Image caption: Apple WWDC 2016

Apple has begun cracking down on app developers who update apps outside of the normal review process, sending reminder messages that it's against the rules. Specifically, Apple says SDKs that allow a developer to fix bugs or other issues without re-submitting to the App Store violate the App Store Review Guidelines, section 2.5.2, which states: “Apps should be self-contained in their bundles, and may not read or write data outside the designated container area, nor may they download, install, or execute code, including other iOS, watchOS, macOS, or tvOS apps.” In its letter to one developer, Apple clarified the issue:
This includes any code which passes arbitrary parameters to dynamic methods such as dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations(), and running remote scripts in order to change app behavior or call SPI, based on the contents of the downloaded script. Even if the remote resource is not intentionally malicious, it could easily be hijacked via a Man In The Middle (MiTM) attack, which can pose a serious security vulnerability to users of your app.
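Apple's letter names the runtime entry points it is looking for, which makes a pre-submission audit straightforward: grep an app's source tree (including any bundled SDK sources) for exactly those calls and review each hit. The scanner below is an added example, not Apple's tooling or anything from Rollout; it runs over constructed sample files embedded inline, skips calls that appear only in trailing `//` comments, and reports file, line and the matched call. The file names and their contents are invented for the example, and a hit means "review this", not "this violates 2.5.2": legitimate apps use respondsToSelector: all the time, and the question is whether the selector or library name came from a downloaded resource.

```python
import re
from typing import Dict, List, Tuple

# The dynamic-dispatch entry points named in Apple's letter. Matching them in
# source is a heuristic that flags call sites for manual review.
DYNAMIC_CALLS = (
    "dlopen(",
    "dlsym(",
    "respondsToSelector:",
    "performSelector:",
    "method_exchangeImplementations(",
)

# Constructed sample sources standing in for files in an app's source tree
# (hypothetical names and contents, not from any real project).
SAMPLE_SOURCES: Dict[str, str] = {
    "AppDelegate.m": """\
#import <dlfcn.h>
// dlopen() is only mentioned in this comment; the scanner must not report it
- (void)applyRemotePatch:(NSDictionary *)patch {
    NSString *selName = patch[@"selector"];     // arbitrary, downloaded over HTTP
    SEL sel = NSSelectorFromString(selName);
    if ([self respondsToSelector:sel]) {
        [self performSelector:sel withObject:patch[@"arg"]];
    }
    void *handle = dlopen("libpatch.dylib", RTLD_NOW);
    void (*fn)(void) = dlsym(handle, "patch_main");
    fn();
}
""",
    "Swizzle.m": """\
#import <objc/runtime.h>
void swizzle(Class cls, SEL a, SEL b) {
    Method ma = class_getInstanceMethod(cls, a);
    Method mb = class_getInstanceMethod(cls, b);
    method_exchangeImplementations(ma, mb);
}
""",
    "Clean.swift": """\
struct Settings: Codable { let theme: String }   // plain data, no code
func apply(_ s: Settings) { print(s.theme) }
""",
}

Finding = Tuple[str, int, str]  # (file name, 1-based line number, matched call)


def strip_line_comment(line: str) -> str:
    """Drop a trailing // comment so commented-out calls are not reported.

    Heuristic only: /* */ block comments and a // inside a string literal
    (e.g. a URL) are not handled, which is acceptable for a review aid.
    """
    idx = line.find("//")
    return line if idx < 0 else line[:idx]


def scan_source(name: str, text: str, patterns=DYNAMIC_CALLS) -> List[Finding]:
    """Return every (file, line, call) hit in one source file, in line order."""
    hits: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        code = strip_line_comment(raw)
        for pat in patterns:
            if pat in code:
                hits.append((name, lineno, pat))
    return hits


def scan_tree(sources: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of file name -> contents; files are visited in sorted order."""
    findings: List[Finding] = []
    for name in sorted(sources):
        findings.extend(scan_source(name, sources[name]))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count hits per dynamic call, useful as a quick before/after metric."""
    counts: Dict[str, int] = {}
    for _, _, pat in findings:
        counts[pat] = counts.get(pat, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_tree(SAMPLE_SOURCES)
    for fname, lineno, call in results:
        print(f"{fname}:{lineno}: review use of {call}")
    print("totals:", summarize(results))
```

On a real tree you would replace SAMPLE_SOURCES with a walk over the project's .m, .mm and .swift files; the more reliable complement is to inspect the linked binary's imports after building, since an SDK shipped as a compiled framework leaves no source to grep.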
The apps made by that developer use an SDK called Rollout, which lets developers fix bugs after deployment, but without
Apple, Security and Rollout
In poking through the comments associated with the letter posted to Apple’s developer forums, it seems this issue is contained to Rollout. So far, we haven’t seen letters sent to developers from Apple regarding other SDKs with similar functionality. Rollout says it’s aware of the problem, and is pursuing a fix. In an emailed statement, CEO Erez Rusovsky stated: “While Apple has not modified its guidelines, it appears that these guidelines are now being interpreted in a more restrictive way.” “We are disappointed that Apple has made this change before we have had an opportunity to address any concerns,” Rusovsky added. “We have already reached out to Apple and are committed to adjusting our offering as needed to remain in compliance under the more restrictive interpretation of the guidelines.” If that wasn't enough, Rusovsky added
The Solution? Swift (and Objective-C)
‘Hot code push’ services are like slingshots full of code lobbed into Apple’s famed walled garden. They were always against the rules; why Apple has decided to enforce it now is beyond our scope, but it shouldn’t be surprising.
Though React Native has a ton of upside, it’s often billed as something that allows developers to update their apps without going through the review process. That’s a touch misleading; it’s actually third-party tools that do that, not React Native itself. Apple isn’t going after a language, just tools that sidestep the rules. This line-in-the-sand from Apple has everything to do with security, and services similar to Rollout should expect the ban-hammer to fall on them, as well. Apple has made efforts to accelerate the app review process, which may have been a precursor to this. (It’s hard to ask developers to use a process that was severely bottlenecked.) The only real solution is Swift, and using Apple’s own services and methodology. Even if Apple launches a safer version of ‘hot code push’ at WWDC, it will undeniably lean into Swift and Objective-C libraries, and encompass Apple’s own best-practices. In the Apple Developer Program License Agreement, section 3.3.2, we get a different take on the kerfuffle regarding Rollout, and where Apple may make concessions down the road for its own tooling:
If something Rollout-ish were to launch at WWDC, it’d have to bring some of the macOS concessions to iOS so developers could roll out non-executable code changes without going through App Store review. It’s not clear where in the sand Apple would draw that particular line, but given the popularity of services that allow continuous integration, it would be welcomed by developers in attendance. But like all things Apple, security won’t take a backseat, even if it means forcing developers to update apps like it’s 2009. Rollout seems to have made some concessions on security, and Apple caught up with it. While handy, those services can lead to exploitation, so it’s best to stick to approved methods – even if they are less exciting.