Message from Apple Review...

Just got this message for a few of my apps that are live in the app store (and have been for years).


"Your app, extension, and/or linked framework appears to contain code designed explicitly with the capability to change your app’s behavior or functionality after App Review approval, which is not in compliance with section 3.3.2 of the Apple Developer Program License Agreement and App Store Review Guideline 2.5.2. This code, combined with a remote resource, can facilitate significant changes to your app’s behavior compared to when it was initially reviewed for the App Store. While you may not be using this functionality currently, it has the potential to load private frameworks, private methods, and enable future feature changes.

This includes any code which passes arbitrary parameters to dynamic methods such as dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations(), and running remote scripts in order to change app behavior or call SPI, based on the contents of the downloaded script. Even if the remote resource is not intentionally malicious, it could easily be hijacked via a Man In The Middle (MiTM) attack, which can pose a serious security vulnerability to users of your app.

Please perform an in-depth review of your app and remove any code, frameworks, or SDKs that fall in line with the functionality described above before submitting the next update for your app for review."


I'm not sure what they are referring to, or how to resolve this issue. I am guessing there will be a swarm of these posts coming from affected developers. Does anyone have ideas what would cause this & how to resolve? I dont even know where to start...

Replies

Hello everyone,


I think you should know about this : https://9to5mac.com/2017/03/07/apple-cracks-down-on-hot-push-code-sdks/
So, If your app is live on store then you should contact to your SDK provider and ask for solution. They might contact to Apple Inc. and find some better support.

Have there been any reports of this affecting reactnative apps?

Does caused by [*** performSelector:NSSelectorFromString([NSString stringWithFormat:@"%@",@"********"])]?

we think we might have just been hit by this - we use a 3rd party lib that has react native in it + as far as we can tell is the most likely source of the issue

From the React Native github issues;

3.3.2 of Apple Developer Program License:

An Application may not download or install executable code. Interpreted
code may only be used in an Application if all scripts, code and interpreters are
packaged in the Application and not downloaded. The only exception to the
foregoing is scripts and code downloaded and run by Apple's built-in WebKit
framework or JavascriptCore, provided that such scripts and code do not change
the primary purpose of the Application by providing features or functionality that are
inconsistent with the intended and advertised purpose of the Application as
submitted to the App Store.

explicitly mentions that:

An Application may not download or install executable code

React Native does none of these. And so, using React Native doesn't expose you to the aforementioned issue.

method_exchangeImplementations() is the basis of method swizzling. It is used by every major library (AFNetworking, analytics, growth marketing, crash management sdks, growth automation) and many apps. Apps that have a valid use of method_exchangeImplementations() aren't affected.


I don't thing Apple is going to break this. Changing behavior of app using JavaScriptCore and executing javascript that is downloaded and executed is at risk of man in the middle attack.


If you look at the timing of this change, it points to CIA Wikileaks earlier that day... I believe on March 7


I am not a security expert, but I think Apple should allow javascript downloads over TLS / HTTPS, require Strict-Transport-Security header, use certificates to establish trust, and establish explicit trust between the app and the javascript source.


We have seen improvements when we moved "Beyond Deep Linking" to iOS Universal Links (and Android App Links), where, the website uses apple-app-site-association in the .well-known subfolder of website and the app has to add the applinks in the app capabilities section in Xcode.

What about react native apps that use a service like code push. With a service like that in theory you could completely change the app functionally. We use apps that use code push and while we don't ever change app functionality using code push, we have fixed a few critical bugs and pushed it immediately to clients. It's very concerning as to what exactly this could apply to.

Which SDK? Could you specify.

I don't know, that response sounds a little like whistling past the graveyard. While React Native may not have been intended for the same purpose as Rollout.io, it is certainly possible to use it that way.


In fact, it is one of the touted "benefits" of RN, as explicitly called out by some users. Note the quote from this blog post https://www.aerofs.com/blog/reactnativeautoupdater-dynamic-updates-to-react-native-apps/


"Technically, we can ship a React Native app with no Javascript code, and point it to a URL on the server on the internet. That would be just like how the dev environment works. The problem with that is that JS-bundles tend to be very big. A simple app can easily run into a couple of megabytes. Wasting the time and bandwidth to download them every time the app runs is clearly not an ideal way of doing things.


"Luckily, this is super easy to solve. We can ship the app with an initial JS-bundle, and check for updates in the background after the app starts."


I wouldn't be shocked to see RN come under scrutiny in the future (in fact, I'd go so far as to say is *should* come under scrutiny).

Skillz eSports SDK.


Outside of std ios frameworks we have a couple of ad providers (AdMob, Applovin) and facebook analytics. None of these seem very likely candidates. We definately dont do any of the 'failure' things in our main app code.


The frustrating part is there does not seem to be any way or any tools to actually determine which frameworks might be causing the issue - as far as we can tell the only way to find out is to build apps with each of the frameworks removed one at a time and see if Apple accept/reject whcih hardly seems intelligent..

>and see if Apple accept/reject whcih hardly seems intelligent..


This isn't a new situation. Apple tends to keep things vague so they can define/apply on the fly, without being boxed in/dragged into debate ("You didn't explicitly write that I couldn't do this, so get out of my way"), so I don't think there is a solution that favors everyone.

Of course, it leaves devs to poke around in the dark, at least until the dust settles, and some will find it more of a burden than others - welcome to the app store.

As far as we can tell React Native is the issue for us.


What is entirely possible is that the 'forbidden' methods exist within the RN library regardless of whether they get used or not (dont know how intelligent the linkers are for different langs these days). Simply by virtue of the methds existing in the library the app fails whatever testing tool is being used.


So the key is that 'its certainly possible to use it that way' even if no one ever does/did knowingly or otherwise.


Any one any clue as to who/what determines exactly what is considered as "significant changes to your app’s behavior".

As far as we can tell any change at all is considered "signficant".

We just had an app rejected twice based on a minimum functionailty reasoning, we removed Code-Push and the app was approved??

My app was rejected

techrul.com