Apple警告邮件

[kunwang0916]

统一回复：关于苹果警告 http://blog.cnbang.net/internet/3374/

@bang590 的回复

---

今天收到Apple的警告邮件。
应用中使用了JSPatch一段时间了，之前的版本是没有问题的。
而且这个通知邮件也不是在提交更新版本审核过程中收到，而是苹果主动发出的。

• 是否和JSPatch有关？

• 如果有关请问是否有解决方案。

• 其它开发者最近有收到类似邮件的话，也请分享一下。 请不要灌水。

• 相关信息 / Related information

  • 可能用到patch相关的第三方SDK——处理进度汇总
  • Issue in Apple Developer Forums
  • Issue in react-native
  • Issue in AFNetworking
  • Issue in alibaba/weex
  • issue in alibaba/LuaViewSDK
  • discussion in Hack News thanks @yong-chen04
  • 文章: Apple向热更新下达最后通牒

Dear Developer,

Your app, extension, and/or linked framework appears to contain code designed explicitly with the capability to change your app’s behavior or functionality after App Review approval, which is not in compliance with section 3.3.2 of the Apple Developer Program License Agreement and App Store Review Guideline 2.5.2. This code, combined with a remote resource, can facilitate significant changes to your app’s behavior compared to when it was initially reviewed for the App Store. While you may not be using this functionality currently, it has the potential to load private frameworks, private methods, and enable future feature changes.

This includes any code which passes arbitrary parameters to dynamic methods such as dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations(), and running remote scripts in order to change app behavior or call SPI, based on the contents of the downloaded script. Even if the remote resource is not intentionally malicious, it could easily be hijacked via a Man In The Middle (MiTM) attack, which can pose a serious security vulnerability to users of your app.

Please perform an in-depth review of your app and remove any code, frameworks, or SDKs that fall in line with the functionality described above before submitting the next update for your app for review.

Best regards,

App Store Review

---

[yudun1989]

同样收到警告邮件。
建议不着急上架的先等一下，等先遣部队先踩一下坑。。。

[wealon]

我也收到了同样的邮件

[devjiangzhou]

@bang590 微信读书收到没？

[TT-usr]

同收到了

[SolaWing]

同样收到了...

[totzcc]

+1

[wealon]

昨天发现在appstore 搜索不到了，但是没有下架，今天收到苹果的警告邮件，内容和楼上的一样

[iPermanent]

并没有收到啊，难道我是假开发者账号？

[Channe]

我刚刚收到了这样的邮件

[dingyusong]

早上收到了同样的邮件

[MrLiuYS]

没有收到啊,项目中用到的都只是修改一些小bug.
是不是做大幅度改动的.才会收到?

[hujian]

早上同样收到了这样的邮件

[zhudaye12138]

占个楼，关注一下

[shaveKevin]

关注，静待回复

[daemonchen]

为什么突然又禁止了～～

[poboke]

关注

[applejian]

会不会是使用过度了呀 我们一般都一个月一个版本 暂时还没收到这个邮件

[wuyifan]

同样收到邮件，关注

[393698063]

有解决方法吗？

[applejian]

大家都用的哪种方式集成的 我用的是外接自己的服务器这种

[rainysweet]

暂时都只是收到警告，应用还没有下架，你们都下架整改了么？

[ghost]

me too

[hujian]

@rainysweet 只是警告，没有下架，暂时还能搜到

[robert1202]

暂时没有收到，难道苹果要禁止热修复了么？

[KlausLiu]

我们有4-5款APP都用了，目前没收到邮件，也能搜到。
问个问题：收到邮件的同学，你们的App是仅仅用JSPatch做补丁修复？还是直接用JSPatch做了一些模块功能？

[Toothpick2012]

淘宝咋办

[MrLiuYS]

收到的是用jspatch开发功能? 还是修改bug啊?

