Apple bans hot updates

by admin on April 17, 2020

Source: the COCOS official WeChat account; author @王哲Walzer

Developers have all received Apple's 2017 notice updating the developer review agreement.

With yesterday's progress across the various communities, the cause behind Apple's hot-update warning e-mails now looks fairly clear.

On March 8, 2017 (note: that was International Women's Day), a large number of developers received rejection or warning e-mails with the following content:

Dear Developer,

Your app, extension, and/or linked framework appears to contain code designed explicitly with the capability to change your app’s behavior or functionality after App Review approval, which is not in compliance with section 3.3.2 of the Apple Developer Program License Agreement and App Store Review Guideline 2.5.2. This code, combined with a remote resource, can facilitate significant changes to your app’s behavior compared to when it was initially reviewed for the App Store. While you may not be using this functionality currently, it has the potential to load private frameworks, private methods, and enable future feature changes.

This includes any code which passes arbitrary parameters to dynamic methods such as dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations(), and running remote scripts in order to change app behavior or call SPI, based on the contents of the downloaded script. Even if the remote resource is not intentionally malicious, it could easily be hijacked via a Man In The Middle (MiTM) attack, which can pose a serious security vulnerability to users of your app.

Please perform an in-depth review of your app and remove any code, frameworks, or SDKs that fall in line with the functionality described above before submitting the next update for your app for review.

Best regards,

App Store Review

Someone with a React Native app passed App Store review just yesterday:

[screenshot]

Although the vast majority of developers in the Cocos community did not receive the warning e-mail, the overall mood is fairly panicked. The good news is that on the Cocos forum a developer reported that his Lua game passed review just yesterday:

[screenshot]

The most complete collection of progress so far is probably this issue in the JSPatch repository:

[screenshot]

There is also a list of the status of fixes for third-party SDKs:

[screenshot]

Apple's review agreement contains this section:

Apple Developer Program License Agreement

3.3.2 An Application may not download or install executable code. Interpreted code may only be used in an Application if all scripts, code and interpreters are packaged in the Application and not downloaded. The only exception to the foregoing is scripts and code downloaded and run by Apple’s builtin WebKit framework, provided that such scripts and code do not change the primary purpose of the Application by providing features or functionality that are inconsistent with the intended and advertised purpose of the Application as submitted to the App Store.

App Store Review Guideline

2.5.2 Apps should be self-contained in their bundles, and may not read or write data outside the designated container area, nor may they download, install, or execute code, including other iOS, watchOS, macOS, or tvOS apps.

The hardest-hit area right now is the two frameworks JSPatch and Rollout.io; it seems 100% of their users received the warning e-mail, with no exceptions.

Rollout.io's CEO tried to whitewash things on Hacker News and got torn apart by countless developers:

[screenshot]

For other frameworks with JS hot-update capability such as React Native and Weex, there has been some discussion in their communities, but it has essentially been ruled out that the frameworks themselves are the cause. The netizen theory I mentioned in yesterday's article, that React Native got caught in the crossfire of an Apple-Microsoft spat, does not seem to hold up. I also contacted 勾三股四 of Alibaba's Weex; on his side there was only some community discussion, and the actual situation is fine. A small number of Cocos developers also received the warning e-mail, but generally because of integrated third-party SDKs such as Umeng (友盟) or Getui (个推), or because they integrated JSPatch directly.

Yesterday the affected companies at home and abroad, such as BugTags, Getui (个推) and AutoNavi (高德), all updated their SDKs or released temporary workarounds. This episode has also been a good test of each middleware company's PR, customer support and engineering strength.

Of course some had a painful time; the React Native maintainers must have been spitting blood yesterday, deleting hundreds of meaningless "mark" and "+1" replies from Chinese developers under that issue. When venturing out, please follow the community's rules of engagement and don't leave a bad collective impression in the international open-source community.

I followed developments all day yesterday, quite worried that Lua and JavaScript users in the Cocos community would be dragged in. Last night I asked around on WeChat among the major studios using Cocos, and the vast majority said "no warning e-mail received, keeping an eye on it". After all, Cocos has a big engine runtime sitting there; however much the Lua and JS scripts are hot-updated, it is hard for them to step outside the API surface the C++ runtime provides and thereby turn into a completely different game.

At this critical juncture I still advise everyone, unless you hit a serious bug you cannot avoid, to use Cocos's hot-update feature sparingly for updating scripts: make a proper release iteration plan, package the scripts together with the C++ runtime, and submit to Apple for review. Using hot update only to download assets is fine.

(By 开源中国)

Afterwards the JSPatch group and GitHub both blew up: https://github.com/bang590/JSPatch/issues/746

The react-native situation: https://github.com/facebook/react-native/issues/12778

Weex: https://github.com/alibaba/weex/issues/2875

Why it erupted suddenly

The sudden eruption is no accident. Apple's review guidelines have always been clear in forbidding the download of executable code. Although libraries such as JSPatch cleverly implemented this on top of JavaScriptCore, it was never a long-term solution; many developers unwittingly used it to push down calls to private methods and the like, behavior Apple was bound to discover sooner or later. It also posed a major threat to Apple, which takes security extremely seriously.

Besides, anything that involves the network carries security risk.

Another interesting fact: VS2017 was released yesterday, claiming a built-in iOS simulator for developing React Native directly:

Summary of affected libraries

Rollout, React Native, Weex, JSPatch, Bugtags, Getui (个推), Bugly with hotfix

Why apps that don't use hot update still received the e-mail

Personally I think Apple batch-scanned for runtime usage and mass-mailed; Apple has no way to batch-detect remote scripts (remote script downloads).

So it cleverly detected the runtime methods hot update might use, such as method_exchangeImplementations. That basically covers every app using hot update.

The warning tells "apps that download script code and implement it with runtime methods" to fix it in the next version; if they don't, they may be pulled from the store or rejected.

JSPatch is "downloads script code and uses the runtime", but this is not aimed at JSPatch alone.

Rollout, React Native and Weex all get this notice.

Bugtags and Getui (个推), which appear not to have hot update, actually integrate JSPatch and similar libraries internally, so they are flagged too.
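The guess above is that Apple's warning came from a batch scan of app binaries for runtime entry points rather than from detecting downloads. The Python script below, added here as an example and not part of either original article, runs the same audit a developer can do on their own build before resubmitting: it pulls printable strings out of a binary the way `strings` does and reports which of the APIs named in the e-mail (dlopen, dlsym, respondsToSelector:, performSelector:, method_exchangeImplementations) appear. The sample bytes are constructed; on a real build you would pass the Mach-O file inside the .app bundle to audit_file().

```python
import re
from pathlib import Path

# Runtime entry points named in Apple's warning e-mail quoted above. Linked C
# functions appear in a Mach-O symbol table as "_name"; Objective-C selectors
# appear as plain strings (e.g. in the __objc_methname section).
FLAGGED_C_FUNCTIONS = ("dlopen", "dlsym", "method_exchangeImplementations")
FLAGGED_SELECTOR_PREFIXES = ("respondsToSelector:", "performSelector:")

# Runs of 4+ printable ASCII bytes, the same heuristic the `strings` tool uses.
_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def extract_strings(blob: bytes) -> list[str]:
    """Return printable runs from a binary, split on non-printable bytes."""
    return [m.group().decode("ascii") for m in _PRINTABLE_RUN.finditer(blob)]


def audit_binary(blob: bytes) -> dict[str, list[str]]:
    """Map each flagged API found in the binary to the strings referencing it.

    Only APIs that occur are included, so an empty dict means none of the
    symbols the e-mail lists are present in this build.
    """
    hits: dict[str, list[str]] = {}
    for s in extract_strings(blob):
        for fn in FLAGGED_C_FUNCTIONS:
            if s in (fn, "_" + fn):          # symbol with or without C prefix
                hits.setdefault(fn, []).append(s)
        for sel in FLAGGED_SELECTOR_PREFIXES:
            if s.startswith(sel):            # full selector, e.g. withObject:
                hits.setdefault(sel, []).append(s)
    return hits


def audit_file(path: str) -> dict[str, list[str]]:
    """Audit a built binary on disk (the executable inside an .app bundle)."""
    return audit_binary(Path(path).read_bytes())


# Constructed sample, not a real binary: a Mach-O magic number followed by
# NUL-separated symbol and selector strings as a linker would lay them out.
SAMPLE_BINARY = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 8
    + b"_dlopen\x00_objc_msgSend\x00_method_exchangeImplementations\x00"
    + b"viewDidLoad\x00performSelector:withObject:afterDelay:\x00"
    + b"respondsToSelector:\x00" + b"\x00" * 4
)

if __name__ == "__main__":
    for api, refs in sorted(audit_binary(SAMPLE_BINARY).items()):
        print(f"{api:32} {refs}")
```

A hit is not proof of hot-patching (respondsToSelector: is a routine availability check), and no static scan can see whether bundled scripts are later replaced over the network, which is what 3.3.2 actually forbids; the report is the list of call sites you need to be able to justify to review.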
