Apple begins strictly enforcing rule that prohibits iOS app updates outside of App Store
Apple is starting to more uniformly enforce a restriction in place since the beginning of the App Store, and is proactively notifying developers that it will refuse approval to new apps or updates that include mechanisms to update or alter pre-approved app behavior outside the App Store.
Developers, sometimes with apps already approved and for sale, are receiving a notification from Apple informing them of the issue, and advising them to remove offending code prior to the next update. Apple cites two relevant rules in the message, specifically, section 3.3.2 of the Apple Developer Program License Agreement and App Store Review Guideline 2.5.2.
Both rules have been in place since the dawn of the iOS App Store. However, Rollout.io, a popular iOS troubleshooting and update tool, is impacted by the enforcement and claims that Apple is interpreting the guidelines in a "more narrow way," which will cause problems with the service.
Rollout allows developers to "push code-level changes" to native iOS apps. This lets coders "fix bugs, update configuration data, patch security holes or diagnose issues" without dealing with the sometimes lengthy App Store review process.
"We are disappointed that Apple has made this change before we have had an opportunity to address any concerns," Rollout says in a blog post. "We have already reached out to Apple to discuss and are committed to adjusting our offering as needed to remain in compliance under the more narrow interpretation of the guidelines."
App Store Review Guideline 2.5.2 mandates that "Apps should be self-contained in their bundles, and may not read or write data outside the designated container area, nor may they download, install, or execute code, including other iOS, watchOS, macOS, or tvOS apps."
Apple Developer Program License Agreement section 3.3.2 is similar, and says that an application "may not download or install executable code" and "interpreted code may only be used in an Application if all scripts, code and interpreters are packaged in the Application and not downloaded."
Apple claims that the forbidden frameworks can "easily be hijacked via a Man In The Middle (MiTM) attack" and "can pose a serious security vulnerability to users."
AppleInsider has reached out to Apple for further elaboration on why stricter enforcement of the near-decade-old rule is being applied now, and will update accordingly. While it may be coincidental, the first reports of the stricter enforcement of the App Store rules surfaced on March 7, the same day as the WikiLeaks publication about the CIA's iOS, Android, and Windows hacking division.
Comments
Exactly what I thought: this is all about the CIA leaks and what they could do. Imagine the Mobile Passport, which is put out for the government, had the ability to update code outside the Apple system of checks and balances; then our government installs code which allows them to watch what you are doing. This could be done with any app; the NSA could set up a fake company making some sort of great app that everyone would download and want to use.
I personally have not seen any. I have a few which come up and say I am out of date but push me to the Apple store for the update. It is interesting a banking app would do this.
Tinder, Glassdoor, Target, Kobo... probably many others.
It's used extensively for A/B testing. It's designed to be completely transparent to the end user.
I'm really surprised that Apple has allowed these frameworks to slip under the radar for so long.
Usually those new features and such are already in the executable from a previous app update, and they just enable or disable the functionality based on a response from a server somewhere. This is still allowed under the guidelines and wouldn't change. Facebook does this a ton, and so does Google.
My guess is they used to let this slide because of the very long review times, which is really the reason these tactics became popular in the first place. Now that app reviews are only a day or two on average there is less reason to need services like this, and my guess is Apple will point to shortened review times as a major reason they're cracking down on it: "it's just not necessary anymore."
Anyway I think Apple should introduce A/B testing.
I know it's obvious. But I've had several apps, including a couple from Adobe, tell me to update the apps. That seems strange, doesn't it? After all, you shouldn't need to update the apps. But often I go to updates (I have hundreds of apps on my iPad!), and there's a dozen apps waiting to be updated, including the Adobe one. It seems that when I open the app, it knows there's a new update, but for some reason, the iPad hasn't yet updated.