Realm-js: AppStore review rejected because of 2.5.2 and 3.3.2

Created on 16 Aug 2018 · 9 Comments · Source: realm/realm-js

Goals

Our most recent App Store review was rejected because of 2.5.2 and 3.3.2:

Your app, extension, or linked framework appears to contain code designed explicitly with the capability to change your app's behavior or functionality after App Review approval, which is not in compliance with App Store Review Guideline 2.5.2 and section 3.3.2 of the Apple Developer Program License Agreement.
This code, combined with a remote resource, can facilitate significant changes to your app's behavior compared to when it was initially reviewed for the App Store. While you may not be using this functionality currently, it has the potential to load private frameworks, private methods, and enable future feature changes. This includes any code which passes arbitrary parameters to dynamic methods such as dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations(), and running remote scripts in order to change app behavior and/or call SPI, based on the contents of the downloaded script. Even if the remote resource is not intentionally malicious, it could easily be hijacked via a Man In The Middle (MiTM) attack, which can pose a serious security vulnerability to users of your app.

Our application is built with React Native, and on the native side only Realm calls the above methods. (RCTUtils also calls them, but that shouldn't be the reason, because many applications use React Native and ship to the App Store.)

Is it possible to optimize the Realm SDK and remove the above method calls?

Version of Realm and Tooling

  • Realm JS SDK Version: 2.14.2
  • React Native: 0.53.3
  • Client OS & Version: iOS
  • Which debugger for React Native: None
Labels: O-Community, P-1-Required, T-Bug

All 9 comments

Does the problem also occur in version 2.13.x of realm-js? (I plan to make a submission to Apple soon.)

@LeoLeBras I don't know

We haven't seen such an issue before. We have to investigate what causes the rejection from Apple's side.

@GaoYuJian Just to be clear: you are adding Realm to an existing app, right? And the initial version was written with React Native too?

@kneth
Our previous App Store version integrated Realm 2.8.1, and the rejected version updated Realm to 2.14.2.
React Native was not updated between the two versions.

@GaoYuJian Thank you for clarifying. Did you get more details about the reason for the rejection? AFAIK, Realm hasn't made any changes that fall into any of the categories you describe. We did make a change swapping the implementation of memcpy, but only on Android!

@kneth
[Screenshot attached: 2018-08-17 17:08:15]
The file system_configuration.cpp shown in the screenshot above calls dlopen() and dlsym().

This includes any code which passes arbitrary parameters to dynamic methods such as dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations()

These are the methods that Apple's reply says are prohibited from being called.

Their reply doesn't indicate that dlopen is prohibited, but rather that having code that can pass arbitrary arguments to dlopen is a reason for rejection. As you can see, the arguments that Realm passes to dlopen are known at compile time, so this should fall within the accepted uses.

Additionally, this is code that is also used in the Cocoa SDK, which is used by tens of thousands of developers and we have had no app review issues reported recently.

My guess would be that it's a false positive in their automated analysis tooling, so it should be easy to clear that up by submitting a rejection appeal.
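The distinction drawn in the comment above (dlopen/dlsym with compile-time constant arguments versus arguments that can come from outside the binary) is illustrated below in an added example. This is not Realm's code and not part of the original thread; it uses dlopen(NULL, ...) on the running process and the libc symbol strlen purely as a stand-in for the SystemConfiguration lookup, and the allowlist function is a hypothetical mitigation, not something Realm ships.

```c
/* Added illustration, not Realm's code: three shapes of dlsym() use.
 * Build: cc -o dlsym_shapes dlsym_shapes.c   (add -ldl on older glibc) */
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>

typedef size_t (*strlen_fn)(const char *);

/* Shape 1: the symbol name is a string literal in the binary.
 * This is the pattern the thread says system_configuration.cpp uses:
 * an auditor can see every symbol the app can ever resolve. */
strlen_fn lookup_constant_symbol(void) {
    void *handle = dlopen(NULL, RTLD_LAZY);   /* the process's own namespace */
    if (!handle) return NULL;
    return (strlen_fn)dlsym(handle, "strlen"); /* constant, known at compile time */
}

/* Shape 2: the symbol name arrives from outside the binary (a downloaded
 * script, a server response). This is the "arbitrary parameters" shape
 * Apple's rejection text describes: whatever the remote side (or a MITM
 * on an unpinned connection) names gets resolved. Shown only to contrast. */
void *lookup_untrusted_symbol(const char *name_from_network) {
    void *handle = dlopen(NULL, RTLD_LAZY);
    if (!handle) return NULL;
    return dlsym(handle, name_from_network);
}

/* Shape 3 (hypothetical mitigation): accept a name from outside, but only
 * ever pass one of a fixed, compile-time table of strings to dlsym(). The
 * resolvable set is again visible in the binary, and the network can only
 * choose among entries the developer wrote. */
static const char *const kAllowedSymbols[] = { "strlen", "memcpy" };

void *lookup_allowlisted_symbol(const char *requested) {
    size_t n = sizeof kAllowedSymbols / sizeof kAllowedSymbols[0];
    for (size_t i = 0; i < n; i++) {
        if (strcmp(requested, kAllowedSymbols[i]) == 0) {
            void *handle = dlopen(NULL, RTLD_LAZY);
            /* note: the table entry, not the caller's buffer, is passed */
            return handle ? dlsym(handle, kAllowedSymbols[i]) : NULL;
        }
    }
    return NULL; /* anything outside the table is refused */
}

int main(void) {
    strlen_fn f = lookup_constant_symbol();
    printf("constant lookup:    %s\n", f ? "resolved" : "failed");
    printf("untrusted 'strlen': %s\n", lookup_untrusted_symbol("strlen") ? "resolved" : "failed");
    printf("allowlist 'strlen': %s\n", lookup_allowlisted_symbol("strlen") ? "resolved" : "failed");
    printf("allowlist 'system': %s\n", lookup_allowlisted_symbol("system") ? "resolved" : "refused");
    return 0;
}
```

Shape 1 and shape 3 both leave every resolvable symbol name as a literal in the binary, which is what an automated scan (or a human reviewer) can verify; shape 2 does not, which is the property the guideline text is actually objecting to.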

The application passed review, but Realm was downgraded to 2.8.1, so now we are not sure what the reason for the rejection was.

@GaoYuJian I will close the issue. If your app is rejected in the future, please either reopen it or create a new issue.
