JavaScript Injection Approval Process for iOS
Sorry, but rollout.io knew the rules and got caught red-handed.
Do developers wish for a solution to circumvent Apple's review process for "updates and bug fixes"? Maybe. Should users be happy about a "solution" that allows developers to manipulate the behavior of apps without any consent from the user and without any review process at all, just by opening the app? I really don't think so.
I'm not happy with the "solution" rollout.io and others created, and I stop using/buying any app that I know is actively using these frameworks. Dynamically loading content is fine; modifying the app logic is not, and it can potentially lead to theft of user data, ad injection, or even adding iOS devices to botnets while the app is running.
Actually, Rollout is compliant with Apple guidelines. More details here: https://rollout.io/blog/updating-apps-without-app-store/
I'm not going to argue regarding the potential security issues of using a solution like Rollout or CodePush, but I do think Apple should have done a better job at communication.
Dave Verwer from iOS Dev Weekly said it much better than I can:
"We still only have anecdotal evidence on what has actually happened, and while that continues both the creators of these tools and the developers who are using them are left in this difficult/impossible situation of not knowing what's going to happen to their apps. It'll probably take a couple of weeks to see the full impact of this, and I really feel for you if you have an app that's being affected by the changes.
People build businesses on the App Store and to have the possibility of changes like this being enforced with zero notice after years of them being fine on the App Store is completely unacceptable in that situation. If this change is intentional (which we can only assume it is) then it should have come with a detailed description of what's happening and a notice period to give app owners a chance to react and continue to run their apps.
Apple can definitely do better at handling situations like this.
Dave Verwer"
Taken from https://iosdevweekly.com/issues/291#start
FYI, I work for Rollout
What do you think happens with all hybrid platforms, i.e. React Native, Cordova, Ionic, and others? They all load JS assets remotely.
Even without a hybrid platform, developers today are loading JS assets remotely and basically injecting new code, all the time.
What Apple did is just flag the ones that are most upfront about it, but everyone can do it, hence the Rollout suggestion IMHO.
This is exactly what we are referring to in the suggestion.
Also, I just saw this (see below): another example of JS injection using CodePush (by MSFT) and RN. Apple seems to be fine with this... doesn't this have the same security issue?
Not that it really matters, but the platform we use does a CodePush, exactly like RN, does not mess with Objective-C etc., and was flagged. Removing said feature still gets flagged and iOS will not reply back; it's very frustrating.
Must have.
Awesome. Thank you!
Nailed it!