起因是這樣,apple 產品開發者常常使用一套Rollout.io的第三方服務進行
hot code push(類似俗稱的hotfix)
但在3/7有許多apple開發人員發現他們的app被無預警下架並收到類似訊息
"Your app, extension, and/or linked framework appears to contain code
designed explicitly with the capability to change your app’s behavior or
functionality after App Review approval, which is not in compliance with
section 3.3.2 of the Apple Developer Program License Agreement and App Store
Review Guideline 2.5.2. This code, combined with a remote resource, can
facilitate significant changes to your app’s behavior compared to when it
was initially reviewed for the App Store. While you may not be using this
functionality currently, it has the potential to load private frameworks,
private methods, and enable future feature changes.
This includes any code which passes arbitrary parameters to dynamic methods
such as dlopen(), dlsym(), respondsToSelector:, performSelector:,
method_exchangeImplementations(), and running remote scripts in order to
change app behavior or call SPI, based on the contents of the downloaded
script. Even if the remote resource is not intentionally malicious, it could
easily be hijacked via a Man In The Middle (MiTM) attack, which can pose a
serious security vulnerability to users of your app.
Please perform an in-depth review of your app and remove any code, frameworks,
or SDKs that fall in line with the functionality described above before
submitting the next update for your app for review."
大意上是說,因為開發者的程式碼內有違反"當前"開發者條款和上架條款而暫時下架,
希望開發者能夠針對這個部分進行修正
稍後,Rollout.io便對此提出的說明:
https://9to5mac.com/2017/03/08/rollout-hot-code-push-policy-shift/
然而,在開發者們等待Rollout.io提出解決方案時,事情又有新的進展:
https://rollout.io/blog/open-letter-to-apple-secure-javascript-injection-ios/
3/13 Rollout向開發者釋出未來可透過蘋果的Live Update Service Certificate服務
進行hot code push的可能性