Message from Apple Review...

Just got this message for a few of my apps that are live in the app store (and have been for years).


"Your app, extension, and/or linked framework appears to contain code designed explicitly with the capability to change your app’s behavior or functionality after App Review approval, which is not in compliance with section 3.3.2 of the Apple Developer Program License Agreement and App Store Review Guideline 2.5.2. This code, combined with a remote resource, can facilitate significant changes to your app’s behavior compared to when it was initially reviewed for the App Store. While you may not be using this functionality currently, it has the potential to load private frameworks, private methods, and enable future feature changes.

This includes any code which passes arbitrary parameters to dynamic methods such as dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations(), and running remote scripts in order to change app behavior or call SPI, based on the contents of the downloaded script. Even if the remote resource is not intentionally malicious, it could easily be hijacked via a Man In The Middle (MiTM) attack, which can pose a serious security vulnerability to users of your app.

Please perform an in-depth review of your app and remove any code, frameworks, or SDKs that fall in line with the functionality described above before submitting the next update for your app for review."


I'm not sure what they are referring to, or how to resolve this issue. I am guessing there will be a swarm of these posts coming from affected developers. Does anyone have ideas what would cause this & how to resolve? I dont even know where to start...

Replies

Are you using Rollout.io? I'm getting the same message. Trying to figure out what it is. Rollout.io is the closest thing.

Yes. I contacted them and they are looking into it. It may be with their javascript. Hopefully not. it's a great service.

we got this message too, please advice us how to fix this😢

We do have Rollout.io integration in the app which is probably the reason we're getting this message.

We got this message too, and we also have Rollout SDK in our project, though we are not using it. And do you guys see para 2?


This includes any code which passes arbitrary parameters to dynamic methods such as dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations(), and running remote scripts in order to change app behavior or call SPI, based on the contents of the downloaded script.


Does it means we can't use these methods anymore? Especially respondsToSelector and performSelector, they are quite useful. 😟

No, the key is "passes arbitrary parameters".


Calling performSelector() with a valid selector to your own code which is known at compile-time by Xcode is part of ordinary Objective-C programming and I don't think Apple would have any intent to remove it.


Calling performSelector with a selector you construct at runtime could be used to call private framework methods or other things that Apple don't like (and which have always been against the app review rules).

I'm guessing this restriction is to stop you bypassing a static scan for private framework selectors and suchlike.

I'm pretty confident Apple is not going to outright ban method calls such as

respondsToSelector:

or

performSelector:

. The important part is "passes arbitrary parameters to dynamic methods". Don't do that with code downloaded dynamically (i.e. via Javascript from the internet) and you'll be fine.

I wonder if this is targeted also at frameworks like MeteorJS and Ionic that allow for your WebView based apps to be updated without review. That always seemed like a pretty pourus (but convienent) solution for app updates.

I also receive this message from apple. And just use framwork of mixpannel to collect app log, I am not sure is this the same issure

What about React Native apps?

Not sure what Rollout can do to "fix" this. It seem pretty clear that Rollout's functionality is explicitly not allowed by Apple.

This message worries me slightly, as all our applications make use of a library that relies on method_exchangeImplementations(), however merely for extending the functionality of some classes, nothing like injecting code from a remote resource as rollout.io is doing.


App Store Review Guideline 2.5.2 states the following:

2.5.2 Apps should be self-contained in their bundles, and may not read or write data outside the designated container area, nor may they download, install, or execute code, including other iOS, watchOS, macOS, or tvOS apps.


So applications that have a valid use for dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations() should not be affected by this I hope?

You can start by figuring out which functionality or behaviour of your app and/or the frameworks your are using could cause this.

You are the person who knows your product and code.

You did not even posted minimum information about your product behaviour and libraries you've used.

This is like asking random persons "why my car engine is not starting" and you'de expect the solution right away.

Apparantly the obvious cause would be rollout.io and they noticed that they are working on a fix for this, so until then you are probably stuck.

Rollout is one thing; performSelector is another. I wish Apple's description of the issue were a little clearer about this. If we can't use performSelector that's going to be a challenge. What could be meant by "arbitrary parameters"? Is the "and" in


"... includes any code which passes arbitrary parameters to dynamic methods ..., *and* running remote scripts"


just a continuation of banned things, or is it a boolean and, so you can do all the former as long as you're not running remote scripts?

So as useful as Rollout.io is for those using it, it's a violation of the app review guidelines. I looked at it when it came out and decided not to get involved partly to avoid buying myself what I thought of as future trouble.


App review guidelines:


2.5.2 Apps should be self-contained in their bundles, and may not read or write data outside the designated container area, nor may they download, install, or execute code, including other iOS, watchOS, macOS, or tvOS apps.


The "download" part if that is what Rollout.io does.