Here is the background: Apple platform developers often use a third-party service, Rollout.io,
for hot code push (similar to what is commonly called a hotfix).
But on 3/7 many Apple developers found their apps had been taken down without warning and received a message like this:
"Your app, extension, and/or linked framework appears to contain code
designed explicitly with the capability to change your app’s behavior or
functionality after App Review approval, which is not in compliance with
section 3.3.2 of the Apple Developer Program License Agreement and App Store
Review Guideline 2.5.2. This code, combined with a remote resource, can
facilitate significant changes to your app’s behavior compared to when it
was initially reviewed for the App Store. While you may not be using this
functionality currently, it has the potential to load private frameworks,
private methods, and enable future feature changes.
This includes any code which passes arbitrary parameters to dynamic methods
such as dlopen(), dlsym(), respondsToSelector:, performSelector:,
method_exchangeImplementations(), and running remote scripts in order to
change app behavior or call SPI, based on the contents of the downloaded
script. Even if the remote resource is not intentionally malicious, it could
easily be hijacked via a Man In The Middle (MiTM) attack, which can pose a
serious security vulnerability to users of your app.
Please perform an in-depth review of your app and remove any code, frameworks,
or SDKs that fall in line with the functionality described above before
submitting the next update for your app for review."
Roughly, it says that because the developer's code violates the "current" developer agreement and App Store review terms, the app has been temporarily taken down,
and Apple hopes the developer will fix this part.
Shortly afterwards, Rollout.io put out a statement on this:
https://9to5mac.com/2017/03/08/rollout-hot-code-push-policy-shift/
However, while developers were waiting for Rollout.io to propose a solution, there was a new development:
https://rollout.io/blog/open-letter-to-apple-secure-javascript-injection-ios/
On 3/13 Rollout told developers that in the future it may be possible to do hot code push
through Apple's Live Update Service Certificate service.
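As an added illustration (my own script, not from the original post, Apple or Rollout.io), here is a small Python triage aid for the "in-depth review" that Apple's notice asks for: it scans Objective-C source for the dynamic-dispatch calls the notice names and separates calls whose selector or symbol argument is a compile-time literal from those fed an arbitrary value, which is the pattern that lets a downloaded script change app behaviour. Including NSSelectorFromString is my assumption (it is the usual way a string becomes a selector), and the sample source lines are constructed.

```python
import re
from collections import namedtuple

# Dynamic-dispatch APIs from Apple's notice, plus NSSelectorFromString (assumption),
# mapped to the 0-based position of the argument naming the selector/symbol;
# None means the call is always reported without an argument check.
NAME_ARG = {"dlopen": 0, "dlsym": 1, "NSSelectorFromString": 0,
            "performSelector": 0, "respondsToSelector": 0,
            "method_exchangeImplementations": None}
CALL = re.compile(r"\b(" + "|".join(NAME_ARG) + r")\s*([(:])")
LITERAL = re.compile(r'^(@selector\(\s*[\w:]+\s*\)|@?"[^"]*")$')

# literal=True means the name is fixed at compile time and reviewable as-is.
Finding = namedtuple("Finding", "line_no api literal arg")

def _expr(text, stops):
    """Leading balanced expression of text, ending before a top-level stop char."""
    depth, out = 0, ""
    for ch in text:
        if depth == 0 and ch in stops:
            break
        depth += (ch in "([") - (ch in ")]")
        out += ch
    return out

def audit(source):
    """One Finding per dynamic call; literal=False marks an arbitrary name argument."""
    findings = []
    for n, line in enumerate(source.splitlines(), 1):
        for m in CALL.finditer(line):
            api, idx = m.group(1), NAME_ARG[m.group(1)]
            if idx is None:
                findings.append(Finding(n, api, False, ""))
                continue
            rest = line[m.end():]
            if m.group(2) == ":":                    # Objective-C message keyword
                arg = _expr(rest, " ]")
            else:                                    # C / Foundation function call
                for _ in range(idx):                 # skip the arguments before the name
                    rest = rest[len(_expr(rest, ",)")) + 1:]
                arg = _expr(rest, ",)")
            arg = arg.strip()
            findings.append(Finding(n, api, bool(LITERAL.match(arg)), arg))
    return findings

def arbitrary(source):
    """Calls whose name argument is not a literal: review these first."""
    return [f for f in audit(source) if not f.literal]

SAMPLE = '''\
[self performSelector:@selector(refreshFeed) withObject:nil afterDelay:0.5];
SEL patched = NSSelectorFromString(json[@"selector"]);
if ([self respondsToSelector:patched]) [self performSelector:patched withObject:json[@"arg"]];
void *h = dlopen(downloadedPath.UTF8String, RTLD_NOW);
void *fn = dlsym(h, "apply_patch");
method_exchangeImplementations(orig, swizzled);
'''  # constructed sample: lines 2-4 and 6 are the kind of code the notice targets
```

A hit with literal=True (such as a fixed @selector) is ordinary Cocoa usage; the interesting findings are the ones where the name comes from parsed JSON or a downloaded path.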