App Store Rejection - Remote Code Updates (Guideline 2.5.2)

Has anybody suddenly started suffering from App Store rejections, citing the inclusion of remote resources?

Background Context:

  • App built against Expo SDK 32.
  • Project ejected, so builds are unmanaged.
  • App has been live for several months, and has survived 10+ reviews.

Our most recent release has failed multiple iterations of review, with the following review feedback being provided:

This code, combined with a remote resource, can facilitate significant changes to your app’s behavior compared to when it was initially reviewed for the App Store. While you may not be using this functionality currently, it has the potential to load private frameworks, private methods, and enable future feature changes. This includes any code which passes arbitrary parameters to dynamic methods such as dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations(), and running remote scripts in order to change app behavior and/or call SPI, based on the contents of the downloaded script. Even if the remote resource is not intentionally malicious, it could easily be hijacked via a Man In The Middle (MiTM) attack, which can pose a serious security vulnerability to users of your app.

Whilst Expo has not been specifically mentioned by Apple, there is nothing else in the app that could really provoke that sort of response.

Is anyone else experiencing increased difficulty in getting their app into the App Store? Has anyone else been given feedback similar to the above?

Any help greatly appreciated, as we’re running out of angles to approach this one from…

Hi! This has been asked about before (and here, too)

Basically- Expo’s OTA Updates feature falls within Apple’s guidelines, and it’s rare that this issue crops up. In the past, it’s been due to something specific to the app, and not with Expo

I suggest asking for clarification on how exactly you are infringing on guideline 2.5.2

  • App has been live for several months, and has survived 10+ reviews.

This is definitely weird, so once Apple responds to you please keep us updated here!

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.