Apple Clamps Down On iOS Apps Using Hot Code Push SDKs

Apple has begun to crackdown on apps that use third-party software development kits (SDKs) to modify iOS apps in real-time after they have been approved for the App Store.

The technique known as a ‘hot code push’ enables developers to change the behaviour or functionality of apps after they have gone through the Apple approval process.

This essentially leaves them vulnerable to being hijacked by ‘man-in-the-middle’ hacker attacks and therefor poses a significant security risk.

Pouring water over hot code

Apple has yet to officially announce such a move, but users on its developer forum, notably one ‘assdass’, said they have received a message from the Cupertino company which all but demands they perform an in-depth review of their apps and remove any code, frameworks or SDKs that open up apps to potential hacker attacks.

“Your app, extension, and/or linked framework appears to contain code designed explicitly with the capability to change your app’s behaviour or functionality after App Review approval, which is not in compliance with section 3.3.2 of the Apple Developer Program License Agreement and App Store Review Guideline 2.5.2.

“This code, combined with a remote resource, can facilitate significant changes to your app’s behaviour compared to when it was initially reviewed for the App Store. While you may not be using this functionality currently, it has the potential to load private frameworks, private methods, and enable future feature changes,” Apple’s message said.

“Even if the remote resource is not intentionally malicious, it could easily be hijacked via a Man In The Middle (MiTM) attack, which can pose a serious security vulnerability to users of your app.”

The developers discussing the message appear to be using third-party SDK from Rollout.io or JSPatch, both of which provide direct access to Apple native application programming interfaces (APIs) designated for private use, and allow for updates to be pushed to apps without the need for App Store approval.

Rollout.io’s co-founder Erez Rusovsky has responded to the message by declaring that the Rollout.io SDK is safe to use in a statement on its website:

“Our platform has been used by hundreds of developers to improve the quality of their apps by fixing thousands of bugs after release. This benefits developers and end-users alike and has prevented – by a conservative estimate – millions of crashes,” he said

“Rollout is safe, secured from any MiTM attacks, and allows developers to immediately patch vulnerabilities as they are discovered, without requiring users to download a new version.”

Rusovsky also said Rollout.io complies with Apple’s guidelines on the use of SDKs that bypass the App Store approval process, noting that the service meets Apple’s conditions of only working on code run by Apples WebKit framework or JavascriptCore, and that Rollout.io is only intended for patches not pushing out new features. Rusovsky noted that to add functionality developers need to release the app through the App Store, and Rollout.io should not be used as a tool to bypass the approvals process for adding new functionality.

“We want to reiterate that we have always been careful to remain within Apple’s guidelines; specifically the clause in its guidelines that allows developers to push Javascript to live apps as long as features and functionality are not changed,” he said.

Given Apple famously keeps iOS and macOS as a very closed ecosystem, it is curious as to why Apple has not crackdown on such SDKs earlier. All signs point to a legitimate concern over security rather than adding more bricks to the iOS walled garden.

Either way, it appears that Apple is calling time on the use of these SDKs, and it look like developers will have to remove the Rollout.io and similar ode from their apps if they wish for future app updates to be approved by Apple.

Quiz: How well do you know Apple?