React-native-code-push: My app has been rejected by App Review team

Created on 30 Aug 2017  ·  18 Comments  ·  Source: microsoft/react-native-code-push


Steps to Reproduce

None.

Expected Behavior

My app will be approved.

Actual Behavior

My app has been rejected.

I just updated some UI for my app, but it has been rejected. I was notified that I violated 2.3.1 and 2.5.2 of the App Review Guidelines.

Here is a screenshot of my app.

The last approval on the App Store was in April, with the same react-native-code-push version.

Not sure whether react-native-code-push is allowed in 2017.

Reproducible Demo

None.

Environment

  • react-native-code-push version: 1.16.1-beta
  • react-native version: 0.42.2
  • iOS version: support iOS 8+


iOS question

All 18 comments

I don't understand why you think the rejection is linked to react-native-code-push, since the two paragraphs you mentioned are not related to it.

Hey, are you sure your app's rejection is due to CodePush? Did you use packages related to JSPatch? You can refer to this previous issue.

Could you also please add the other libraries that you are using in your app?

@kelset @buptkang @axemclion

Hello guys,

I reported the issue here not because I think the rejection is caused by CodePush, but because I noticed that some developers received warning emails from Apple. It seems that hot fixes have not been allowed since the middle of 2017, so I'm not sure whether CodePush is also not allowed, hence the issue (or question) here to get more information from the community.

Yeah, I saw the issue @buptkang provided, but I'm not sure which package included something like JSPatch. The only libraries I added since my last submission to the App Store are react-native-search-bar, react-native-blur and react-native-gifted-chat.

"apsl-react-native-button": "3.0.1",
"es6-symbol": "3.1.1",
"lodash": "4.17.4",
"md5": "2.1.0",
"moment": "2.10.6",
"react": "15.4.2",
"react-native": "0.42.2",
"react-native-blur": "3.1.3",
"react-native-checkbox": "1.0.15",
"react-native-code-push": "1.16.1-beta",
"react-native-gifted-chat": "0.1.4",
"react-native-image-crop-picker": "0.12.9",
"react-native-image-progress": "0.6.0",
"react-native-keyboard-aware-scroll-view": "0.2.5",
"react-native-message-bar": "1.6.0",
"react-native-progress": "3.2.0",
"react-native-scrollable-tab-view": "0.6.0",
"react-native-search-bar": "3.0.0",
"react-native-side-menu": "0.20.1",
"react-native-vector-icons": "4.0.0",
"react-redux": "4.4.1",
"redux": "3.3.1",
"redux-actions": "1.2.1",
"redux-saga": "0.12.0"

I found an issue here: https://github.com/react-native-community/react-native-blur/issues/125. I will leave a comment there to see whether it's the root cause.

just because I noticed that some developers received warning email from Apple

Can you link/clarify where you heard about this?

I'm not sure whether CodePush is also not allowed

It is, there is a whole section of the README about it.

Moreover, the two paragraphs you mentioned are not related to codepush's functionality imho.

@kelset - so, the rejection reason I received from App is,


Guideline 2.3.1 - Performance

We discovered that your app contains hidden features.

You will experience a delayed review process if you deliberately disregard the App Store Review Guidelines, ignore previous rejection feedback in future app submissions, or use your app to mislead or deceive users.

Important Information

As a result of violating this guideline, your app’s review has been delayed. Future submissions of this app, and other apps associated with your Apple Developer account, will also experience a delayed review. Deliberate disregard of the App Store Review Guidelines and attempts to deceive users or undermine the review process are unacceptable and is a direct violation Section 3.2(f) of the Apple Developer Program License Agreement. Continuing to violate the Terms & Conditions of the Apple Developer Program will result in the termination of your account, as well as any related or linked accounts, and the removal of all your associated apps from the App Store.

We want to provide a safe experience for users to get apps and a fair environment for all developers to be successful. If you believe we have misunderstood or misinterpreted the intent of your app, you may submit an appeal for consideration or provide additional clarification by responding directly to this message in Resolution Center in iTunes Connect.

Guideline 2.5.2 - Performance - Software Requirements

Your app, extension, or linked framework appears to contain code designed explicitly with the capability to change your app’s behavior or functionality after App Review approval, which is not in compliance with App Store Review Guideline 2.5.2 and section 3.3.2 of the Apple Developer Program License Agreement.

This code, combined with a remote resource, can facilitate significant changes to your app’s behavior compared to when it was initially reviewed for the App Store. While you may not be using this functionality currently, it has the potential to load private frameworks, private methods, and enable future feature changes. This includes any code which passes arbitrary parameters to dynamic methods such as dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations(), and running remote scripts in order to change app behavior and/or call SPI, based on the contents of the downloaded script. Even if the remote resource is not intentionally malicious, it could easily be hijacked via a Man In The Middle (MiTM) attack, which can pose a serious security vulnerability to users of your app.

Important Information

As a result of violating this guideline, your app’s review has been delayed. Future submissions of this app, and other apps associated with your Apple Developer account, will also experience a delayed review. Deliberate disregard of the App Store Review Guidelines and attempts to deceive users or undermine the review process are unacceptable and is a direct violation Section 3.2(f) of the Apple Developer Program License Agreement. Continuing to violate the Terms & Conditions of the Apple Developer Program will result in the termination of your account, as well as any related or linked accounts, and the removal of all your associated apps from the App Store.

We want to provide a safe experience for users to get apps and a fair environment for all developers to be successful. If you believe we have misunderstood or misinterpreted the intent of your app, you may submit an appeal for consideration or provide additional clarification by responding directly to this message in Resolution Center in iTunes Connect.


Regarding 2.3.1, it seems that the App Review team didn't use my app in the right way, since I didn't provide the same account and password as the one in the 5 screenshots I provided for submission. I have already sent an email to the App Review team for more explanation.

