App Update without Review?

Hi, I was wondering what Apple's CURRENT official stance is on using React Native to allow apps to be updated without going through app review. In React Native all app functionality is situated in a .jsbundle which can be reloaded from e.g. a webserver. AppHub makes a wrapper service to make this easy or you can host your own bundle on your HTTP server. This of course bypasses the App Review process & violates at least the spirit of the following rule:


"3.3.2 An Application may not download or install executable code. Interpreted code may only be used in an Application if all scripts, code and interpreters are packaged in the Application and not downloaded. The only exception to the foregoing is scripts and code downloaded and run by Apple's built-in WebKit framework or JavascriptCore, provided that such scripts and code do not change the primary purpose of the Application by providing features or functionality that are inconsistent with the intended and advertised purpose of the Application as submitted to the App Store."


My question: I understand this technique has been *tolerated* for a while now if it's just about pushing new updates to existing apps. This technique was especially useful when long review times were still usual.


My question: is it still advisable to use this technique with sub-1-day review times? Is it worth it? Or is there a risk of trouble / policy changes ahead?


As for the official Apple stance, I'm not sure there is one. I believe they prefer to consider stuff like this on a case-by-case basis.


If you want my opinion, if you're talking about using the native app as simply a container for that interchangeable, executable React content, you're going to be walking on some seriously thin ice. If I understand you correctly, React executes that JavaScript itself, which puts you outside the scope of the whole "The only exception to the foregoing…" clause. With that out of the picture, you cannot download any executable code without being in clear violation of not only the spirit but also the letter of regulation 3.3.2. Also, what about security? What would you do if the host got hacked and someone replaced your legit bundle with something fraudulent or outright malicious?


The best way to solve this problem, in my opinion, is to put several different code pathways inside your app and choose which one you use based on nonexecutable JSON data retrieved from a server. You would have to do a fair amount of planning ahead to make sure that you have code in advance for all the expected changes, but this technique, while maybe not 100% acceptable, is far, far better than downloading executable modules.
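A sketch of the approach suggested in the reply above, as an added example that is not part of the original thread: every code path ships in the reviewed binary and the server's JSON can only select among them. The names `PATHWAYS`, `PARAM_RULES`, `selectPathways` and the JSON field names are assumptions made for illustration.

```javascript
// Added example; PATHWAYS, PARAM_RULES, selectPathways and the JSON field names are hypothetical.
// Code paths compiled into the reviewed app. The server can only pick among these.
const PATHWAYS = new Map([
  ['checkout', new Map([
    ['classic', (p) => `classic checkout, ${p.maxItems} items max`],
    ['oneTap', (p) => `one-tap checkout, ${p.maxItems} items max`],
  ])],
  ['banner', new Map([
    ['off', () => 'no banner'],
    ['promo', (p) => `promo banner #${p.campaignId}`],
  ])],
]);
const DEFAULTS = { checkout: 'classic', banner: 'off' };

// Parameters are plain data: a fixed key set, each with a type and range check.
const PARAM_RULES = {
  maxItems: { ok: (v) => Number.isInteger(v) && v >= 1 && v <= 50, fallback: 10 },
  campaignId: { ok: (v) => Number.isInteger(v) && v >= 0, fallback: 0 },
};

const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function selectPathways(rawJson) {
  let cfg = {};
  try {
    const parsed = JSON.parse(rawJson);
    if (parsed !== null && typeof parsed === 'object' && !Array.isArray(parsed)) cfg = parsed;
  } catch (e) { /* malformed response: keep the shipped defaults */ }

  const rawParams = (own(cfg, 'params') && cfg.params !== null && typeof cfg.params === 'object') ? cfg.params : {};
  const params = {};
  for (const [key, rule] of Object.entries(PARAM_RULES)) {
    const v = own(rawParams, key) ? rawParams[key] : undefined;
    params[key] = rule.ok(v) ? v : rule.fallback;
  }

  const chosen = {};
  for (const [feature, variants] of PATHWAYS) {
    const wanted = own(cfg, feature) ? cfg[feature] : undefined;
    // Map lookup on a string key: names like "constructor" or "__proto__" never resolve.
    const name = (typeof wanted === 'string' && variants.has(wanted)) ? wanted : DEFAULTS[feature];
    chosen[feature] = { variant: name, output: variants.get(name)(params) };
  }
  return chosen;
}

// Constructed sample response: one valid choice, one unknown variant, one out-of-range value.
const SAMPLE = '{"checkout":"oneTap","banner":"alert(1)","params":{"maxItems":9999,"campaignId":7}}';
console.log(selectPathways(SAMPLE));
```

Nothing from the response is ever evaluated or used as a selector or method name, so a compromised host can at worst switch between behaviours that were already in the submitted build.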

@bob: yeah, React Native pretty much means you have a thin native executable (basically a modified AppDelegate) which downloads a .jsbundle from your server & all further app logic/layout is defined from that JavaScript bundle. A typical React Native app is just an AppDelegate without views, viewcontrollers, models, etc.


Just wanted to throw in here that I see lots of client interest in "bypassing app review" & just out of curiosity yesterday I made a React Native app that will appear innocent on first submission & then download a harmful .jsbundle later which allows access to private API methods from within JavaScript. The reason I'm pushing for an official position from Apple on this is that I think this poses a clear privacy/security threat to the user (think the stuff Youmi did a while back) & is not compatible with the privacy stance Apple has been taking in public recently.


I understand that technically it will always be possible to download a string-based payload in e.g. JSON & performSelector it, but JavaScriptCore-based tools like React Native make it really easy to stay completely off App Review's radar with your whole app.


Today's "App Store Improvement Cleanup" announcement makes me think that Apple may want to look into these alternative app update mechanisms since they fundamentally bypass the review process that is in place to guarantee the "quality" of the App Store.
