microsoft / react-native-code-push

React Native module for CodePush
http://appcenter.ms

App Store Rejected - Guideline 2.3.1 - Performance #2680

Closed dudu-hinet closed 2 months ago

dudu-hinet commented 6 months ago

Steps to Reproduce

  1. Submitted to App Store Connect

Actual Behavior

Rejected with:

Guideline 2.3.1 - Performance

The app contains hidden features.

Next Steps

  • Learn more about accurate metadata requirements in guideline 2.3.1.
  • Revise the app to follow these requirements.
  • Once the app is fully compliant, resubmit the app for review.

Reproducible Demo

CodePush.js:

import CodePush, { DownloadProgress, LocalPackage, RemotePackage } from "react-native-code-push";
CodePush.allowRestart();
export const upgrade = () => {
    CodePush.sync({
        deploymentKey: "CodePushKey",
        installMode: CodePush.InstallMode.IMMEDIATE
    }, (status: CodePush.SyncStatus) => {
        // sync status handler (body omitted in the original)
    }, (progress: DownloadProgress) => {
        // download progress handler (body omitted in the original)
    }, (update: RemotePackage) => {
        // binary version mismatch handler (body omitted in the original)
    });
}

The binary does not actually go through an upgrade, since it is already the latest version.

Environment

(The more info the faster we will be able to address it!) I removed all CodePush packages and re-submitted, and it passed. I wonder whether Apple does not accept CodePush at all, without giving any clue.

dudu-hinet commented 5 months ago

Apple reply with more information:

Guideline 2.5.2 - Performance - Software Requirements

Your app, extension, or linked framework appears to contain code designed explicitly with the capability to change the app’s behavior or functionality after App Review approval.

This code, combined with a remote resource, can facilitate significant changes to the app’s behavior compared to when it was initially reviewed. While you may not be using this functionality currently, it has the potential to load private frameworks, private methods, and enable future feature changes. This includes any code which passes arbitrary parameters to dynamic methods such as dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations(), and running remote scripts in order to change app behavior and/or call SPI, based on the contents of the downloaded script. Even if the remote resource is not intentionally malicious, it could easily be hijacked via a Man In The Middle (MiTM) attack, which can pose a serious security vulnerability to users of the app.

Next Steps

We look forward to reviewing your resubmitted app.

Best regards,

App Review

karam1ashqar commented 4 months ago

@dudu-hinet how did you get them to give you more information? It's been a week and they say "The app contains hidden features.", and I don't even use anything like code-push or something similar.

dudu-hinet commented 4 months ago

I just replied to ask for more information. They would respond in 1 day.

heydavee commented 4 months ago

Did they respond? @dudu-hinet

itheadskm commented 3 months ago

@dudu-hinet any update on this issue?

rhayart commented 3 months ago

Does this mean that we can no longer use Code Push on iOS?

itheadskm commented 3 months ago

Does this mean that we can no longer use Code Push on iOS?

I think so.

pyr0hu commented 3 months ago

Does this mean that we can no longer use Code Push on iOS?

No, the Developer Program License STILL allows interpreted code:

https://developer.apple.com/support/terms/apple-developer-program-license-agreement/#b331

Interpreted code may be downloaded to an Application but only so long as such code: (a) does not change the primary purpose of the Application by providing features or functionality that are inconsistent with the intended and advertised purpose of the Application as submitted to the App Store, (b) does not create a store or storefront for other code or applications, and (c) does not bypass signing, sandbox, or other security features of the OS.

See README.md of the repo.

DmitriyKirakosyan commented 2 months ago

@dudu-hinet, as @pyr0hu mentioned, there have been no changes to the Apple Developer License Agreement, so CodePush is still permitted. Please ensure that you are not using CodePush to make significant changes to your app's behavior or user experience.

Closing this issue.