search

magicalpanda / MagicalRecord

Super Awesome Easy Fetching for Core Data!
Other
10.8k stars 1.79k forks source link

warning: code designed explicitly with the capability to change your app’s behavior or functionality after App Review approval #1292

Closed Coeur closed 7 years ago

Coeur commented 7 years ago

Like many people, I received this today:

Dear Developer,

Your app, extension, and/or linked framework appears to contain code designed explicitly with the capability to change your app’s behavior or functionality after App Review approval, which is not in compliance with section 3.3.2 of the Apple Developer Program License Agreement and App Store Review Guideline 2.5.2. This code, combined with a remote resource, can facilitate significant changes to your app’s behavior compared to when it was initially reviewed for the App Store. While you may not be using this functionality currently, it has the potential to load private frameworks, private methods, and enable future feature changes.

This includes any code which passes arbitrary parameters to dynamic methods such as dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations(), and running remote scripts in order to change app behavior or call SPI, based on the contents of the downloaded script. Even if the remote resource is not intentionally malicious, it could easily be hijacked via a Man In The Middle (MiTM) attack, which can pose a serious security vulnerability to users of your app.

Please perform an in-depth review of your app and remove any code, frameworks, or SDKs that fall in line with the functionality described above before submitting the next update for your app for review.

Best regards,

App Store Review

But I do not use Rollout.io, I do not use JSPatch, I do not use weex: incubator-weex or weex-devtool-iOS, I do not use javascript or javascript frameworks like React Native or Ionic, I do not use any of the quoted methods in my Swift 3 app.

The only dependency that I use with a performSelector in its source is... MagicalRecord. Here is the list of all what I use:

pod 'MagicalRecord', '~> 2.3'
pod 'AFNetworking'
pod 'AdobeMobileSDK', '~> 4.13'
pod 'SSZipArchive', '~> 1.6'
pod 'TSMarkdownParser', :git => 'https://github.com/laptobbe/TSMarkdownParser.git', :branch => '3.x'
pod 'Toaster', '~> 2.0'
pod 'SwiftLint', '~> 0.16'
#(And [OpenEars](https://www.politepix.com/openears/))

Is it possible to provide a version of MagicalRecord without performSelector?

Coeur commented 7 years ago

My apologies. We had a non-pod dependency on Amap that I didn't notice earlier, and Amap just acknowledged using JSPatch.