Apple app store rejected a previously passed Trigger.IO app

Ridiculously simple app - hits a few urls to display data to the user. That's really about all it does. Absolutely the simplest application ever.

Using the following Trigger/Forge framework modules:

icons
launchImage
notification
prefs
pushwoosh
request
topbar

The ONLY coding difference in this latest version is to add some background color on a few certain divs displayed in the UIWebView. Literally, that is all. Last update was pushed and approved and released in early January of this year.

Reload function is NOT enabled in the Trigger config. Verified in the JSON file.

Rejected with the following message:

Any code which passes arbitrary parameters to dynamic methods such as dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations(), and running remote scripts in order to change app behavior or call SPI, based on the contents of the downloaded script is considered not appropriate and needs to be removed from your app’s binary. Even if the code is not intended to be malicious, the security risks it poses to users is significant.

To ensure your users are protected, perform an in-depth review of your app and remove any code, frameworks, or SDKs that facilitate the functionality outlined above.

Best regards,

App Store Review

I can't get them to tell me where they're seeing this code they're rejecting, and they've been zero help. Are other users of Trigger.IO apps with a similarly simple app seeing rejections since recent security updates from Apple or anything?

Thanks so much.

There are 4 best solutions below

2
mmixan On

Yes, we are seeing exactly the same issue. Minimal changes in our latest release but received the same message from iOS. I replied to their initial message asking for more details but received a canned response that was no different from the original message.

0
chornbe On

Well, this pretty much closes the loop on things like Trigger and Ionic, et al. Here's what I got from the App Store review committee.

NOW, can someone from Trigger please comment? Does this then put you completely out of the iOS app business?

--

Hello,

Thank you for your response.

In order to bring your app into compliance with the App Store Review Guidelines, it would be appropriate to remove any features or functionality which takes javascript script and turns it into native code. This is especially true if the script-to-native-code feature can occur using remote scripts sent in after an app's review is completed.

We look forward to reviewing this app once the feature change framework is removed.

Best regards,

App Store Review

0
Antoine van Gelder On

Briefly, we simply do not know why Trigger.IO apps are currently being rejected from the App Store.

For status updates and discussion please join us on the Trigger.IO community forum, here:

https://community.trigger.io/t/apple-store-review-information-request/232

1
hotpaw2 On

It has always been the case that previous iOS app approvals do not set any precedent regarding whether similar, or even identical, apps will be approved by Apple in the future.

It is possible that a library included by your app contains code that allows arbitrary modifications to your app's behavior. Even though you may not use this feature in your app, other actors possibly could (or it's too hard to tell if they can or can't), which might present a huge security risk to your app's users. So Apple may have started scanning for any code supporting this feature in new app updates or submissions, and disallowing it.

There may be other hybrid app libraries that do not include code using dynamic Objective-C methods. Perhaps Apple will approve apps that use those instead.
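
An added example, not part of the original answers and not Trigger.IO's code: one way to find which files in an unpacked app bundle reference the dynamic methods named in the rejection message, so the library responsible can be identified. The bundle layout, file names and file contents below are constructed, and some of these names are common in Objective-C binaries, so a hit shows where to look rather than what the reviewer flagged.

```python
import os
import tempfile

# Names taken from the App Store Review rejection message quoted in the question.
FLAGGED = [b"dlopen", b"dlsym", b"respondsToSelector:", b"performSelector:",
           b"method_exchangeImplementations"]

def scan_file(path, chunk_size=1 << 20):
    """Return the sorted flagged names found as raw bytes in one file."""
    found = set()
    overlap = max(len(n) for n in FLAGGED) - 1  # keep enough bytes to span chunk edges
    tail = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            window = tail + chunk
            for name in FLAGGED:
                if name in window:
                    found.add(name.decode())
            tail = window[-overlap:]
    return sorted(found)

def scan_bundle(root):
    """Map each file under root (relative path) to the flagged names it contains."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            if os.path.islink(full):
                continue  # skip symlinks so framework aliases are not counted twice
            hits = scan_file(full)
            if hits:
                report[os.path.relpath(full, root)] = hits
    return report

def build_sample_bundle(root):
    """Constructed stand-in for an unpacked .app; names and bytes are made up."""
    fw = os.path.join(root, "Frameworks", "Example.framework")
    os.makedirs(fw)
    with open(os.path.join(root, "ExampleApp"), "wb") as fh:
        fh.write(b"\x00\x01_main\x00performSelector:\x00")
    with open(os.path.join(fw, "Example"), "wb") as fh:
        fh.write(b"\xca\xfe_dlopen\x00_dlsym\x00method_exchangeImplementations\x00")
    with open(os.path.join(root, "Info.plist"), "wb") as fh:
        fh.write(b"<plist></plist>")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_bundle(tmp)
        for path, names in sorted(scan_bundle(tmp).items()):
            print(path, "->", ", ".join(names))
```

On a real build, call `scan_bundle` on the unpacked `.app` directory instead of the constructed sample.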