Guideline 2.5.2 - Performance - Software Requirements


Your app, extension, or linked framework appears to contain code designed explicitly with the capability to change your app’s behavior or functionality after App Review approval, which is not in compliance with App Store Review Guideline 2.5.2 and section 3.3.2 of the Apple Developer Program License Agreement.

This code, combined with a remote resource, can facilitate significant changes to your app’s behavior compared to when it was initially reviewed for the App Store. While you may not be using this functionality currently, it has the potential to load private frameworks, private methods, and enable future feature changes. This includes any code which passes arbitrary parameters to dynamic methods such as dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations(), and running remote scripts in order to change app behavior and/or call SPI, based on the contents of the downloaded script. Even if the remote resource is not intentionally malicious, it could easily be hijacked via a Man In The Middle (MiTM) attack, which can pose a serious security vulnerability to users of your app.

The next submission of this app may require a longer review time, and this app will not be eligible for an expedited review until this issue is resolved.

分隔線----------------------------------------------------------------------------------------------翻譯！

您的應用程序、擴展或鏈接框架似乎包含明確設計的代碼，該代碼具有在App Review批準后更改應用程序的行為或功能的能力，這不符合App Store Review Guideline 2.5.2和Apple Developer Program Lice的第3.3.2節。NSE協議。



與最初為App Store檢查應用程序相比，此代碼與遠程資源結合可以促進應用程序行為的顯著變化。雖然您當前可能沒有使用此功能，但是它有可能加載私有框架、私有方法并啟用將來的特性更改。這包括將任意參數傳遞給動態方法的任何代碼，如dlopen()、dlsym()、respondsToSelector:、performSelector:、method_exchangeImplementations()，以及運行遠程腳本，以便根據下載的腳本的內容更改應用程序行為和/或調用SPI。即使遠程資源不是故意惡意的，它也可能很容易通過中間人（MiTM）攻擊被劫持，這會給應用程序的用戶造成嚴重的安全漏洞。



下一次提交此應用程序可能需要更長的審查時間，并且此應用程序將沒有資格進行快速審查，直到這個問題得到解決。