Apple issues an ultimatum on hot updates

Developers had all previously received Apple's notice of the updated 2017 Developer Program License Agreement.

On March 8, 2017 (note: International Women's Day), a large number of developers received rejection or warning emails that read as follows:


Dear Developer,

Your app, extension, and/or linked framework appears to contain code designed explicitly with the capability to change your app’s behavior or functionality after App Review approval, which is not in compliance with section 3.3.2 of the Apple Developer Program License Agreement and App Store Review Guideline 2.5.2. This code, combined with a remote resource, can facilitate significant changes to your app’s behavior compared to when it was initially reviewed for the App Store. While you may not be using this functionality currently, it has the potential to load private frameworks, private methods, and enable future feature changes.

This includes any code which passes arbitrary parameters to dynamic methods such as dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations(), and running remote scripts in order to change app behavior or call SPI, based on the contents of the downloaded script. Even if the remote resource is not intentionally malicious, it could easily be hijacked via a Man In The Middle (MiTM) attack, which can pose a serious security vulnerability to users of your app.

Please perform an in-depth review of your app and remove any code, frameworks, or SDKs that fall in line with the functionality described above before submitting the next update for your app for review.

Best regards,

App Store Review


The Apple license agreement and review guidelines contain the following sections:

Apple Developer Program License Agreement

3.3.2 An Application may not download or install executable code. Interpreted code may only be used in an Application if all scripts, code and interpreters are packaged in the Application and not downloaded. The only exception to the foregoing is scripts and code downloaded and run by Apple's built-in WebKit framework, provided that such scripts and code do not change the primary purpose of the Application by providing features or functionality that are inconsistent with the intended and advertised purpose of the Application as submitted to the App Store.

App Store Review Guideline

2.5.2 Apps should be self-contained in their bundles, and may not read or write data outside the designated container area, nor may they download, install, or execute code, including other iOS, watchOS, macOS, or tvOS apps.

隨后JSPatch群里 ,github上都炸了鍋 :https://github.com/bang590/JSPatch/issues/746

react-native 的情況:https://github.com/facebook/react-native/issues/12778

Weex ::https://github.com/alibaba/weex/issues/2875

Why did it erupt all at once?

The sudden crackdown is no accident. Apple's review guidelines have always clearly prohibited downloading executable code. Although libraries such as JSPatch cleverly implemented this through JavaScriptCore, that was never a long-term solution: many developers casually used it to push down calls to private methods and the like, and Apple was bound to notice sooner or later. It also posed a serious threat to an Apple that places extreme weight on security.

Beyond that, anything that involves the network carries security risk.

There is also an interesting fact: VS2017 was released yesterday, claiming a built-in iOS simulator for developing React Native directly:

Summary of the libraries affected

Rollout, React Native, Weex, JSPatch, Bugtags, Getui (个推), Bugly with hotfix

Why did apps that do not use hot updates receive the email?

My view is that Apple scanned binaries for runtime usage in bulk and mass-mailed the results; Apple has no way to detect remote script downloads in bulk.

So it cleverly detects the runtime methods that hot updating is likely to use, such as method_exchangeImplementations. That essentially covers every app that uses hot updates.
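A local pre-submission audit in the spirit of the scan described above, added here as an example (it is not from the original post or from any of the libraries named): it searches the raw bytes of a built iOS executable for the symbols and selectors listed in Apple's notice. It assumes you point it at the main Mach-O executable inside the .app bundle; the SAMPLE_BINARY blob is constructed for illustration, and this string-level check is a coarse approximation, not Apple's actual scanner.

```python
import re
from pathlib import Path
from typing import Dict, List, Union

# APIs named in Apple's notice, grouped by what they enable.  C functions appear
# in a Mach-O symbol table with a leading underscore; Objective-C selectors
# appear as NUL-terminated strings in the __objc_methname section.
FLAGGED_APIS: Dict[str, List[bytes]] = {
    "dynamic loading": [b"_dlopen", b"_dlsym"],
    "runtime swizzling": [b"_method_exchangeImplementations"],
    "dynamic dispatch": [b"respondsToSelector:", b"performSelector:"],
}

_IDENT = rb"[A-Za-z0-9_$]"


def _pattern(name: bytes) -> "re.Pattern[bytes]":
    # Whole-token match: never let "_dlopen" match inside "_dlopen_preflight".
    # Selectors are bounded by their trailing colon, so "performSelector:"
    # also catches the longer "performSelector:withObject:" family.
    tail = rb"(?!" + _IDENT + rb")" if name.startswith(b"_") else b""
    return re.compile(rb"(?<!" + _IDENT + rb")" + re.escape(name) + tail)


def audit_binary(data: bytes) -> Dict[str, List[str]]:
    """Return {category: [api, ...]} for every flagged API referenced in data."""
    hits: Dict[str, List[str]] = {}
    for category, names in FLAGGED_APIS.items():
        found = [n.decode() for n in names if _pattern(n).search(data)]
        if found:
            hits[category] = found
    return hits


def audit_file(path: Union[str, Path]) -> Dict[str, List[str]]:
    """Audit the raw bytes of a built executable (e.g. Payload/App.app/App)."""
    return audit_binary(Path(path).read_bytes())


# Constructed stand-in for a Mach-O string/symbol table, not a real binary.
SAMPLE_BINARY = (
    b"\xcf\xfa\xed\xfe"                                   # MH_MAGIC_64
    b"\x00__objc_methname\x00init\x00"
    b"performSelector:withObject:\x00respondsToSelector:\x00"
    b"_objc_msgSend\x00_dlsym\x00_dlopen_preflight\x00"
    b"_method_exchangeImplementations\x00"
)

if __name__ == "__main__":
    for category, apis in audit_binary(SAMPLE_BINARY).items():
        print(f"{category}: {', '.join(apis)}")
```

A hit only shows that the API is referenced, which is legitimate in native code; what the reviewer objects to is that reference combined with a downloaded script that decides what gets called.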

Apps that "download script code and use runtime methods to act on it" are warned to fix this in the next version; if they don't, they may be removed from the store or rejected.

JSPatch is a case of "downloading script code and using the runtime"; the action is not aimed at JSPatch alone.

Rollout, React Native and Weex all trigger this notice.

SDKs such as Bugtags and Getui (个推), which appear to have no hot-update capability, actually integrate JSPatch or similar libraries internally, so they trigger the notice too.

Can the runtime no longer be used?

My view is that using the runtime in native code is still fine; the notice is meant to warn those who use the runtime together with downloaded remote scripts to change app behavior.

If Apple made the runtime APIs private or removed them, Objective-C would lose much of its advantage...

Source: http://www.skyfox.org/apple-2017-hot-patch.html

最后編輯于
?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請(qǐng)聯(lián)系作者
【社區(qū)內(nèi)容提示】社區(qū)部分內(nèi)容疑似由AI輔助生成,瀏覽時(shí)請(qǐng)結(jié)合常識(shí)與多方信息審慎甄別。
平臺(tái)聲明:文章內(nèi)容(如有圖片或視頻亦包括在內(nèi))由作者上傳并發(fā)布,文章內(nèi)容僅代表作者本人觀點(diǎn),簡(jiǎn)書系信息發(fā)布平臺(tái),僅提供信息存儲(chǔ)服務(wù)。

相關(guān)閱讀更多精彩內(nèi)容

友情鏈接更多精彩內(nèi)容