Regarding 2.5.2, if we google the first sentence, "Your app, extension, or linked framework appears to contain code designed explicitly with the capability to change your app’s behavior or functionality after App Review approval", most of the results I got have the keyword 热更新 (hot push) (I'm in China, so most of the results are in Chinese), and some of the results mention that many developers received emails from Apple (for example, 很多iOS 开发者收到Apple 警告邮件,是要全面封杀热修复方案吗?, which means "many iOS developers received warning emails from Apple; does it mean hot push will be completely prohibited?"). I know this does not mean that, because I used CodePush and can use it for hot push, the rejection is caused by it, but hot push is indeed mentioned in the search results, hence the issue here (I don't mean it's a bug or defect; I think it's more like a question). I also read through the README.md section you provided, and I did not use updateDialog.

componentDidMount() {
  // hot push
  AppState.addEventListener('change', this.handleAppStateChange);

  CodePush.sync({ installMode: CodePush.InstallMode.ON_NEXT_RESUME });
}

componentWillUnmount() {
  AppState.removeEventListener('change', this.handleAppStateChange);
}

handleAppStateChange(appState) {
  if (appState === 'active') {
    CodePush.sync({ installMode: CodePush.InstallMode.ON_NEXT_RESUME });
  }
}

Any questions please let me know.

Closing this for now as the rejection appears to be attributed to the use of react-blur, which accesses private APIs. If you remove this package, resubmit and are still denied, please reopen and we will continue the discussion.

@pniko - I want to try what you mentioned, but I got the latest update from the App Review team,


Hello,

Thank you for your attention to this matter. While not related to the use of React Native itself, we found your app has a framework with functionality for dynamic functionality updating. It would be appropriate to revise or remove any such features from your app.

We appreciate your efforts to comply with the App Store Review Guidelines, and we look forward to reviewing your resubmitted app.

Best Regards,

App Store Review


Use of a private API was not mentioned, and if the rejection was due to a private API, the guideline I violated would be 2.5.1 (https://developer.apple.com/app-store/review/guidelines/), not 2.3.1 and 2.5.2, I think.

Anyway, I just replaced react-native-blur with a blurred image directly but kept CodePush in my app, then submitted to the App Store.

I will let you know the result.

Thanks for the input @just4fun. We'll look out for your follow-up once you get the results of your latest submission.

So, my new submission has still been In Review for almost one month after I removed react-native-blur from my app.

I sent an email to the App Review team and got this reply just now.


Thanks for your reply.

As per the latest rejection message from September 1, 2017:

Hello,

Thank you for your attention to this matter. While not related to the use of React Native itself, we found your app has a framework with functionality for dynamic functionality updating. It would be appropriate to revise or remove any such features from your app.

We appreciate your efforts to comply with the App Store Review Guidelines, and we look forward to reviewing your resubmitted app.

Furthermore we would like to let you know that we are unable to provide a timeframe for the review of your app, “清水河畔 - stuhome.”


Regarding the framework with functionality for dynamic functionality updating, I'm not sure whether it's react-native-code-push.

Hey @pniko, here is the result for my latest submissions.

rejection

As you see, the first rejection on 30 Aug (the time I created this issue) involved both react-native-blur and react-native-code-push, so I removed react-native-blur, which has a private API (https://github.com/just4fun/stuhome/commit/afb416a01be679e682a74c5ebc3e42cfdef688c3).

For the second rejection on 15 Oct, there was only react-native-code-push, and I got the same rejection reason from the App Review team as in my last comment in this issue above.

Then I removed react-native-code-push (https://github.com/just4fun/stuhome/commit/efdc616674e967f88a19212e4355584bb990b96a) and re-submitted my app on 29 Oct. Finally, it became ready for sale yesterday.

According to the case I faced and the rejection reason from the Apple team, I'm not sure whether it indicates that react-native-code-push is not allowed, but could you have a look at whether I was using this library in the wrong way (https://github.com/just4fun/stuhome/commit/efdc616674e967f88a19212e4355584bb990b96a), or has this famous library already been forbidden by Apple?

If you need more information about my app, please let me know.

BTW, it seems that I have no access to the re-open button for this issue.

Hey @just4fun thanks for keeping this issue updated.
It's quite weird, tbh, that you are getting so many troubles for code-push. I've recently submitted the new version of our app and it got rejected 3 times but never for code-push related issues. Maybe it's related to the market you are developing your app for? 🤔

@kelset I don't know.

I want to include code-push in my next release; let's have a look then.

I've been an iOS Native Developer for more than 5 years already. What this framework does is super prohibited in the App Store guidelines, really. Apps that have this framework are lucky to still be in the Appstore. Apple cares too much about the risk of an app with behavior or UI changing on the Appstore. Let's say that you upload an app that lets you tweet, super simple, and it gets approved on the App Store. The next day you just change the whole jsBundle cause you want to have a porn app, and now teenagers who downloaded your "twitter app" have a porn app in their phones... See what I mean? It's not about what you do, but what you're able to do. Check https://github.com/Microsoft/react-native-code-push#store-guideline-compliance

What this framework does is super prohibited in the App Store guidelines, really.

That's not true. At all. And there's a section in the README dedicated to explaining it deeply.

Let's say that you upload an app that lets you tweet, super simple, and it gets approved on the App Store. The next day you just change the whole jsBundle cause you want to have a porn app, and now teenagers who downloaded your "twitter app" have a porn app in their phones... See what I mean?

That's the only scenario they prohibit.

You can use CP without worries as long as you use it properly for OTA updates of the app you got approved.

@davidvpe I can assure you that CodePush is safe. @kelset is right! I highly recommend checking out the link above. 😊.
