美文网首页
Apple向热更新下达最后通牒

Apple向热更新下达最后通牒

作者: 符武 | 来源:发表于2017-03-08 16:03 被阅读118次

    之前开发者都收到了苹果2017年的新开发者审核协议更新通知。

    2017年3月8...注意..是女神节这天。大量开发者收到了被拒绝 被警告的邮件,内容如下:

    Dear Developer,

    Your app, extension, and/or linked framework appears to contain code designed explicitly with the capability to change your app’s behavior or functionality after App Review approval, which is not in compliance with section 3.3.2 of the Apple Developer Program License Agreement and App Store Review Guideline 2.5.2. This code, combined with a remote resource, can facilitate significant changes to your app’s behavior compared to when it was initially reviewed for the App Store. While you may not be using this functionality currently, it has the potential to load private frameworks, private methods, and enable future feature changes.

    This includes any code which passes arbitrary parameters to dynamic methods such as dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations(), and running remote scripts in order to change app behavior or call SPI, based on the contents of the downloaded script. Even if the remote resource is not intentionally malicious, it could easily be hijacked via a Man In The Middle (MiTM) attack, which can pose a serious security vulnerability to users of your app.

    Please perform an in-depth review of your app and remove any code, frameworks, or SDKs that fall in line with the functionality described above before submitting the next update for your app for review.

    Best regards,

    App Store Review

    苹果审核协议中有这样一节:

    Apple Developer Program License Agreement

    3.3.2 An Application may not download or install executable code. Interpreted code may only be

    used in an Application if all scripts, code and interpreters are packaged in the Application and not

    downloaded. The only exception to the foregoing is scripts and code downloaded and run by Apple's builtin WebKit framework, provided that such scripts and code do not change the primary purpose of the Application by providing features or functionality that are inconsistent with the intended and advertised purpose of the Application as submitted to the App Store.

    App Store Review Guideline

    2.5.2 Apps should be self-contained in their bundles, and may not read or write data outside the designated container area, nor may they download, install, or execute code, including other iOS, watchOS, macOS, or tvOS apps.

    随后JSPatch群里 ,github上都炸了锅 :https://github.com/bang590/JSPatch/issues/746

    react-native 的情况:https://github.com/facebook/react-native/issues/12778

    Weex ::https://github.com/alibaba/weex/issues/2875

    为什么突然爆发

    突然爆发并非偶然,苹果的审核指南一直明确,禁止下载可执行代码,虽然JSPatch等库使用了JavaScriptCore来巧妙的实现,但也不是长久之计,很多开发者不自觉的使用其来下发私有方法等等行为迟早会被苹果发现。也极大的威胁到了极其注重安全的苹果

    再有就是一切涉及到网络的都会有安全的风险

    还有一个有意思的事实,昨天VS2017发布,号称内置iOS模拟器,直接开发React Native:

    总结下波及到的库

    rollout,react native,weex,JSPatch,bugtags,个推 ,bugly with hotfix

    为什么没使用热更新会收到邮件

    个人认为苹果是批量扫描runtime并且群发的,苹果没办法批量检测remote script(远程脚本下载)

    所以机智的检测热更新可能使用到的runtime方法,比如method_exchangeImplementations。这样基本全覆盖了那些使用热更新的APP。

    警告"下载脚本代码且使用runtime方法实现的的APP"下一个版本改掉,如果不改。有可能被下架被拒绝上架。

    JSPatch是"下载脚本代码且使用runtime",并不是针对JSPatch一个库

    rollout,react native,weex都会有这种提示。

    bugtags ,个推 这种看似没有热更新的其实内部集成了JSPatch等库,也会有这种提示

    Runtime不能继续用了?

    个人认为原生代码中使用runtime还是没问题,只是为了提醒那些使用了runtime并且下载远程脚本改变app行为的人。

    如果苹果把runtime变成私有方法或去掉.那么Objective-C的优势大大的没有了.....

    文章出处(http://www.skyfox.org/apple-2017-hot-patch.html)

    相关文章

      网友评论

          本文标题:Apple向热更新下达最后通牒

          本文链接:https://www.haomeiwen.com/subject/mxwbgttx.html