Apple Store Review information request


#22

The case in the Resolution Center disappeared right now !!

The red flag disappeared too.

My new release is still “Waiting for Review”

I think Apple listened to you.

Have any of you seen the red flag disappear too?


#23

I just noticed this too! I basically replied to their issue and then said I would resubmit but asked for more info on what is causing the issue and, like you, it’s gone now, but only for that one app. I have a few others that are still flagged so I may just ask the same question with that.

Hopefully this trend continues :slight_smile:


#24

Status Update: Monday 13 March 07h25 GMT

  • We’re still waiting to hear from Apple but it’s good news that some of us are starting to see their apps being unflagged.
  • I’ve spent the weekend doing source code reviews of all 3rd party libraries used by the native modules that are common across the src/config.json files everyone has sent in. I’ll be carrying on with this process today and will be posting updated module versions over the next few days.

#25

Did you see anything with the modules? I know I only use one 3rd party one I think, the pushwoosh module. That being said, I too looked over the code to see if it was making any calls but didn’t see anything outright.

With it being Monday and Apple officially open, I hope they can start to give us some answers.


#26

Status Update: Monday 13 March 17h45 GMT

I don’t have any new information to share yet, so I’m going to summarise where we’re at right now:

Situation

  • Some customers are experiencing rejections when submitting new versions of their apps.
  • Some customers have had existing apps pulled from the App Store.
  • Some customers with multiple apps on the App Store have had some apps rejected and/or pulled while other apps have not been affected.
  • Some customers have not yet been affected at all.

Analysis

  • Based on comparisons between customer app configurations, we have found no correlation between the modules used and whether they are being flagged by Apple or not.
  • Apart from a single dynamic lookup (using a static string) for a method call against WKWebView when the Forge framework is run in debug mode (which we removed in 2.5.2) we cannot find any other instances in our code which even remotely matches the profile in the rejection notice.
  • We’ve now almost completed the process of ploughing through a massive code review of all our native modules and any third party dependencies they rely on and have, so far, uncovered nothing.
  • If the problem is reload, we would have expected to see apps built on the other hybrid platforms such as Cordova/ReactNative/Microsoft etc. to have been affected as well but there is currently no evidence that this is the case.

Response

  • The first sign that there was a problem was on 20 February when this thread was started.
  • We released Forge Platform v2.5.2 on 24 February which removed one potential cause of the problem.
  • The first sign that multiple customers were affected was on 8 March.
  • We opened a Technical Support Incident (TSI) with Apple on 10 March.
  • On 11 March we received a follow up that closed the TSI and asked us to resubmit it using their “Contact the App Review Team” and “request a technical investigation”.
  • Later on 11 March we received an automated response asking us to submit a rejection appeal form which we subsequently did. We have had no further communication from Apple since then.
  • In a few hours we’ll have completed a full code review of the Forge Platform, Native Modules and all 3rd party dependencies. A process which has, so far, yielded no answers.

It’s now Monday morning in San Francisco and we’re hoping that Apple will respond to our questions soon.


#27

My app with the config.json I sent you last day has just been accepted and is “Ready for Publish”.
It was unflagged yesterday.

I built with 2.5.2 and uploaded binary on Friday. It was reviewed 1 hour ago.

Reload was deactivated for this release. (it was enabled for the flagged running release). Just for information.

For the others who haven’t seen my config.json, the plugins activated are (all in the latest version available):

bolts
damn_you_form_assist
display
facebook
file
icons
launchimages
media
notification
parse
payments (I use payments in my app)
permissions
prefs
request
tabs
topbar
urlhandler


#28

I just got another rejection with reload removed. I’m at a total loss as Apple does not seem to provide any details other than the same response… have there been any updates as of late?

This error message does not seem to be impacting any other frameworks, even with similar function as noted so I’m curious why trigger.io would be singled out here with rollout.io and the like.


#29

Can you provide more info on your config, like how you disabled reload? I disabled it in two places under General in app and tools… My config is similar to yours except I use pushwoosh and no payments but it seems similar enough. The reviewer basically just said the same canned response, even though I have asked for any additional information, but I fear it’s just an automated tool they run and they have no insight into what is causing this even if it’s a false positive.


#30

I disabled Reload simply in the App tab, unchecking the “Reload” (Enable reload functionality) in the General section.
Nothing else.

But I don’t think this is the problem…

The key is to understand why, before submitting any new version of the .ipa, the previous release that was flagged was unflagged Sunday night. This means that the problem is not easy to fix just by moving elements in the configuration.

I have a few questions:

  • You said previously that you have multiple apps built with Trigger.io. Some have been flagged, some other not.

The app you are talking about here, is it an app:

  1. That was flagged red, then unflagged on its own last night. You submitted a new binary and it was flagged again?
  2. That was flagged, that stayed flagged last night (when others were unflagged), and is still rejected when you upload a new binary?

I want to determine whether an unflagged app is stable and stays accepted, while others that are flagged stay flagged after a new binary. This last case would be better because I don’t like random review.


#31

Status update: 15 March 2017 10h00 GMT

It has now been six days since we first reached out to Apple and we have not yet received a response to our questions.

At this time I would like to make an appeal to all our affected customers to please reply to Apple’s rejection notice and, optionally, submit an appeal to the App Review Board.

The process to do this is as follows:

  1. Login to https://itunesconnect.apple.com
  2. Click on “My Apps”
  3. Click on the “View Issues” link of your affected app.
  4. Enter your reply in the “Reply” text box. You can use the following as a template:

We respectfully request that the review team re-evaluate the rejection of our App binary on the basis that it is not guilty of violating compliance with App Store Review Guideline 2.5.2 nor section 3.3.2 of the Apple Developer Licence Agreement.

Our App is a so-called “hybrid” application which is implemented as HTML, CSS & Javascript code run by Apple’s built-in WebKit framework.

Specifically, the platform we have chosen to implement our App is Trigger.IO Forge (https://trigger.io)

To the best of our and Trigger.IO’s knowledge neither our App nor the Trigger.IO Forge platform “Includes any code which passes arbitrary parameters to dynamic methods such as dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations(), and running remote scripts in order to change app behavior and/or call SPI, based on the contents of the downloaded script.”

If we or Trigger.IO are in error, we ask that you please provide us with further information we can use to determine why our App could be triggering a false positive with the review guidelines and allow us to rectify the situation immediately.

To assist in this process Trigger.IO has agreed to share the source code of their platform with the review team should you request this (or any other) information in the course of your investigation.

If you should require access to the Trigger.IO source code please provide us with a https://bitbucket.org/ account name that we can forward to Trigger.IO.

We are eager to work with the review team to resolve this as swiftly as possible and look forward to your response.

All the best,
[your name]

If you like, you can also click the “Submit an appeal to the App Review Board.” link to file a formal appeal.

I’m uncertain whether this will be more effective than just replying to the rejection notice as it may trigger a separate process within Apple that will take longer to result in a response.

Finally, I’d again like to thank everyone for your ongoing patience, feedback and support as we navigate an event which is entirely unprecedented in the five year history of Trigger.IO.


#32

So I do have multiple apps in the App Store, some were flagged and others were not, it seems to be a random selection…

Now for the app that was unflagged, this happened after it went into review, then was rejected, then the flag got removed, making me think maybe it’s just a procedural thing that removed the flag once the ipa is about to go into review again? Really I have no idea because this whole thing seems to be a big witch hunt at the moment.


#33

I did reply to it last night, asking for more detail on it and their response was more canned nonsense

Hello,

Thank you for your response.

The code referenced in our initial rejection message is designed explicitly with the capability to change your app’s behavior or functionality after it has been approved to the App Store.

Any code which passes arbitrary parameters to dynamic methods such as dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations(), and running remote scripts in order to change app behavior or call SPI, based on the contents of the downloaded script is considered not appropriate and needs to be removed from your app’s binary. Even if the code is not intended to be malicious, the security risks it poses to users is significant.

To ensure your users are protected, perform an in-depth review of your app and remove any code, frameworks, or SDKs that facilitate the functionality outlined above.

Best regards,

App Store Review

I replied to that one as well, simply asking them again to provide more detail and mentioning that it does not use any of the technologies mentioned, but I fear this will just fall on deaf ears again as Apple does not seem to care one way or the other.


#34

I’m sure Apple have been inundated with review requests after removing apps using rollout.io and JSPatch from the App Store and they’re dealing with the load by simply supplying canned responses to anything that triggers their rejection scripts.

We’re working hard behind the scenes to establish direct contact with someone at Apple with the authority to investigate what’s actually going on.

Until that happens, I think the best strategy moving forward is to keep up the pressure and do everything we can to encourage the Apple review team to take a closer look at our apps rather than simply dismissing us as “another rollout.io/JSPatch app”.


#35

Do you think this is just a matter of trigger.io being ‘flagged’ as such, or are they actually doing a validation script? If the code base and modules contain no such code, then could it simply be that the platform is on some type of list in general?

Would it be possible to have a build where reload is not even an option, like it’s been removed from the binary etc.? I know the topic has been talked about and it does not look like it’s that, but what else could it be? It seems the mere mention of it could be enough, regardless of how it’s implemented.

I mean, if everything is fine then why would it keep getting flagged unless it’s something more that they are just not telling us? As noted I have responded to their reviews and will see if I can get more than a canned response this next time. In the meantime I’m going to push up some new apps so we will see if they get rejected as well… I hope not because I’m on some deadlines here. Thanks Apple!


App Store Rejection: "2.5 Performance" (Status Updates only)
#36

Let’s try it.

I’ve just pushed a new platform version v2.5.3 to production that removes the iOS implementation of reload in its entirety.

To test it:

  1. Update your src/config.json to "platform_version": "v2.5.3"
  2. Remove all references to reload from the core.general section of your app’s src/config.json file.
  3. Make sure you don’t have any calls to forge.reload.* APIs in your App source code as they will fail with a “This method is not available on this platform” error.

Let us know what happens!
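
A pre-submission check for the three steps above, as an added example that is not part of the original post or of Trigger.IO's tooling. It assumes `platform_version` is a top-level key and `core.general` a nested object in src/config.json; the sample app tree and the method name `forge.reload.exampleCall` are constructed.

```python
import json, re, tempfile
from pathlib import Path

REQUIRED_PLATFORM = "v2.5.3"  # version named in the post above
RELOAD_CALL = re.compile(r"\bforge\s*\.\s*reload\s*\.\s*\w+")  # forge.reload.* usage


def reload_keys(node, path="core.general"):
    """List config paths under core.general whose key name mentions reload."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            hits += [child] if "reload" in key.lower() else reload_keys(value, child)
    return hits


def audit_app(app_dir):
    """Return findings for a Forge app directory; an empty list means clean."""
    src = Path(app_dir) / "src"
    config = json.loads((src / "config.json").read_text(encoding="utf-8"))
    findings = []
    if config.get("platform_version") != REQUIRED_PLATFORM:
        findings.append(f"platform_version={config.get('platform_version')!r}")
    # Assumed layout: {"core": {"general": {...}}}
    general = config.get("core", {}).get("general", {})
    findings += [f"config key: {k}" for k in reload_keys(general)]
    pages = (p for p in src.rglob("*") if p.is_file() and p.suffix in {".js", ".html"})
    for page in sorted(pages):
        lines = page.read_text(encoding="utf-8", errors="replace").splitlines()
        for n, line in enumerate(lines, 1):
            if RELOAD_CALL.search(line):  # also matches commented-out calls
                findings.append(f"{page.relative_to(src).as_posix()}:{n}: {line.strip()}")
    return findings


def make_sample(root, config, js):
    """Write a constructed sample app tree (not a real project) under root."""
    src = Path(root) / "src"
    (src / "js").mkdir(parents=True)
    (src / "config.json").write_text(json.dumps(config), encoding="utf-8")
    (src / "js" / "main.js").write_text(js, encoding="utf-8")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(tmp, {"platform_version": "v2.5.2",
                          "core": {"general": {"reload": True}}},
                    "forge.reload.exampleCall();\n")  # hypothetical method name
        print("\n".join(audit_app(tmp)))
```
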


#37

Hey Antony,

I will do this today!

Thanks for the hookup, I’ll let you know what happens!

Also, as noted I just submitted another app this am, this is an update to a non flagged app but based off the same configuration as another non flagged… again not that it should matter but I’ll keep you posted.


#38

The really strange thing is that my app was successfully reviewed Monday with the module I mentioned previously.

My app has been live for 2 years.

Do you see a “logic” with: new apps never published or with a low number of downloads, and old apps with downloads (that are preserved from the flag)?

My app has about 20K downloads over 2 years.

I’m trying to find some logic…


#39

I was told this today by the apple review board:

Hello,

Thank you for your response.

In order to bring your app into compliance with the App Store Review Guidelines, it would be appropriate to remove any features or functionality which takes javascript script and turns it into native code. This is especially true if the script-to-native-code feature can occur using remote scripts sent in after an app’s review is completed.

We look forward to reviewing this app once the feature change framework is removed.

Best regards,

App Store Review


#40

I see no logic to any of it, I have apps that are from 2014, never been updated and they got flagged and ones that went live last month that did not get flagged as well.

As noted it seems totally random but I’ll resubmit with the updated core tonight in hopes it can resolve the issues. Also, with the status of the developer review with Apple and iOS, I hope something will come of that.


#41

That’s total bs from iOS, Trigger is not RN or NativeScript, Trigger is just a pass-through to native commands like Cordova but does not recompile native.

It may be worth replying and letting them know that the framework does not compile to native code, it simply passes parameters to native code like every other hybrid framework.

If they are saying you can’t have hybrid apps then a lot of apps will go away.

It’s also worth noting that Uber, Evernote etc. are hybrid apps so this claim is crap.