Description
今天收到Apple的警告邮件。
应用中使用了Weex
- 是否和Weex有关?
- 如果有关请问是否有解决方案。
- 其它开发者最近有收到类似邮件的话,也请分享一下。
苹果相关规则,https://developer.apple.com/terms/
Dear Developer,
Your app, extension, and/or linked framework appears to contain code designed explicitly with the capability to change your app’s behavior or functionality after App Review approval, which is not in compliance with section 3.3.2 of the Apple Developer Program License Agreement and App Store Review Guideline 2.5.2. This code, combined with a remote resource, can facilitate significant changes to your app’s behavior compared to when it was initially reviewed for the App Store. While you may not be using this functionality currently, it has the potential to load private frameworks, private methods, and enable future feature changes.
This includes any code which passes arbitrary parameters to dynamic methods such as dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations(), and running remote scripts in order to change app behavior or call SPI, based on the contents of the downloaded script. Even if the remote resource is not intentionally malicious, it could easily be hijacked via a Man In The Middle (MiTM) attack, which can pose a serious security vulnerability to users of your app.
Please perform an in-depth review of your app and remove any code, frameworks, or SDKs that fall in line with the functionality described above before submitting the next update for your app for review.
Best regards,
App Store Review
Metadata
Metadata
Assignees
Labels
Type
Projects
Milestone
Relationships
Development
Participants
Activity
axl411 commentedon Mar 8, 2017
@coderyi 是否是只使用了 Weex?有使用 JSPatch、RN 或其他已知符合警告中描述行为的 code 吗?
我们的应用是 JSPatch+Weex
coderyi commentedon Mar 8, 2017
@axl411 使用了JSPatch,Weex,代码都是远端下发的,不知道怎么解决
Jinjiang commentedon Mar 8, 2017
我们在保持关注,暂不能断定
fighting300 commentedon Mar 8, 2017
大部分应用一般都混合使用比如 rn jspatch 或者 weex jspatch
cxfeng1-zz commentedon Mar 8, 2017
跟进中,收到警告的同学也检查下是否有使用类似JSPatch的动态部署方案, 目前Weex Playground(只使用了Weex的App)还没有收到警告。
coderyi commentedon Mar 8, 2017
只有下发weex代码才会收警告,本地执行是不会的。
2.5.2 Apps should be self-contained in their bundles, and may not read or write data outside the designated container area, nor may they download, install, or execute code, including other iOS, watchOS, macOS, or tvOS apps.
3.3.2 Except as set forth in the next paragraph, an Application may not download or install
executable code. Interpreted code may only be used in an Application if all scripts, code and
interpreters are packaged in the Application and not downloaded. The only exceptions to the
foregoing are scripts and code downloaded and run by Apple's built-in WebKit framework or
JavascriptCore, provided that such scripts and code do not change the primary purpose of the
Application by providing features or functionality that are inconsistent with the intended and
advertised purpose of the Application as submitted to the App Store.
For macOS Applications submitted to Apple for distribution on the App Store, an Application may
install or run interpreted or executable code (e.g., plug-ins and extensions) for use in conjunction
with the Application only so long as such code: (a) does not change the Application's submitted
binary or would not otherwise be considered an update (as determined in Apple’s sole discretion);
and (b) does not change the primary purpose of the Application by providing features or
functionality that are inconsistent with the intended and advertised purpose of the Application as submitted to the App Store.
totzcc commentedon Mar 8, 2017
mark
shaojiankui commentedon Mar 8, 2017
http://www.skyfox.org/apple-2017-hot-patch.html
fighting300 commentedon Mar 8, 2017
facebook/react-native#12778
geteng commentedon Mar 8, 2017
mark
zhangyanan151 commentedon Mar 8, 2017
mark
zhaiyuyong commentedon Mar 8, 2017
不要玩Weex 快加入饿了么大数据玩spark吧
tuoxie007 commentedon Mar 8, 2017
应该不是技术本身的问题,是使用上尺度太大,审核前后功能差异太大引起的
luoei commentedon Mar 8, 2017
Huang-Libo commentedon Mar 8, 2017
淘宝 APP 不是大量使用了 weex 吗, 难道要全换成原生的?
22 remaining items