem with the technology itself; it's caused by using it too aggressively, with too large a difference in functionality before and after review.

xispower commented Mar 8, 2017

a

Huang-Libo commented Mar 8, 2017

Doesn't the Taobao app use Weex heavily? Does it all have to be replaced with native code?

tuoxie007 commented Mar 8, 2017

Apple heard that nobody wants iOS developers anymore and came to rescue us.

UranusCEO commented Mar 8, 2017

As things stand, users of JSPatch and Rollout.io are the ones affected~ it doesn't seem to have much to do with Weex~

foxsofter commented Mar 8, 2017

// Code quoted by foxsofter (the WX-prefixed type suggests the Weex iOS SDK):
// resolves a JavaScriptCore debugging function at runtime with dlsym(),
// assembling the symbol name from string fragments. This is the kind of
// dynamic lookup the warning mail names, although the symbol resolved here
// is fixed rather than supplied by a downloaded script.
// Requires <dlfcn.h> for dlsym()/RTLD_DEFAULT and <string.h> for strcpy/strcat.
- (void)garbageCollect
{
    char str[80];
    strcpy(str, "JSSynchron");
    strcat(str, "ousGarbageColl");
    strcat(str, "ectForDebugging");
    WXJSCGarbageCollect garbageCollect = dlsym(RTLD_DEFAULT, str);

    if (garbageCollect != NULL) {
        garbageCollect(_jsContext.JSGlobalContextRef);
    }
}

cofv commented Mar 8, 2017

mark

yuyichen commented Mar 9, 2017

RN's model should be the direction technology is heading; Apple has its own concerns too.
I guess the two will reach a balance later on.

leansail commented Mar 9, 2017

Please perform an in-depth review of your app and remove any code, frameworks, or SDKs that fall in line with the functionality described above before submitting the next update for your app for review.
That is, the app won't be taken down immediately, but this has to be dealt with in the next update.
Good grief! What do we do?
I've set up groups so everyone can discuss.
QQ group
Verification is required to join; the answer is 热更新 (hot update).

WeChat group

gaoyuqi commented Mar 9, 2017

What if we only use local JS + Weex? Or remove the relevant sensitive APIs from the Weex source? I hope the official team can look into this further, thanks.

davidcai19840412 commented Mar 10, 2017

The Taobao app uses Weex extensively; if it gets banned, won't that blow up?

zjuwjf commented Mar 10, 2017

Not using JSPatch, Bugtags, Getui, etc.; only using Weex, and just received the warning email.
I hope the Weex team looks into this.

I found that the warning is for the previous version, which did have JSPatch, so the exact cause is still unclear.

xispower commented Mar 10, 2017

@zjutyujf The project uses Weex; if that has to be removed too, the workload will not be small.

leansail commented Mar 13, 2017

Summing up what has been discussed so far in our WeChat and QQ groups:
1. As long as hot updates are not used, it should have nothing to do with Weex, RN and the like; there are examples in the group of apps using only Weex or RN, with hot updates disabled, that passed review;
2. Besides direct use of JSPatch, apps that pull in JSPatch indirectly through a third-party SDK are also rejected. Found so far: Getui, AMap, Bugtags. Getui has provided a new temporary SDK, and someone in the group has already passed review with it; reportedly the official SDK will be provided today. For other SDKs, you can check with nm /path/to/executable_filepath | grep "JSPatch".
3. Some speculate that it is because the code uses dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations().
4. JSPatch's official solution

Our group addresses are below; those who join, please be considerate and do not discuss non-technical topics.
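The symbol check above (nm piped to grep) and the list of dynamic-dispatch APIs in Apple's mail both come down to inspecting the linked binary's symbol table. The script below is an added example, not code from this thread or from the Weex project, that generalizes the grep into a small audit: it reads an nm listing from stdin, counts hits for "JSPatch" (the thread's substring) and for the C symbols of dlopen(), dlsym() and method_exchangeImplementations() (from the mail), and returns a non-zero exit status when anything is found so it can gate a release step. The indicator list and the sample listing are assumptions: the sample symbol names are constructed for illustration and do not come from any real binary. respondsToSelector: and performSelector: are Objective-C messages, not nm symbols, so they are not on the list.

```shell
#!/bin/sh
# Added example (not from this issue thread or the Weex project): audit an
# `nm` symbol listing for the indicators the warning mail and the thread name.
# The listing is read from stdin as text so the check runs offline; against a
# real build you would run:  nm /path/to/App.app/App | audit_symbols
#
# Indicators: "JSPatch" is the substring the thread greps for; _dlopen, _dlsym
# and _method_exchangeImplementations are the C symbols of the APIs named in
# the mail (nm shows C functions with a leading underscore). respondsToSelector:
# and performSelector: are ObjC messages and do not appear as nm symbols, so
# they are not in the list. The list itself is this example's assumption.

# Count symbols whose name (last field of an nm line) contains the pattern.
count_symbols() {
    awk -v pat="$1" '
        NF > 0 && index($NF, pat) > 0 { n++ }
        END { print n + 0 }'
}

# Report each indicator found, one "<indicator> <count>" line per hit, in a
# fixed order. Exit status 1 when anything was found, 0 when clean, so the
# function can gate a CI step.
audit_symbols() {
    listing=$(cat)
    found=0
    for indicator in JSPatch _dlopen _dlsym _method_exchangeImplementations; do
        n=$(printf '%s\n' "$listing" | count_symbols "$indicator")
        if [ "$n" -gt 0 ]; then
            printf '%s %s\n' "$indicator" "$n"
            found=1
        fi
    done
    return $found
}

# Constructed nm-style listing for demonstration only; the symbol names are
# invented and do not come from any real binary.
sample_listing() {
    cat <<'EOF'
0000000100001000 T _JSPatchExampleEntry
                 U _dlopen
                 U _dlsym
0000000100002000 t -[ExampleBridge garbageCollect]
                 U _objc_msgSend
                 U _method_exchangeImplementations
EOF
}

# Stand-alone run: audit the constructed listing and print a verdict.
if sample_listing | audit_symbols; then
    echo "clean: no indicators found"
else
    echo "review needed: indicators found (listed above)"
fi
```

A hit on _dlsym alone is not proof of remotely controlled behaviour (the garbageCollect method quoted earlier in the thread calls dlsym with a fixed name), so treat the output as a list of places to read, not as a verdict; the "JSPatch" hit is the one the thread reports as actually leading to rejection.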

yfldj commented Mar 13, 2017

@cxfeng1 So the Weex Playground has not received a warning so far? Can we keep using Weex? Feeling nervous~ Has the Weex team responded officially?

yfldj commented Mar 13, 2017

@leansail Weex can load JS directly from the server; does that count as enabling hot updates?

leansail commented Mar 14, 2017

@yfldj Our group has no conclusion about Weex yet. I compared the Baidu Index for Weex with a week ago and found it rising; by comparison, React Native rose on the 8th, 9th and 10th but fell after the 11th. Meanwhile, people in the group have gradually reported that RN passed review with hot updates turned off. So I infer that after the 11th everyone confirmed RN is fine, but it is still uncertain whether Weex is, so it remains a search hotspot.

cxfeng1 commented Mar 16, 2017

A reply to everyone:

  • Mechanically, Weex only exposes a fixed set of native capabilities to JS through the JavaScriptCore built into iOS; it cannot dynamically change Swift or Objective-C code, nor dynamically access private system APIs.
  • Over the past week many apps have passed review with Weex included, and so far we have not found any rejected solely for integrating Weex; please use it with confidence.

slowsay commented Mar 17, 2017

The warning is probably caused by too large a difference between your app and some of the screens seen at review time. For example, an app submitted as a news app that suddenly turns into a game: how could that not get a warning?

931743010 commented Apr 1, 2017

@cxfeng1 Rendering with the local jsbundle passes review without problems; but will rendering with a jsbundle fetched from the server pass review?
