一、禁止JSPatch邮件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
Dear Developer,
Your app, extension, and/or linked framework appears to contain code designed explicitly with the capability to change your app’s behavior or functionality after App Review approval, which is not in compliance with section 3.3.2 of the Apple Developer Program License Agreement and App Store Review Guideline 2.5.2. This code, combined with a remote resource, can facilitate significant changes to your app’s behavior compared to when it was initially reviewed for the App Store. While you may not be using this functionality currently, it has the potential to load private frameworks, private methods, and enable future feature changes.
This includes any code which passes arbitrary parameters to dynamic methods such as dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations(), and running remote scripts in order to change app behavior or call SPI, based on the contents of the downloaded script. Even if the remote resource is not intentionally malicious, it could easily be hijacked via a Man In The Middle (MiTM) attack, which can pose a serious security vulnerability to users of your app.
Please perform an in-depth review of your app and remove any code, frameworks, or SDKs that fall in line with the functionality described above before submitting the next update for your app for review.
Best regards,
App Store Review
尊敬的开发者,
您的应用,扩展程序和/或链接框架似乎包含明确设计的代码,能够在应用审核批准后更改应用的行为或功能,这不符合Apple开发人员计划许可协议和应用的第3.3.2节商店审查指南2.5.2。此代码与远程资源相结合,可以帮助对应用程序的行为进行重大更改(与最初对App Store进行审核时相比)。虽然当前可能不使用此功能,但它可能会加载私有框架,私有方法,并支持未来的功能更改。
这包括将任意参数传递给动态方法(如dlopen(),dlsym(),respondingToSelector :, performSelector :, method_exchangeImplementations())和运行远程脚本以便更改应用程序行为或调用SPI的任何代码,下载的脚本。即使远程资源不是故意恶意的,它也可能很容易被劫持通过中间人(MiTM)攻击,这可能对您的应用程序的用户造成严重的安全漏洞。
请对您的应用执行深入审核,并删除与上述功能相符的任何代码,框架或SDK,然后再提交下一个更新以供审核。
最好的祝福,
App Store评论

因为项目中集成了JSPatch,收到邮件时也没想太多,那就去掉呗。

等再次提交时,发现还有问题,再次被打回,收到的邮件如下:

1
2
3
4
5
6
7
Your app, extension, and/or linked framework appears to contain code designed explicitly with the capability to change your app’s behavior or functionality after App Review approval, which is not in compliance with App Store Review Guideline 2.5.2 and section 3.3.2 of the Apple Developer Program License Agreement.
This code, combined with a remote resource, can facilitate significant changes to your app’s behavior compared to when it was initially reviewed for the App Store. While you may not be using this functionality currently, it has the potential to load private frameworks, private methods, and enable future feature changes. This includes any code which passes arbitrary parameters to dynamic methods such as dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations(), and running remote scripts in order to change app behavior and/or call SPI, based on the contents of the downloaded script. Even if the remote resource is not intentionally malicious, it could easily be hijacked via a Man In The Middle (MiTM) attack, which can pose a serious security vulnerability to users of your app.
Next Steps
Perform an in-depth review of your app and remove any code, frameworks, or SDKs that fall in line with the functionality described above and resubmit your app’s binary for review.

二、再次审核不通过原因:个推SDK集成了JSPatch

在这儿要小小的吐槽一下个推,在这苹果官方重点审核JSPatch的风口浪尖,集成了JSPatch的个推并未发声。既然集成了,就告知一下用户,集成了个推的APP有可能造成审核不通过,请耐心等待,会尽快处理,在接下来版本中移除JSPatch。移除了以后嘛,也提醒一下用户,去官网更新一下SDK,避免APP审核不通过。而个推呢,只字未提。你想要知道的一切,都得自己去询问官方技术人员。

在这方面,真没高德地图SDK做的好