[xingxingc]

我也收到了邮件，在JPEngine.m中确实能够找到邮件中提到的那些方法

[monycn]

没有收到邮件的，到你们的https://itunesconnect.apple.com/ 看一下，说不定有不一样的收获

[vedon]

什么方法，截图看看？参考一下

[hirat]

项目里边用到了个推，正在等他们的临时SDK，好了之后试一下上传会不会被拒

[ningj123]

IOS React-Native ,我们会讨论一些diff差分更新，以及一些创业伙伴们，欢迎交流

[greezi]

等了一天了还没收到警告⚠️,好期待啊~

[juvham]

拯救了50W将要失业的 iOS开发人员

[AxeMea]

围观，凑个 600 。

[qhd]

JSPatch、react-native、weex、收到邮件警告的加入QQ群:92362912讨论和分享处理方案

[Gshocking]

围观事态发展

[iHTCboy]

给苹果提问：（等待回复）
1、我们游戏包括远程下载资源包，这个功能是不允许吗？
2、是否不允许使用JSPatch或Rollout.js、React Native、Weex等框架？
3、“section 3.3.2 of the Apple Developer Program License Agreement and App Store Review Guideline 2.5.2. ” 用了runtime和jscontext是否允许？
4、AFN和SDWedImage等部分包括 such as dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations(),但是没有远程更新，这样能否使用？
5、第三方SDK，比如统计分析、crash收集、以及性能分析等，我们怎么检查他们有没有使用非法的方法？
6、具体我们应该怎么做，我们还有点迷茫，可以告诉我们详细方法吗？

[Cologler]

回复“加一”、“+1”、“同样收到”的小伙伴们会不会点楼主左下角的加一符号？
回复“围观”、“mark”或调侃 Apple 的小伙伴们能不能只是点击右边的 Subscribe 按钮然后乖乖闭嘴？
你们理解邮箱收到一堆这种垃圾邮件的感受吗？

我借机 block 了一大波缺德人士。
@sleepywk 可以把这话润色一下挂在贴首了。

[Gshocking]

那你回复我干嘛。直接block不就行了，智障 在2017年03月08 23时38分, "cologler"<notifications@github.com>写道: 回复“加一”、“+1”、“同样收到”的小伙伴们会不会点楼主左下角的加一符号？ 回复“围观”、“mark”或调侃 Apple 的小伙伴们能不能只是点击右边的 Subscribe 按钮然后乖乖闭嘴？ 你们理解邮箱收到一堆这种垃圾邮件的感受吗？ 我借机 block 了一大波缺德人士。 @sleepywk 可以把这话润色一下挂在贴首了。 — You are receiving this because you commented. Reply to this email directly, view it on GitHub, or mute the thread.

[sysoft]

为什么这个Issue还不关闭，大多数评论都是对问题毫无意义的

[haibinyu]

很多人太无聊了，取关！看看react native下面相关问题的回复，再看看这个，差距太大了。

[xiemotongye]

今天早上接到了美国苹果电话，点名要求删除JSPatch，看来就是JSPatch的原因

[ghost]

Please perform an in-depth review of your app and remove any code, frameworks, or SDKs that fall in line with the functionality described above before submitting the next update for your app for review.
就是说不会立即下线了,不过下次更新要处理掉.
神阿!怎么弄?
建了群大家讨论一下
QQ群
进群需要验证,答案:热更新

微信群

[kinghudi]

我也收到了 有人知道如果上线的app 不做更新了 会被强制下线吗

[bang590]

统一回复：关于苹果警告 http://blog.cnbang.net/internet/3374/
此贴关闭

[lovecn]

围观

[yeshibuzhong]

莫名其妙的收到了邮件+1

[vagase]

最新进展

我给苹果写信问了具体原因，得到的回复如下：

The code referenced in our initial rejection message includes any code which passes arbitrary parameters to dynamic methods such as dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations(), and running remote scripts in order to change app behavior or call SPI, based on the contents of the downloaded script. The Objective-C methods respondsToSelector: and performSelector: are still supported and allowed. For example, they can be used to check OS compatibilty before using a selector. However, you should only pass selectors to these methods, which are specified at compile time. If you think you are using static selectors, it’s possible a third-party framework you’ve added to your app is not in compliance.

