A warning from Apple [resolved, not about React Native] #12778
Comments
|
Did anyone receive the warning e-mail? |
|
This includes any code which passes arbitrary parameters to dynamic methods such as dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations(), and running remote scripts Imported any framework for crash collections? |
|
I searched in all code of react native, the only risk which contain "arbitrary parameters to dynamic methods" is: RCTUtils.m Line 337 & 354 |
|
From the data points I've heard: the developers who received this email were using a patching framework called Rollout.io (discussion here: https://forums.developer.apple.com/thread/73640). So please double-check to see whether your app is using a framework like that. Reading the message carefully, it's not describing React Native nor what React Native does. Second, make sure that you aren't using custom, third-party React Native modules that call methods like Last, please use the Subscribe button on GitHub if you wish to follow the conversation but don't have something meaningful to contribute. I'd prefer to leave it open but if the discussion isn't productive we'll have to close this issue and perhaps lock it. Edit: there is also some discussion that the JSPatch library may be triggering this warning. I don't know if that is actually true or not, but please check all of the libraries that you are using in your apps. |
|
I searched in all code of react native, the only risk which may contain "arbitrary parameters to dynamic methods" is: RCTUtils.m Line 337 & 354 @ide any idea for this? Could we remove or change these code? |
|
@tdzl2003 Thanks for providing the file and line numbers -- those functions ( |
|
3.3.2 of Apple Developer Program License:
explicitly mentions that:
React Native does none of these. And so, using React Native doesn't expose you to the aforementioned issue. As @ide mentioned, there are reports this message is addressed to those using With React Native, you can do so called OTA update, but this is updating Javascript, not native code. Whenever native code changes, you have to make a new release. That OTA update of Javascript code is explicitly allowed in the
I believe everyone should follow up on this issue with Apple and sort out what's exactly causing the warning. |
|
@ide I know they are safe, but maybe apple's automatic check system may still consider a application use both script downloading AND arbitrary parameters to dynamic methods as a risk? |
TL/DR:🚫 Problem: Apps with the lib Rollout.io, JSPatch and similars are being rejected because they can dynamically change Swift / Objective-C code without passing through Apple Review process. ✅ React Native has nothing to do with this problem, don't worry about it.
Apple Developer Program License AgreementThis is the updated terms, from March 01st, 2017. No changes related to javascript code update 👍
|
|
Good news! My app just passed the review 5 minutes ago. And it contains the 'code-push'. BTW, I don‘t use JSPatch or Bugtags. |
|
Anyone here using CodePush and had issues with Review ? I am the CodePush PM, so would like to know more if you have run into issues. |
|
@axemclion @tdzl2003 CoduRush is also change the App's behavior out of Apple's review. |
|
@pinguo-gaoshan While CodePush may be misused to change app's behavior, it still cannot load private frameworks or expose private methods other than the ones ReactNative already exposes. Not all the clauses in that rejection apply to CodePush. |
|
@axemclion I agree, but Apple can't distinguish the way developers using CodeRush, so it's bad they all disable these functions, and do not allow new version submit to app store. |
|
@pinguo-gaoshan it's a possibility that Apple follow this path in the future, but right now apparently code push continues to be accepted. |
|
@pinguo-gaoshan Note that the rejection explicitly calls out methods that they are concerned about. React Native does not dynamically inject into any of those methods. |
|
@axemclion I published a brand new app written in React Native with Code Push yesterday without any rejection, and I've made a new version which is still waiting for review, I haven't received any warning email from Apple |
|
FYI, given the high visibility and uncertainty around this issue, we are actively using the moderation tools in order for it to remain useful. Please try to only reply if you have concrete information around the subject. Thanks! |
|
It seems that only Chinese developers received this warning email. Do other parts of the world have the same email? |
|
Ok i noticed on the guidelines, they removed the word |
|
@pvenkatakrishnan Your link was published at 2014 |
|
@huhuanming I believe so, some developers using a library called Rollout received an email. It could be that many Chinese apps use JSPatch, another library used by people who received an email. (Incidentally, both of those libraries were covered by FireEye with regard to security: https://www.fireeye.com/blog/threat-research/2016/04/rollout_or_not_the.html) @pvenkatakrishnan As @Pikaurd says, that is a very old agreement. The latest one for 2017 (http://adcdownload.apple.com/Documentation/License_Agreements__Apple_Developer_Program/Apple_Developer_Program_License_Agreement_20170227.pdf) has the same language as 2015 and 2016 and mentions JavascriptCore. |
|
From reading the message from Apple and the data points we've observed, this warning is not about React Native. On the technical concern of dynamically executing Objective-C described in Apple's email:
On the strategy of calling native code from JavaScript:
Data pointsThe developers who received this email were using Rollout or JSPatch in their apps. People who are using only React Native or libraries/frameworks like CodePush and Expo are not affected and are continuing to have their apps accepted by the App Store review. RecommendationsIf you're writing a React Native or WebView app, be sure not to expose dynamic, uncontrolled access to native APIs and you should be OK. There was one third-party RN module that did this and the maintainers have taken it down. And in accordance with the iOS developer terms, make sure your updates don't change the primary purpose of your app and that the changes are consistent with the intended and advertised purpose of your app. -- James |
ide
changed the title
I received a warning from Apple this morning , how to solve it :
Dear Developer,
Your app, extension, and/or linked framework appears to contain code designed explicitly with the capability to change your app’s behavior or functionality after App Review approval, which is not in compliance with section 3.3.2 of the Apple Developer Program License Agreement and App Store Review Guideline 2.5.2. This code, combined with a remote resource, can facilitate significant changes to your app’s behavior compared to when it was initially reviewed for the App Store. While you may not be using this functionality currently, it has the potential to load private frameworks, private methods, and enable future feature changes.
This includes any code which passes arbitrary parameters to dynamic methods such as dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations(), and running remote scripts in order to change app behavior or call SPI, based on the contents of the downloaded script. Even if the remote resource is not intentionally malicious, it could easily be hijacked via a Man In The Middle (MiTM) attack, which can pose a serious security vulnerability to users of your app.
Please perform an in-depth review of your app and remove any code, frameworks, or SDKs that fall in line with the functionality described above before submitting the next update for your app for review.
Best regards,
The text was updated successfully, but these errors were encountered: