Slashdot Mirror


Apple Begins Rejecting Apps With 'Hot Code Push' Feature (apple.com)

Apple has long permitted "hot code push", a feature that allows developers to continuously deploy changes to their mobile apps and have those changes reflect in their apps instantly. This allowed developers to make quick changes to their apps without having to resubmit the new iteration and get approval from the Apple Store review team. But that's changing now. In response to a developer's query, Apple confirmed that it no longer permits "hot code push." The company told the developer:

"Your app, extension, and/or linked framework appears to contain code designed explicitly with the capability to change your app's behavior or functionality after App Review approval, which is not in compliance with section 3.3.2 of the Apple Developer Program License Agreement and App Store Review Guideline 2.5.2. This code, combined with a remote resource, can facilitate significant changes to your app's behavior compared to when it was initially reviewed for the App Store. While you may not be using this functionality currently, it has the potential to load private frameworks, private methods, and enable future feature changes."

15 of 149 comments

  1. Yea but they don't by Anonymous Coward · · Score: 2, Interesting

    As someone who has worked on iOS apps big and small, I will tell you the rules for big orgs are not the same vs small. If they want to "hot push" (ghey btw) a scheduled event in Disney Kingdoms, Apple won't say shit. If you want to "hot push" (ghey btw) an update to some pixel avatar app with 3 users, you get rejected.

    1. Re:Yea but they don't by queazocotal · · Score: 2

      What?
      Of course they don't.
      You make a new version of the app with all the content a week or whatever before, and allow it to get through whatever review process there is. At a known time, your app starts using those features.

  2. Pray I don't change it again by H3lldr0p · · Score: 2, Insightful

    Seriously, unless you're part of a big corp with big corp lawyers and money behind you why develop for Apple? You have to buy your way into their walled garden, give up a significant portion of sales to them, and be put through an obscured process to get approval to be published in a store. Which, if you're lucky enough to hit on something that's both novel and popular, is going to fill up with a bunch of clones within days of the first hint of success.

    If you're not doing it for the fun of being repeatedly punched in the face, what are you doing it for?

    1. Re:Pray I don't change it again by mccalli · · Score: 4, Informative

      Money. You're doing it for money, and that's where the app revenues are.

    2. Re:Pray I don't change it again by rworne · · Score: 5, Insightful

      Let's see:

      I'm a one man shop that does App development as a hobby while simultaneously maintaining a full time job. Having someone handle 24/7 hosting and billing and a sort of rudimentary QA on the final product (so the users will trust it better) is something of value. In many cases, costs and time would be prohibitive for a new, small shop to do all these things itself. So they do something for that 30% other than rubber stamp it.

      Also, $99 is a pittance - how much do dev kits from Nintendo, Sony and Microsoft cost?

      Now another poster pointing out that the rules are different for larger companies that develop on Apple's platform - yes they are. I see competing apps that violate the backgrounding policies (for good reasons) that I could never get away with if I tried.

      One example is playing silent audio while streaming via DLNA from the iOS device to prevent the OS from putting the app to sleep after 10 minutes or so. A big company just does it and has done it for years without consequence. Another small developer in my niche needed to do this as well, but was forced by Apple to remove it unless there was a specific function for it. So the developer instead added a useless "visualizer" that made graphic effects to music picked up by the microphone which is then put in the background and hidden - just to get around the rules. I have not added DLNA streaming yet because of these headaches.

      --
      I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit

    3. Re:Pray I don't change it again by Orphis · · Score: 4, Insightful

      How much is an Apple computer? You can't compare the cost of the license without taking into account the hardware required.

    4. Re: Pray I don't change it again by rworne · · Score: 2

      The Mac is a general purpose computing device. The dev tools (Xcode) are free. Yes, owning a Mac is a barrier to entry, same as a PC would be for other development targets, but Macs and PCs have many other uses aside from development.

      You can write iOS apps at zero cost to you and test them in a decent simulator on the Mac. If you think you have something, you can then fork over the $99 and put it on the App Store. If you own a PC instead of a Mac, then the cost of entry is based on your personal choice of computer and your target market. Obviously Android or Microsoft targets are more cost-effective for you if you run Windows, not so much for me (aside from Android).

      --
      I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit

  3. Surprised by tonyyeb · · Score: 4, Insightful

    Surprised they ever allowed developers to do this? Surely in defiance of the objective of it being checked in the first place if you can just change it once approved.

  4. Recipe for disaster by JustAnotherOldGuy · · Score: 5, Interesting

    "Apple has long permitted "hot code push", a feature that allows developers to continuously deploy changes to their mobile apps and have those changes reflect in their apps instantly. This allowed developers to make quick changes to their apps without having to resubmit the new iteration and get approval from the Apple Store review team."

    Is it just me or does this seem like a recipe for disaster, ripe for abuse in the worst possible ways? And not just by the developer, but by anyone who hacks the developer's tool chain or system.

    In other words, you could push the most intrusive, malevolent, destructive code to a user's device at will with no oversight.

    Who thought having this capability was a good idea?

    --
    Just cruising through this digital world at 33 1/3 rpm...

    1. Re:Recipe for disaster by Anubis IV · · Score: 3, Informative

      Hot fixes such as this should be limited to enterprise apps only - i.e. apps that don't affect the world.

      Was the hot fix permitted for all apps or just enterprise apps? If the former, then it should definitely be removed.

      Enterprise apps don't have to go through the review process because they aren't in the App Store in the first place. They're distributed privately, with the enterprise signing each app using a cert and each employee's device being configured to accept apps signed by that cert. Updates can be deployed directly to employee devices, as a result.

      As for apps using this feature, I know that a variety of games download content updates outside of the App Store, though if I had to guess, I'd wager that when Plants vs. Zombies 2 and Final Fantasy Record Keeper say they're downloading new content, it's just a package of art assets and the like that the existing executable knows how to parse. If it is arbitrary code, however, I'd also wager that I'll suddenly see those games issuing a lot more frequent updates, given that FFRK pushes out content updates 1-2 times per week as it is.

    2. Re:Recipe for disaster by thomn8r · · Score: 2

      In other words, you could push the most intrusive, malevolent, destructive code to a user's device at will with no oversight.

      It's called Windows Update

  5. They are worried about the CIA by jafiwam · · Score: 3, Insightful

    Seems like the timing of this might be related to the information released by WikiLeaks about what the CIA has been doing. Being able to get into just about any mobile or IoT device for example.

  6. Developers care about eating by mveloso · · Score: 2

    You can't eat open source revenues. Most of the open source devs work for some corp or another, after all.

  7. I see that... by BronsCon · · Score: 2, Interesting

    Apple is finally closing the back door that allowed malware to get past the app review process, though they won't admit that's why. I can talk about it now that it's finally being fixed, I'm just astonished that it's taken them this long!

    And all of you thought I was crazy for saying it was possible.

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.

  8. Edgy fucks always ruin it for everybody by 0xdeadbeef · · Score: 2

    It is apparently in response to something called Rollout.io, and looking at what it does, holy fucking hell, how the fuck has such a thing existed as long as it has, and why did those dumb fucks think Apple would be cool with them hot-patching code?

    What concerns me is

    This includes any code which passes arbitrary parameters to dynamic methods such as dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations(), and running remote scripts in order to change app behavior or call SPI [sic],

    which means no method swizzling and no introspection, which is absurd. You can't even implement many idiomatic Objective-C patterns without respondsToSelector. Maybe the key is "arbitrary parameters", though in that case, they should be looking for calls to NSSelectorFromString, not these methods.

    This also seems to rule out calling a web service through a JavaScript front-end published by the server. And hell, most jailbreak checks call dlopen. Apple will be screwing over anti-cheat and anti-piracy techniques so they can enforce their own security theater.
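
An added example, not part of the comment above and not Apple tooling: a pre-submission audit that reports which bundled binary references the names quoted in the rejection text, since that text covers linked frameworks as well as the app itself. The binary names, the sample listings and the priority heuristic are assumptions; an import listing cannot show whether the parameters passed are arbitrary.

```python
# Names quoted in the rejection text. C functions appear as undefined symbols
# with a leading "_" in Mach-O binaries; selectors are method-name strings.
FLAGGED_FUNCTIONS = {"dlopen", "dlsym", "method_exchangeImplementations"}
FLAGGED_SELECTORS = {"respondsToSelector:", "performSelector:"}
STRING_TO_SELECTOR = "NSSelectorFromString"  # the call the comment singles out

# Constructed sample data (not from a real app): per binary, an `nm -u`-style
# import listing and a list of selector strings. All binary names are hypothetical.
SAMPLE = {
    "MyApp": ("_NSLog\n_objc_msgSend\n", "viewDidLoad\nrespondsToSelector:\n"),
    "Frameworks/HotPatchSDK": (
        "U _dlopen\nU _dlsym\nU _method_exchangeImplementations\nU _NSSelectorFromString\n",
        "performSelector:\n",
    ),
    "Frameworks/Analytics": ("_NSLog\n_objc_msgSend\n", "init\n"),
}


def parse_imports(nm_text):
    """Return imported C symbol names with the Mach-O '_' prefix stripped."""
    names = set()
    for line in nm_text.splitlines():
        fields = line.split()
        if fields and fields[-1].startswith("_"):
            names.add(fields[-1][1:])
    return names


def audit(binaries):
    """Map each binary that references a flagged name to what it references."""
    report = {}
    for name, (nm_text, selector_text) in binaries.items():
        imports = parse_imports(nm_text)
        selectors = set(selector_text.split())
        funcs = sorted(imports & FLAGGED_FUNCTIONS)
        sels = sorted(selectors & FLAGGED_SELECTORS)
        from_string = STRING_TO_SELECTOR in imports
        if not (funcs or sels or from_string):
            continue
        # Heuristic (assumption): loader/swizzling imports or runtime-built
        # selectors get reviewed first; a lone respondsToSelector: is ordinary.
        priority = "review-first" if funcs or from_string else "idiomatic-only"
        report[name] = {"functions": funcs, "selectors": sels,
                        "selector_from_string": from_string, "priority": priority}
    return report


if __name__ == "__main__":
    for binary, finding in audit(SAMPLE).items():
        print(binary, finding)
```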