Please perform an in-depth review of your app and remove any code, frameworks, or SDKs that fall in line with the functionality described above before submitting the next update for your app for review

[SkateHuang]

收到邮件还以为苹果开发者账号这么快就过期了？原来是要接受这些新协议。

[simcyber]

收到，会不会强制下架啊？

[Tyrant2013]

我们也收到了，不过我们并没有使用任何热更新方案，也没有用到JSCore，不过倒是用到几个邮件里面提到的API，这算是误报了吧？有没有一样的啊？

[woshiqyb]

对于警告邮件中提到的一些api，Apple说不能随意传递任意参数，对于参数，要在编译期间就能够确定。那么对于AFNetworkding的代码：

for (NSString *keyPath in AFHTTPRequestSerializerObservedKeyPaths()) {
if ([self respondsToSelector:NSSelectorFromString(keyPath)]) {
[self addObserver:self forKeyPath:keyPath options:NSKeyValueObservingOptionNew context:AFHTTPRequestSerializerObserverContext];
}
}
这段应该不是在编译期间就能确定的吧？难道这个也是不合规的？

[heroims]

估计是看量，我代码里用类似形式多的被警告了，另一个用的少没被警告 @woshiqyb ,被警告的里面没有任何第三方和JSPatch，没警告的里面JSPatch混淆了没用太多高级语法，但能动态改页面。现在懵逼了，完全想不到怎么改，正想怎么做套混淆，合着写的高级点被警告，low的一逼全js写外面简单混淆就没事太扯了

[IMKiller]

提交被拒了

Your app, extension, and/or linked framework appears to contain code designed explicitly with the capability to change your app’s behavior or functionality after App Review approval, which is not in compliance with section 3.3.2 of the Apple Developer Program License Agreement and App Store Review Guideline 2.5.2. This code, combined with a remote resource, can facilitate significant changes to your app’s behavior compared to when it was initially reviewed for the App Store. While you may not be using this functionality currently, it has the potential to load private frameworks, private methods, and enable future feature changes.

This includes any code which passes arbitrary parameters to dynamic methods such as dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations(), and running remote scripts in order to change app behavior or call SPI, based on the contents of the downloaded script. The Objective-C methods respondsToSelector: and performSelector: are still supported and allowed. For example, they can be used to check OS compatibilty before using a selector. However, you should only pass selectors to these methods, which are specified at compile time. If you think you are using static selectors, it’s possible a third-party framework you’ve added to your app is not in compliance. Even if the remote resource is not intentionally malicious, it could easily be hijacked via a Man In The Middle (MiTM) attack, which can pose a serious security vulnerability to users of your app.

Please perform an in-depth review of your app and remove any code, frameworks, or SDKs that fall in line with the functionality described above before submitting the next update for your app for review.

Best regards,

App Store Review

[ghost]

总结一下我们微信和QQ群里目前讨论出来的一些情况:
1、只要不用热更新，应该和weex、rn这些无关，群里有只用weex、rn，没有启用热更新，审核通过的例子；
2、除了直接使用jspatch，由于使用了第三方sdk而间接引入jspatch的情况也会被拒，目前发现的有个推、高德、bugtags，个推提供了新的临时sdk，群里已经有人审核通过了,据说今天会提供正式的sdk。其它的sdk，大家可以通过使用 nm /path/to/executable_filepath | grep "JSPatch" 进行排查。
3、有人猜测是否因为代码中使用了dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations()这些方法。
4、jspatch官方的解决方案

我们的群地址如下，请入群同学自觉，不要讨论非技术话题。

[yaonuo]

被拒了一次（仅仅注释了个推1.4.3的代码，没有删除Pods的引用）后，今天审核通过了。换了新的个推SDK1.6.2.0，就通过了。
期间排查过method_exchangeImplementations，和，JavaScriptCore.framework，和respondsToSelector等等，发现只要是没有用这些函数或库去做热更新的事情，就不会被拒的。（比如，MJExtension里用了JavaScriptCore的函数，但是仅仅处理数据格式的操作，是不会被拒的。）

[adreamy]

个推已经推出最新的SDK 可以通过审核 目前已经审核通过