bang590 / JSPatch

JSPatch bridges Objective-C and JavaScript using the Objective-C runtime. You can call any Objective-C class and method from JavaScript just by including a small engine. JSPatch is generally used to hotfix iOS apps.
MIT License
11.37k stars 2.24k forks

Apple warning email #746

Closed kunwang0916 closed 7 years ago

kunwang0916 commented 7 years ago

Blanket reply: on the Apple warning, see http://blog.cnbang.net/internet/3374/

Reply from @bang590


Received a warning email from Apple today. The app has been using JSPatch for a while, and earlier versions had no problem. Also, this notice did not arrive during review of a submitted update; Apple sent it proactively.

Dear Developer,

Your app, extension, and/or linked framework appears to contain code designed explicitly with the capability to change your app’s behavior or functionality after App Review approval, which is not in compliance with section 3.3.2 of the Apple Developer Program License Agreement and App Store Review Guideline 2.5.2. This code, combined with a remote resource, can facilitate significant changes to your app’s behavior compared to when it was initially reviewed for the App Store. While you may not be using this functionality currently, it has the potential to load private frameworks, private methods, and enable future feature changes.

This includes any code which passes arbitrary parameters to dynamic methods such as dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations(), and running remote scripts in order to change app behavior or call SPI, based on the contents of the downloaded script. Even if the remote resource is not intentionally malicious, it could easily be hijacked via a Man In The Middle (MiTM) attack, which can pose a serious security vulnerability to users of your app.

Please perform an in-depth review of your app and remove any code, frameworks, or SDKs that fall in line with the functionality described above before submitting the next update for your app for review.

Best regards,

App Store Review


zhiyfly commented 7 years ago

Following.

ghost commented 7 years ago

I integrated it, but never actually used it.

On 2017-03-08 10:26, Peter.Zheng wrote:

Has anyone using RN or Weex received one?

mgttt commented 7 years ago

```objc
#import <Foundation/Foundation.h>
#import <UIKit/UIKit.h>
#import <JavaScriptCore/JavaScriptCore.h>

// Base helpers (class methods; they belong inside an @implementation, which the post omits)
+ (NSString *)btoa:(NSString *)s
{
    // Create NSData object
    NSData *nsdata = [s dataUsingEncoding:NSUTF8StringEncoding];

    // Get NSString from NSData object in Base64
    NSString *base64Encoded = [nsdata base64EncodedStringWithOptions:0];

    // Print the Base64 encoded string
    NSLog(@"Encoded: %@", base64Encoded);
    return base64Encoded;
}

+ (NSString *)base64encode:(NSString *)s
{
    return [self btoa:s];
}

+ (NSString *)atob:(NSString *)s
{
    // NSData from the Base64 encoded str; nil if the input is not valid Base64
    NSData *nsdataFromBase64String = [[NSData alloc] initWithBase64EncodedString:s options:0];
    if (nsdataFromBase64String == nil) {
        return nil;
    }

    // Decoded NSString from the NSData
    NSString *base64Decoded = [[NSString alloc] initWithData:nsdataFromBase64String
                                                    encoding:NSUTF8StringEncoding];
    //NSLog(@"Decoded: %@", base64Decoded);
    return base64Decoded;
}

+ (NSString *)base64decode:(NSString *)s
{
    return [self atob:s];
}

+ (JSContext *)getWebViewJsCtx:(UIWebView *)_webview
{
    // private API: the KVC path is stored as two Base64 halves and joined at runtime
    NSString *s1 = [self atob:@"ZG9jdW1lbnRWaWV3LndlYlZpZXc="];
    NSString *s2 = [self atob:@"Lm1haW5GcmFtZS5qYXZhU2NyaXB0Q29udGV4dA=="];
    return [_webview valueForKeyPath:[s1 stringByAppendingString:s2]];
}

// Call a zero-argument instance method by selector name
+ (void)call_o_do_m:(id)ooo :(NSString *)mmm
{
    SEL sel = NSSelectorFromString(mmm);
    if ([ooo respondsToSelector:sel]) {
        ((void (*)(id, SEL))[ooo methodForSelector:sel])(ooo, sel);
    }
}

// Call a zero-argument class method by class name and selector name
+ (void)call_c_do_m:(NSString *)ccc :(NSString *)mmm
{
    Class cls = NSClassFromString(ccc);
    SEL sel = NSSelectorFromString(mmm);

    if ([(id)cls respondsToSelector:sel]) {
        ((void (*)(id, SEL))[cls methodForSelector:sel])(cls, sel);
    }
}

// Same, with one NSString argument
+ (void)call_c_do_m_1:(NSString *)ccc :(NSString *)mmm :(NSString *)vvv
{
    Class cls = NSClassFromString(ccc);
    SEL sel = NSSelectorFromString(mmm);

    if ([(id)cls respondsToSelector:sel]) {
        ((void (*)(id, SEL, NSString *))[cls methodForSelector:sel])(cls, sel, vvv);
    }
}
```

Rough example:

```objc
// private API: class and selector names are Base64 literals, decoded right before the call
[self call_c_do_m_1:[self atob:@"V0tCcm93c2luZ0NvbnRleHRDb250cm9sbGVy"]
                   :[self atob:@"cmVnaXN0ZXJTY2hlbWVGb3JDdXN0b21Qcm90b2NvbDo="]
                   :@"local"];
```
xks19943 commented 7 years ago

Developer conference?

bhltyou commented 7 years ago

@wanjochan After using this approach, you did not receive one?

hanhailong commented 7 years ago

The Android crowd is watching the livestream intently...

cdpenggod commented 7 years ago

mark

BestKai commented 7 years ago

+1, continuing to follow

TrustDec commented 7 years ago

react-native-pushy has the same problem; is anyone using it?

ericzhou2008 commented 7 years ago

Has anyone figured out the cause? My app was rejected too. We use JSPatch and React-Native; if these two technologies can't be used, how many apps won't be able to ship? QQ and the other Tencent apps use Lua to hotfix, and WeChat is the publisher of JSPatch itself.

linkdrone commented 7 years ago

Are apps developed with ReactNative affected?

lynn87 commented 7 years ago

Stuck, huh.

MiniJoshua commented 7 years ago

With this move, some big companies are going to be in trouble. What about WeChat mini programs? What about RN?

bhltyou commented 7 years ago

I'd like to know whether Lua users have this problem.

mgttt commented 7 years ago

Let me explain: the main point of my example is that before calling hidden APIs, you use some method to cut up the keywords and encode them, then decode them again right when you need them. I learned this approach from sites outside China; I had been thinking about this risk ever since I understood how JSPatch works. This approach can basically defeat Apple's code scanning. But everyone should still avoid hidden APIs as much as possible going forward, because sooner or later Apple will modify their API code on their test devices to determine whether you are calling them. This approach probably only buys some more time.
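Apple's email above lists the dynamic-dispatch entry points its review looks for, and mgttt's snippet shows the counter-move: keep the class, selector and KVC-path strings as Base64 literals so the private names never appear in cleartext. The script below is an added example (not code from JSPatch, Apple or any commenter, and Apple's real scanner is not public) of what a string-level scan on the reviewing side sees with and without that trick. The symbol list is taken from the email; the private API markers are only the names that the Base64 literals in mgttt's snippet decode to; `SAMPLE_BINARY` is a constructed stand-in for a Mach-O string table, not taken from any real app.

```python
import base64
import re

# Dynamic-dispatch entry points named in Apple's warning email.
DYNAMIC_DISPATCH = (
    b"dlopen",
    b"dlsym",
    b"respondsToSelector:",
    b"performSelector:",
    b"method_exchangeImplementations",
)

# Private API names: only what the Base64 literals in mgttt's snippet decode to.
# The KVC path is split in two there (s1 + s2), so both halves are listed.
PRIVATE_API_MARKERS = (
    "WKBrowsingContextController",
    "registerSchemeForCustomProtocol:",
    "documentView.webView",
    ".mainFrame.javaScriptContext",
)

# Runs of printable ASCII, like the `strings` tool (4-byte minimum).
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")
# Candidate Base64 literal: Base64 alphabet, at least 12 chars, optional padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{12,}={0,2}$")

# Constructed stand-in for a Mach-O string table (NUL-separated, as __cstring and
# __objc_methname are). Assumption for the example; not taken from any real app.
SAMPLE_BINARY = (
    b"\x00__TEXT\x00dlopen\x00dlsym\x00performSelector:\x00respondsToSelector:\x00"
    b"V0tCcm93c2luZ0NvbnRleHRDb250cm9sbGVy\x00"
    b"cmVnaXN0ZXJTY2hlbWVGb3JDdXN0b21Qcm90b2NvbDo=\x00"
    b"ZG9jdW1lbnRWaWV3LndlYlZpZXc=\x00"
    b"Lm1haW5GcmFtZS5qYXZhU2NyaXB0Q29udGV4dA==\x00"
    b"NSClassFromString\x00NSSelectorFromString\x00UIWebView\x00"
)


def extract_strings(blob: bytes) -> list:
    """Return every run of printable ASCII of at least 4 bytes, in file order."""
    return [m.group().decode("ascii") for m in STRING_RE.finditer(blob)]


def decode_if_base64(s: str):
    """Decode s when it is well-formed Base64 of printable ASCII; otherwise return None.

    Ordinary identifiers that happen to use only the Base64 alphabet
    (e.g. NSSelectorFromString) drop out here because they decode to non-ASCII bytes.
    """
    if len(s) % 4 != 0 or not B64_RE.match(s):
        return None
    try:
        raw = base64.b64decode(s, validate=True)
        text = raw.decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def scan(blob: bytes) -> dict:
    """Classify what a string-level scan of `blob` would see.

    dynamic_dispatch   : names from Apple's list present verbatim
    private_api_plain  : strings containing a private API marker in cleartext
    private_api_base64 : (literal, decoded) pairs where a Base64 literal hides a marker
    """
    findings = {"dynamic_dispatch": [], "private_api_plain": [], "private_api_base64": []}
    for sym in DYNAMIC_DISPATCH:
        if sym in blob:
            findings["dynamic_dispatch"].append(sym.decode("ascii"))
    for s in extract_strings(blob):
        if any(marker in s for marker in PRIVATE_API_MARKERS):
            findings["private_api_plain"].append(s)
            continue
        decoded = decode_if_base64(s)
        if decoded is not None and any(marker in decoded for marker in PRIVATE_API_MARKERS):
            findings["private_api_base64"].append((s, decoded))
    return findings


if __name__ == "__main__":
    for kind, hits in scan(SAMPLE_BINARY).items():
        print(kind)
        for hit in hits:
            print("   ", hit)
```

Two things this makes visible. The verbatim `respondsToSelector:` and `performSelector:` hits are present in almost every Objective-C binary, so that bucket alone is noise; what the email actually objects to is arbitrary, remotely supplied arguments to those calls, which no string scan can see. The Base64 bucket is where mgttt's trick surfaces: as soon as a scanner tries decoding well-formed Base64 literals, the private names reappear, which is why his own follow-up says the trick only buys time.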

wenzhaot commented 7 years ago

It's time to take action.

TrustDec commented 7 years ago

Comrades, can we set up a QQ group: 416952029

git4jwb commented 7 years ago

Marking this, will keep tracking.

One1Light commented 7 years ago

Native developers will be laughing now; RN and Weex are crying hard.

iOSQiao commented 7 years ago

Waiting for a solution.

yanglfree commented 7 years ago

Looks like nobody here has enough work to do.

IOSLZZ commented 7 years ago

Leaving my name before this thread blows up.

qtdc1229 commented 7 years ago

Our company received the warning too.

BrikerMan commented 7 years ago

Received, +1

asasdasasd commented 7 years ago

up up

JasonXue commented 7 years ago

This thread keeps getting longer... Could Apple retract this decision?

openfe-openfe commented 7 years ago

What about Taobao? A huge number of Taobao modules are Weex.

wzshare commented 7 years ago

Received two warnings; we use JSPatch.

huipengo commented 7 years ago

Received the email as well~

chenxin920 commented 7 years ago

Is Apple planning to kill WeChat?

KoMiles commented 7 years ago

Watching closely.

comlog commented 7 years ago

Apple is promoting native development with this; I actually think it protects us iOS developers. Opportunity and challenge go together.

xiaobt commented 7 years ago

Could it be that Apple is worried native developers can't find work and is giving us a hand?

wenzhaot commented 7 years ago

Getui seems to use JSPatch.

eddy201212 commented 7 years ago

We use jspatch and RN, no notification so far.

TrustDec commented 7 years ago

Anyone using weex or RN who received the email warning, come to QQ group 416952029 and share.

ghost commented 7 years ago

My classmate didn't use JSPatch and still received one...

fanqie commented 7 years ago

Great, Apple is finally going under. First time I've seen someone dig their own grave. Keep it up 🍎

jiantao88 commented 7 years ago

mark

lingaoo commented 7 years ago

But JSPatch really can bypass review, call private APIs, and so on.

coofee commented 7 years ago

If RN can't be used to develop for iOS, it's as good as dead.

dominic-lian commented 7 years ago

mark

Freeza91 commented 7 years ago

Here to watch.

Jinzhengxuan commented 7 years ago

We use JSPatch, no email so far.

peifeiyang commented 7 years ago

Watching.

guiyongdong commented 7 years ago

Continuing to follow.

mgttt commented 7 years ago

Essentially this has nothing to do with JSPatch. Basically anyone who uses private APIs will run into it; it's only a matter of time. Obfuscating the code only buys some more time. Hybrid architectures won't get far in the end.

Fanccc commented 7 years ago

I'm still learning RN, don't do this to me.

geteng commented 7 years ago

Is Apple trying to kill JS?