zlacker

[parent] [thread] 6 comments
1. dperfe+(OP)[view] [source] 2016-01-10 19:14:06
Amazon has just as much reason as Apple (or any platform provider) to want to restrict the types of apps that get published.

As for the effectiveness of that control, there's little practical difference between "simply registering an URL" and uploading a binary; both can load external content or be modified (in terms of what the user actually sees/experiences) almost entirely after the initial review. There will always be apps that try to abuse that possibility, and they usually get reported or re-evaluated, but it's probably a very small number of apps that will do that.

The point is to simply filter out a larger number of spammy, malicious, or otherwise offensive apps at the onset rather than spending more resources constantly monitoring everything after the fact. That said, it's unfortunate when the review process is as flawed as it seems to be in this case (poor communication, inconsistent policies, etc).

replies(2): >>rdw+a1 >>inflag+o1
2. rdw+a1[view] [source] 2016-01-10 19:27:26
>>dperfe+(OP)
Apple has tools to see whether your app is loading external content and modifying itself, though. I think you can deceive them by making it seem as though it does so in an allowed manner (e.g. no code execution) during review, but they'll definitely know that your app has the theoretical capability.
3. inflag+o1[view] [source] 2016-01-10 19:30:35
>>dperfe+(OP)
There's a huge difference. An URL is an absolute black box, a binary that you have to give Apple for certification on each change and that has to call Apple APIs to do anything useful (like network) is not.

Apple will scan your App to check for basic violations, that's all automated. For instance is there a specific flag that you can initialize a socket with to listen in background. This is only allowed if your app is supposed to stream music in background or do some VoIP thing. So if you're app is not that and the software detects you have that flag set anywhere in the code no way you will get it through the certification. There's simply no possibility for such analysis with a URL.

replies(4): >>dperfe+p2 >>XMPPwo+G6 >>anatar+0b >>Strato+Mb
◧◩
4. dperfe+p2[view] [source] [discussion] 2016-01-10 19:44:05
>>inflag+o1
It sounds like you're assuming the majority of (iOS) App Store rejections deal with using unofficial/restricted APIs. My guess is that's relatively rare.

Most of the apps caught in the review process are probably those that fail other guidelines (usefulness, privacy concerns, illegal/inappropriate content, poor UX/quality, excessive crashing, etc). Most of those things can't be caught by automated means, and the content-related things can certainly be changed after initial review.

I've personally worked on several apps that significantly modify app behavior after being published - not so much to bypass any review requirements, but rather to adapt to changing business needs without waiting to publish a new release.

◧◩
5. XMPPwo+G6[view] [source] [discussion] 2016-01-10 20:35:27
>>inflag+o1
Another interesting thing about iOS- they enforce code signing on the page level. You cannot create a RW page, write new code (from the network) into it, and then remap it as RX; every instruction needs to be approved by Apple. So changing behavior at runtime in a way that's subtle enough to pass certification is a lot harder than it would be on some hypothetical walled-garden Android (where you can, AFAIK, pull down a JNI extension over HTTP and load it.)
◧◩
6. anatar+0b[view] [source] [discussion] 2016-01-10 21:43:50
>>inflag+o1
This is kind of missing the whole point. Which is, as a developer, you can slip anything into the Apple appstore that you could have slipped into Alexa's, so the point the article is making about certification is silly. Of course there are more security implications in Apple's case, but the fact remains that numerous apps have done the bait and switch and were pulled after Apple discovered it much later.
◧◩
7. Strato+Mb[view] [source] [discussion] 2016-01-10 21:56:00
>>inflag+o1
There's a big exception to the automated checking. You can download new JavaScript code any time after your app is approved, as long as your app runs the code under the built-in WebKit. I don't think there is any automated checking of what your new code does - how could there be? It's just a violation of the terms of service if you change the app into something completely different:

> 3.3.2 An Application may not download or install executable code. Interpreted code may only be used in an Application if all scripts, code and interpreters are packaged in the Application and not downloaded. The only exception to the foregoing is scripts and code downloaded and run by Apple's built-in WebKit framework or JavascriptCore, provided that such scripts and code do not change the primary purpose of the Application by providing features or functionality that are inconsistent with the intended and advertised purpose of the Application as submitted to the App Store.

https://developer.apple.com/programs/ios/information/

http://info.meteor.com/blog/apple-hot-code-push-mobile

[go to top]