A warning from Apple [resolved, not about React Native]

[XHTeng]

I received a warning from Apple this morning , how to solve it :

Dear Developer,

Your app, extension, and/or linked framework appears to contain code designed explicitly with the capability to change your app’s behavior or functionality after App Review approval, which is not in compliance with section 3.3.2 of the Apple Developer Program License Agreement and App Store Review Guideline 2.5.2. This code, combined with a remote resource, can facilitate significant changes to your app’s behavior compared to when it was initially reviewed for the App Store. While you may not be using this functionality currently, it has the potential to load private frameworks, private methods, and enable future feature changes.

This includes any code which passes arbitrary parameters to dynamic methods such as dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations(), and running remote scripts in order to change app behavior or call SPI, based on the contents of the downloaded script. Even if the remote resource is not intentionally malicious, it could easily be hijacked via a Man In The Middle (MiTM) attack, which can pose a serious security vulnerability to users of your app.

Please perform an in-depth review of your app and remove any code, frameworks, or SDKs that fall in line with the functionality described above before submitting the next update for your app for review.

Best regards,

[csbzhixing]

Did anyone receive the warning e-mail?

[tdzl2003]

This includes any code which passes arbitrary parameters to dynamic methods such as dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations(), and running remote scripts

Imported any framework for crash collections?

[linkdrone]

bang590/JSPatch#746 (comment)

[tdzl2003]

I searched in all code of react native, the only risk which contain "arbitrary parameters to dynamic methods" is:

RCTUtils.m Line 337 & 354

[ide]

From the data points I've heard: the developers who received this email were using a patching framework called Rollout.io (discussion here: https://forums.developer.apple.com/thread/73640). So please double-check to see whether your app is using a framework like that. Reading the message carefully, it's not describing React Native nor what React Native does.

Second, make sure that you aren't using custom, third-party React Native modules that call methods like dlopen() and other method calls like the ones listed in the message.

Last, please use the Subscribe button on GitHub if you wish to follow the conversation but don't have something meaningful to contribute. I'd prefer to leave it open but if the discussion isn't productive we'll have to close this issue and perhaps lock it.

Edit: there is also some discussion that the JSPatch library may be triggering this warning. I don't know if that is actually true or not, but please check all of the libraries that you are using in your apps.

[tdzl2003]

I searched in all code of react native, the only risk which may contain "arbitrary parameters to dynamic methods" is:

RCTUtils.m Line 337 & 354

@ide any idea for this? Could we remove or change these code?

[ide]

@tdzl2003 Thanks for providing the file and line numbers -- those functions (RCTSwapClassMethods and RCTSwapInstanceMethods) are used only internally within React Native and are not exposed to JavaScript, for example. The way React Native uses them for swizzling is the same as any other "regular" iOS app would. It's very normal, accepted, and not something to be concerned about.

[grabbou]

3.3.2 of Apple Developer Program License:

An Application may not download or install executable code. Interpreted
code may only be used in an Application if all scripts, code and interpreters are
packaged in the Application and not downloaded. The only exception to the
foregoing is scripts and code downloaded and run by Apple's built-in WebKit
framework or JavascriptCore, provided that such scripts and code do not change
the primary purpose of the Application by providing features or functionality that are
inconsistent with the intended and advertised purpose of the Application as
submitted to the App Store.

explicitly mentions that:

An Application may not download or install executable code

React Native does none of these. And so, using React Native doesn't expose you to the aforementioned issue.

As @ide mentioned, there are reports this message is addressed to those using Rollout.io. My assumption is that it uses aforementioned methods to patch executable code.

With React Native, you can do so called OTA update, but this is updating Javascript, not native code. Whenever native code changes, you have to make a new release. That OTA update of Javascript code is explicitly allowed in the 3.3.2:

The only exception to the foregoing is scripts and code downloaded and run by Apple's built-in WebKit framework or JavascriptCore

I believe everyone should follow up on this issue with Apple and sort out what's exactly causing the warning.

[tdzl2003]

@ide I know they are safe, but maybe apple's automatic check system may still consider a application use both script downloading AND arbitrary parameters to dynamic methods as a risk?

[brunolemos]

TL/DR:

🚫 Problem: Apps with the lib Rollout.io, JSPatch and similars are being rejected because they can dynamically change Swift / Objective-C code without passing through Apple Review process.

⚠️ Libraries like Code Push only updates JavaScript code and were not affected, at least not yet.

✅ React Native has nothing to do with this problem, don't worry about it.

---

Apple Developer Program License Agreement

This is the updated terms, from March 01st, 2017. No changes related to javascript code update 👍

[chevins]

Good news! My app just passed the review 5 minutes ago. And it contains the 'code-push'. BTW, I don‘t use JSPatch or Bugtags.

[axemclion]

Anyone here using CodePush and had issues with Review ? I am the CodePush PM, so would like to know more if you have run into issues.