Apple Begins Rejecting Apps With 'Hot Code Push' Feature

Apple has long permitted "hot code push", a feature that allows developers to continuously deploy changes to their mobile apps and have those changes reflect in their apps instantly. This allowed developers to make quick changes to their apps without having to resubmit the new iteration and get approval from the Apple Store review team. But that's changing now. In response to a developer's query, Apple confirmed that it no longer permits "hot code push." The company told the developer: Your app, extension, and/or linked framework appears to contain code designed explicitly with the capability to change your app's behavior or functionality after App Review approval, which is not in compliance with section 3.3.2 of the Apple Developer Program License Agreement and App Store Review Guideline 2.5.2. This code, combined with a remote resource, can facilitate significant changes to your app's behavior compared to when it was initially reviewed for the App Store. While you may not be using this functionality currently, it has the potential to load private frameworks, private methods, and enable future feature changes.

Yea but they don't

As someone who has worked on ios apps big and small, I will tell you the rules for big orgs are not the same vs small. If they want to "hot push" (ghey btw) a scheduled event in Disney Kigndoms, apple won;t say shit. If you want to "hot push" (ghey btw) an update to some pixel avatar app with 3 users, you get rejected.

Recipe for disaster

[JustAnotherOldGuy]

"Apple has long permitted "hot code push", a feature that allows developers to continuously deploy changes to their mobile apps and have those changes reflect in their apps instantly. This allowed developers to make quick changes to their apps without having to resubmit the new iteration and get approval from the Apple Store review team."

Is it just me or does this seem like a recipe for disaster, ripe for abuse in the worst possible ways? And not just by the developer, but by anyone who hacks the developer's tool chain or system.

In other words, you could push the most intrusive, malevolent, destructive code to a user's device at will with no oversight.

Who thought having this capability was a good idea?

I see that...

[BronsCon]

Apple is finally closing the back door that allowed malware to get passed the app review process, though they won't admit that's why. I can talk about it now that it's finally being fixed, I'm just astonished that it's taken them this long!

And all of you thought I was crazy for saying it was possible.

Re:Pray I don't change it again

[BronsCon]

at least I'm not at the mercy of several parties to keep my security and features up to date

No, you're at the mercy of one who left an attack vector you could drive a damn dump truck through open for years. What do you think "hot code push" is? It's a way to push any code you want past Apple's app review process. Submit the code without your malware, then hot-push it after approval.

I've been telling you guys it was possible for years, as well, I just couldn't discuss the details until it was public. Though, on the old slashdot, I never would have had to spell out something so simple and obvious.

The security company I reported it to (you didn't think I would go straight to Apple so they could use my ass, right?) showed me a page from a rather lengthy document they had already compiled regarding the issue and used the promise of seeing the rest of said document to coax me into signing an NDA. Of course, I obliged as I had no intent of making it public myself anyway... and I really wanted to see what apps they had found doing just this (with malware, I mean).

That's still not public yet so, while I can't list specific apps, the fact that it's a non-zero number is obvious enough that I can share it. It's not only non-zero, it's non-trivial, and the average iOS user is bound to have one or more of them installed.

Yes, Apple is going to stop allowing them through the app review process now, but they're not taking down existing apps that use the functionality. If those apps never release an update (or you don't install that update), you remain vulnerable. Again, this is a hole you could drive a truck through; once the truck is there, it's not leaving until it's good and ready to leave.

For the record, I've known of this for four years. The security consultants I spoke with had taken it to Apple two years before I figured it out; which, by the way, took me all of two minutes once I had an iPhone on my hand and started looking into various libraries that exist for iOS development.

The combination of huge and obvious just screams intentional. That Apple already has the ability to push whatever code they want screams state-sponsored. I'm not saying Google is any better with regard to Android, but I also don't have any illusions that they are.

Enjoy your "security".