Apple warning email #746

Closed
kunwang0916 opened this Issue Mar 7, 2017 · 620 comments


kunwang0916 commented Mar 7, 2017

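Consolidated reply: about the Apple warning http://blog.cnbang.net/internet/3374/

Reply from @bang590


Today I received a warning email from Apple.
The app has been using JSPatch for some time, and previous versions had no problems.
Moreover, this notification email did not arrive during review of a submitted update; Apple sent it on its own initiative.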

Dear Developer,

Your app, extension, and/or linked framework appears to contain code designed explicitly with the capability to change your app’s behavior or functionality after App Review approval, which is not in compliance with section 3.3.2 of the Apple Developer Program License Agreement and App Store Review Guideline 2.5.2. This code, combined with a remote resource, can facilitate significant changes to your app’s behavior compared to when it was initially reviewed for the App Store. While you may not be using this functionality currently, it has the potential to load private frameworks, private methods, and enable future feature changes.

This includes any code which passes arbitrary parameters to dynamic methods such as dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations(), and running remote scripts in order to change app behavior or call SPI, based on the contents of the downloaded script. Even if the remote resource is not intentionally malicious, it could easily be hijacked via a Man In The Middle (MiTM) attack, which can pose a serious security vulnerability to users of your app.

Please perform an in-depth review of your app and remove any code, frameworks, or SDKs that fall in line with the functionality described above before submitting the next update for your app for review.

Best regards,

App Store Review



yudun1989 commented Mar 7, 2017

I received the same warning email.
If you are not in a hurry to release, I suggest waiting a bit and letting the vanguard run into the pitfalls first...

wealon commented Mar 8, 2017

I received the same email too.

devjiangzhou commented Mar 8, 2017

@bang590 Did 微信读书 (WeChat Reading) receive one?

zichenJack commented Mar 8, 2017

Received it too.

SolaWing commented Mar 8, 2017

Received it as well...

totzcc commented Mar 8, 2017

+1

wealon commented Mar 8, 2017

Yesterday I found that the app could no longer be found by searching the App Store, although it had not been taken down. Today I received Apple's warning email, with the same content as the posts above.

iPermanent commented Mar 8, 2017

I haven't received one. Could my developer account be a fake?

Channe commented Mar 8, 2017

I just received this email.

DingYusong commented Mar 8, 2017

Received the same email this morning.

MrLiuYS commented Mar 8, 2017

I haven't received one. In our project it is only used to fix some small bugs.
Is it only apps making large-scale changes that receive it?

hujian commented Mar 8, 2017

I also received this email this morning.

zhudaye12138 commented Mar 8, 2017

Reserving a spot to follow this.

shaveKevin commented Mar 8, 2017

Following, waiting for a reply.

daemonchen commented Mar 8, 2017

Why is it suddenly banned again~~

poboke commented Mar 8, 2017

Following

applejian commented Mar 8, 2017

Could it be overuse? We generally ship one version a month and haven't received this email so far.

wuyifan commented Mar 8, 2017

Received the same email, following.

393698063 commented Mar 8, 2017

Is there a solution?

applejian commented Mar 8, 2017

How has everyone integrated it? I use the approach of connecting it to my own server.

rainysweet commented Mar 8, 2017

So far everyone has only received a warning and the apps have not been taken down. Have you all taken your apps down to fix this?

@jueyingxx

me too

hujian commented Mar 8, 2017

@rainysweet Only a warning, not taken down; it can still be found in search for now.

robert1202 commented Mar 8, 2017

Haven't received one yet. Is Apple going to ban hot fixes?

KlausLiu commented Mar 8, 2017

We have 4-5 apps using it; so far we have not received the email, and they can still be found in search.
A question: for those who received the email, does your app use JSPatch only for patch fixes, or did you build some module features directly with JSPatch?

Toothpick2012 commented Mar 8, 2017

What will Taobao do?

MrLiuYS commented Mar 8, 2017

Did those who received it use JSPatch to develop features, or to fix bugs?

xingxingc commented Mar 8, 2017

I received the email too. The methods mentioned in the email can indeed be found in JPEngine.m.

monycn commented Mar 8, 2017

If you haven't received the email, take a look at your https://itunesconnect.apple.com/; you might find something unexpected.

vedon commented Mar 8, 2017

Which methods? Can you post a screenshot for reference?

catcups commented Mar 8, 2017

( ⊙ o ⊙ ) Ah! Both of my projects went live today and I didn't get the email. Could it be because my JSPatch has expired?

catcups commented Mar 8, 2017

I just checked https://itunesconnect.apple.com/ and it warned about this:
Agreement information
The updated Apple Developer Program License Agreement needs to be reviewed.
In order to update your existing apps and submit new apps to the App Store, the user with the Legal role (Team Agent) must review and accept the updated agreement in their account on the developer website.

xingxingc commented Mar 8, 2017

Just these methods: dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations()

xiemotongye commented Mar 8, 2017

We use it; haven't received one yet.

zengyun-hacker commented Mar 8, 2017

=。= It feels like only Daddy Apple can resolve this issue?

fanlv commented Mar 8, 2017

1

henshao commented Mar 8, 2017

+1

@hayashi1202

+1

huangzhifei commented Mar 8, 2017

Who is Daddy Apple going after this time?

@huangzhifei

@chengwuli125 You are in danger

zxpsa commented Mar 8, 2017

Marking this.

pallyoung commented Mar 8, 2017

Dropping by from Android to watch.

RecheLi commented Mar 8, 2017

Daddy Apple is angry

Juice007 commented Mar 8, 2017

Our app uses Alibaba's hot-fix framework and also received the email.

andylei18 commented Mar 8, 2017

Daddy Apple is angry

PWDream commented Mar 8, 2017

mark

iikk commented Mar 8, 2017

Daddy Apple is so overbearing

PlayApple commented Mar 8, 2017

First thing in the morning all of our apps received it. Let's observe for now.

Fonger commented Mar 8, 2017

Great! I think Apple does a good job!

heroims commented Mar 8, 2017

Whoa, our app only uses the runtime and JSContext and still got warned; we don't use any other third-party code or JSPatch!!!!!

hirat commented Mar 8, 2017

Our project uses Getui (个推); we are waiting for their interim SDK, and once it is ready we will try uploading to see whether it gets rejected.

ningj123 commented Mar 8, 2017

iOS React-Native: we will discuss diff-based incremental updates, and fellow entrepreneurs are welcome to get in touch.

greezi commented Mar 8, 2017

Waited a whole day and still haven't received the warning ⚠️, really looking forward to it~

juvham commented Mar 8, 2017

This saved 500,000 iOS developers who were about to lose their jobs

AxeMea commented Mar 8, 2017

Just watching; rounding it up to 600.

qhd commented Mar 8, 2017

JSPatch, react-native, weex: if you received the warning email, join QQ group 92362912 to discuss and share solutions

Gshocking commented Mar 8, 2017

Watching how things develop

iHTCboy commented Mar 8, 2017

Questions sent to Apple (awaiting reply):
1. Our game includes remotely downloaded resource packs; is this feature not allowed?
2. Is it not allowed to use frameworks such as JSPatch, Rollout.js, React Native, or Weex?
3. "section 3.3.2 of the Apple Developer Program License Agreement and App Store Review Guideline 2.5.2." Is using the runtime and JSContext allowed?
4. AFN, SDWebImage and others contain calls such as dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations(), but there is no remote update; can these be used?
5. For third-party SDKs such as analytics, crash collection, and performance analysis, how do we check whether they use prohibited methods?
6. We are still somewhat confused about what exactly we should do; can you tell us the detailed steps?

Cologler commented Mar 8, 2017

Those replying "plus one", "+1", or "received it too": can't you click the +1 reaction at the bottom left of the original post?
Those replying "watching", "mark", or making fun of Apple: can't you just click the Subscribe button on the right and then quietly keep your mouths shut?
Do you understand what it feels like to have your inbox filled with this kind of junk mail?

I took the opportunity to block a big batch of inconsiderate people.
@sleepywk You could polish this and pin it at the top of the thread.

Gshocking Mar 9, 2017

sysoft commented Mar 9, 2017

Why hasn't this issue been closed yet? Most of the comments contribute nothing to the problem.

haibinyu commented Mar 9, 2017

Too many people are being pointless; unsubscribing! Look at the replies on the related issue under React Native, then look at this one: the gap is huge.

xiemotongye commented Mar 9, 2017

This morning I got a phone call from Apple in the US, explicitly demanding that JSPatch be removed. So it seems JSPatch is the cause.

leansail commented Mar 9, 2017

Please perform an in-depth review of your app and remove any code, frameworks, or SDKs that fall in line with the functionality described above before submitting the next update for your app for review.
In other words, the app will not be pulled immediately, but it has to be dealt with in the next update.
Good grief! What do we do?
I have set up groups for everyone to discuss.
QQ group
Joining requires verification; the answer is: 热更新 (hot update)

WeChat group

kinghudi commented Mar 9, 2017

I received it too. Does anyone know whether an app that is already live will be forcibly taken down if it is no longer updated?

Owner

bang590 commented Mar 9, 2017

Consolidated reply: about the Apple warning http://blog.cnbang.net/internet/3374/
This thread is closed.

bang590 closed this Mar 9, 2017

lovecn commented Mar 9, 2017

Watching

yeshibuzhong commented Mar 10, 2017

Received the email for no apparent reason, +1

vagase commented Mar 10, 2017

Latest update

I wrote to Apple asking for the specific reason and got the following reply:

The code referenced in our initial rejection message includes any code which passes arbitrary parameters to dynamic methods such as dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations(), and running remote scripts in order to change app behavior or call SPI, based on the contents of the downloaded script. The Objective-C methods respondsToSelector: and performSelector: are still supported and allowed. For example, they can be used to check OS compatibility before using a selector. However, you should only pass selectors to these methods, which are specified at compile time. If you think you are using static selectors, it’s possible a third-party framework you’ve added to your app is not in compliance.

Please perform an in-depth review of your app and remove any code, frameworks, or SDKs that fall in line with the functionality described above before submitting the next update for your app for review

SkateHuang commented Mar 10, 2017

When I got the email I thought my Apple developer account had expired already? Turns out it's about accepting these new agreements.

simcyber commented Mar 10, 2017

Received it. Will the app be forcibly taken down?

Tyrant2013 commented Mar 10, 2017

We received it too, but we do not use any hot-update solution, nor JSCore; we do, however, use several of the APIs mentioned in the email. Does this count as a false positive? Is anyone else in the same situation?

woshiqyb commented Mar 10, 2017

Regarding some of the APIs mentioned in the warning email, Apple says arbitrary parameters must not be passed freely, and the parameters must be determinable at compile time. What about this AFNetworking code:

    for (NSString *keyPath in AFHTTPRequestSerializerObservedKeyPaths()) {
        if ([self respondsToSelector:NSSelectorFromString(keyPath)]) {
            [self addObserver:self forKeyPath:keyPath options:NSKeyValueObservingOptionNew context:AFHTTPRequestSerializerObserverContext];
        }
    }

This cannot be determined at compile time, can it? Is this non-compliant too?

heroims commented Mar 10, 2017

I guess it depends on volume. My code that uses a lot of this kind of pattern got warned, and another app that uses less didn't @woshiqyb. The warned one contains no third-party code and no JSPatch; the one that wasn't warned has JSPatch obfuscated, without much advanced syntax, but it can change pages dynamically. Now I'm dumbfounded and have no idea how to change it; I'm thinking about how to build an obfuscation scheme. So code written in a more sophisticated way gets warned, while the crude approach of putting all the JS outside with simple obfuscation gets away with it. That's ridiculous.

IMKiller commented Mar 11, 2017

The submission was rejected

Your app, extension, and/or linked framework appears to contain code designed explicitly with the capability to change your app’s behavior or functionality after App Review approval, which is not in compliance with section 3.3.2 of the Apple Developer Program License Agreement and App Store Review Guideline 2.5.2. This code, combined with a remote resource, can facilitate significant changes to your app’s behavior compared to when it was initially reviewed for the App Store. While you may not be using this functionality currently, it has the potential to load private frameworks, private methods, and enable future feature changes.

This includes any code which passes arbitrary parameters to dynamic methods such as dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations(), and running remote scripts in order to change app behavior or call SPI, based on the contents of the downloaded script. The Objective-C methods respondsToSelector: and performSelector: are still supported and allowed. For example, they can be used to check OS compatibility before using a selector. However, you should only pass selectors to these methods, which are specified at compile time. If you think you are using static selectors, it’s possible a third-party framework you’ve added to your app is not in compliance. Even if the remote resource is not intentionally malicious, it could easily be hijacked via a Man In The Middle (MiTM) attack, which can pose a serious security vulnerability to users of your app.

Please perform an in-depth review of your app and remove any code, frameworks, or SDKs that fall in line with the functionality described above before submitting the next update for your app for review.

Best regards,

App Store Review

leansail commented Mar 13, 2017

A summary of what has come out of the discussion in our WeChat and QQ groups so far:
1. As long as hot update is not used, this should be unrelated to weex and rn; the groups have examples of apps that use only weex or rn, without hot update enabled, and passed review;
2. Besides using jspatch directly, apps that pull in jspatch indirectly through a third-party SDK are also rejected. Those found so far are Getui (个推), Gaode (高德), and bugtags. Getui has provided a new interim SDK, someone in the group has already passed review with it, and the official SDK will reportedly be released today. For other SDKs, you can check with nm /path/to/executable_filepath | grep "JSPatch".
3. Some people speculate that it is because the code uses the methods dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations().
4. The official jspatch solution

Our group addresses are below. Those joining, please be considerate and do not discuss non-technical topics.
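
The `nm | grep` check from point 2 of the summary above, extended into a small triage script, as an added example that is not part of the thread or of JSPatch: it separates binaries that contain JSPatch symbols from binaries that merely import the dynamic APIs listed in Apple's email. The function names, verdict labels and sample `nm` output are constructed for illustration; matching `JPEngine` alongside `JSPatch` is an assumption based on the JPEngine.m file mentioned earlier in the thread.

```sh
#!/bin/sh
# Added example; not code from this thread or from JSPatch.

# classify_symbols: read `nm` output on stdin, print one finding per line.
#   ENGINE  <symbol>  name contains JSPatch or JPEngine
#   DYNAMIC <symbol>  undefined (imported) dlopen, dlsym,
#                     method_exchangeImplementations, NSSelectorFromString,
#                     or the JavaScriptCore JSContext class
# respondsToSelector: and performSelector: are selectors, not linker
# symbols, so nm does not show calls to them; NSSelectorFromString is the
# visible sign that selectors are built from strings at run time.
classify_symbols() {
    awk '
        NF < 2 { next }
        {
            # Defined: "<addr> <type> <name>"; undefined: "<type> <name>".
            idx = (length($1) == 1) ? 1 : 2
            type = $idx
            name = $(idx + 1)
            # Objective-C method names contain spaces; rejoin the fields.
            for (i = idx + 2; i <= NF; i++) name = name " " $i
            if (name ~ /JSPatch|JPEngine/) { print "ENGINE " name; next }
            if (type != "U") next
            if (name ~ /^_(dlopen|dlsym|method_exchangeImplementations|NSSelectorFromString)$/ ||
                name == "_OBJC_CLASS_$_JSContext")
                print "DYNAMIC " name
        }
    '
}

# verdict: reduce the findings to one label (labels are this example's own).
verdict() {
    findings=$(classify_symbols)
    if printf '%s\n' "$findings" | grep -q '^ENGINE '; then
        echo "engine-present"      # JSPatch is linked in, directly or via an SDK
    elif printf '%s\n' "$findings" | grep -q '^DYNAMIC '; then
        echo "dynamic-api-only"    # review that arguments are fixed at compile time
    else
        echo "no-markers"
    fi
}

# audit_file: run nm on one binary; report nm failure instead of "no-markers".
audit_file() {
    out=$(nm "$1" 2>/dev/null) || { echo "nm-failed"; return 1; }
    printf '%s\n' "$out" | verdict
}

# Constructed nm output: a third-party SDK that bundles JSPatch.
sample_sdk_nm() {
    cat <<'EOF'
                 U _OBJC_CLASS_$_JSContext
                 U _dlsym
                 U _method_exchangeImplementations
0000000000001a40 t +[JPEngine startEngine]
0000000000002b10 S _OBJC_CLASS_$_JPEngine
0000000000003c00 T _ExampleSDKStart
EOF
}

# Constructed nm output: an app that imports the APIs but has no engine.
sample_app_nm() {
    cat <<'EOF'
                 U _NSSelectorFromString
                 U _dlopen
0000000100001f20 t -[AppDelegate application:didFinishLaunchingWithOptions:]
0000000100000f00 T _main
EOF
}

# Usage: sh audit.sh MyApp.app/MyApp MyApp.app/Frameworks/Foo.framework/Foo
for bin in "$@"; do
    printf '%s: %s\n' "$bin" "$(audit_file "$bin")"
done
```

A `dynamic-api-only` result is a prompt to review call sites rather than a finding in itself, since commenters in this thread report that using these APIs without hot update did not lead to rejection.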

yaonuo commented Mar 18, 2017

After being rejected once (I had only commented out the Getui 1.4.3 code without removing the Pods reference), we passed review today. We switched to the new Getui SDK 1.6.2.0 and it passed.
Along the way I investigated method_exchangeImplementations, JavaScriptCore.framework, respondsToSelector and so on, and found that as long as these functions or libraries are not used to do hot updates, the app will not be rejected. (For example, MJExtension uses JavaScriptCore functions, but only for data-format handling, which does not get rejected.)

adreamy commented Mar 18, 2017

Getui has released its latest SDK, which can pass review; we have already passed review with it.

SeongBrave referenced this issue in marcuswestin/WebViewJavascriptBridge Mar 24, 2017

Closed

App review rejection #274
