Apple Clamps Down On iOS Apps Using Hot Code Push SDKs

Apple has begun to crack down on apps that use third-party software development kits (SDKs) to modify iOS apps in real time after they have been approved for the App Store.

The technique known as a ‘hot code push’ enables developers to change the behaviour or functionality of apps after they have gone through the Apple approval process.

Because the app fetches and applies that new code from a remote source, this leaves it open to being hijacked by ‘man-in-the-middle’ attacks and therefore poses a significant security risk.

Pouring water over hot code

Apple has yet to officially announce such a move, but users on its developer forum, notably one ‘assdass’, said they have received a message from the Cupertino company which all but demands they perform an in-depth review of their apps and remove any code, frameworks or SDKs that open up apps to potential hacker attacks.

“Your app, extension, and/or linked framework appears to contain code designed explicitly with the capability to change your app’s behaviour or functionality after App Review approval, which is not in compliance with section 3.3.2 of the Apple Developer Program License Agreement and App Store Review Guideline 2.5.2.

“This code, combined with a remote resource, can facilitate significant changes to your app’s behaviour compared to when it was initially reviewed for the App Store. While you may not be using this functionality currently, it has the potential to load private frameworks, private methods, and enable future feature changes,” Apple’s message said.

“Even if the remote resource is not intentionally malicious, it could easily be hijacked via a Man In The Middle (MiTM) attack, which can pose a serious security vulnerability to users of your app.”

The developers discussing the message appear to be using third-party SDKs from Rollout.io or JSPatch, both of which provide direct access to Apple native application programming interfaces (APIs) designated for private use, and allow updates to be pushed to apps without the need for App Store approval.

Rollout.io’s co-founder Erez Rusovsky has responded to the message by declaring that the Rollout.io SDK is safe to use in a statement on its website:

“Our platform has been used by hundreds of developers to improve the quality of their apps by fixing thousands of bugs after release. This benefits developers and end-users alike and has prevented – by a conservative estimate – millions of crashes,” he said.

“Rollout is safe, secured from any MiTM attacks, and allows developers to immediately patch vulnerabilities as they are discovered, without requiring users to download a new version.”

Rusovsky also said Rollout.io complies with Apple’s guidelines on the use of SDKs that bypass the App Store approval process, noting that the service meets Apple’s condition of only working on code run by Apple’s WebKit framework or JavaScriptCore, and that Rollout.io is intended only for patches, not for pushing out new features. Rusovsky noted that to add functionality developers need to release the app through the App Store, and that Rollout.io should not be used as a tool to bypass the approvals process for adding new functionality.

“We want to reiterate that we have always been careful to remain within Apple’s guidelines; specifically the clause in its guidelines that allows developers to push Javascript to live apps as long as features and functionality are not changed,” he said.

Given that Apple famously keeps iOS and macOS as a very closed ecosystem, it is curious why Apple has not cracked down on such SDKs earlier. All signs point to a legitimate concern over security rather than adding more bricks to the iOS walled garden.

Either way, it appears that Apple is calling time on the use of these SDKs, and it looks like developers will have to remove the Rollout.io and similar code from their apps if they want future app updates to be approved by Apple.


Roland Moore-Colyer

As News Editor of Silicon UK, Roland keeps a keen eye on the daily tech news coverage for the site, while also focusing on stories around cyber security, public sector IT, innovation, AI, and gadgets.
