[F/GO][Chat] Potential impact of Apple's recent terms changes on FGO

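Board: TypeMoon | Author: (沒了戒指的魔王) | Time: 8 years ago (2017/03/15 16:26), edited 8 years ago | Pushes/boos: 3 (3 pushes, 0 boos, 2 neutral)
5 comments, 4 participants, latest in thread 1/1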
Here is how it started: developers for Apple products often use a third-party service called Rollout.io to do hot code push (similar to what is commonly called a hotfix).

But on 3/7, many Apple developers found that their apps had been taken down without warning, and they received a message like this:

"Your app, extension, and/or linked framework appears to contain code designed explicitly with the capability to change your app’s behavior or functionality after App Review approval, which is not in compliance with section 3.3.2 of the Apple Developer Program License Agreement and App Store Review Guideline 2.5.2. This code, combined with a remote resource, can facilitate significant changes to your app’s behavior compared to when it was initially reviewed for the App Store. While you may not be using this functionality currently, it has the potential to load private frameworks, private methods, and enable future feature changes. This includes any code which passes arbitrary parameters to dynamic methods such as dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations(), and running remote scripts in order to change app behavior or call SPI, based on the contents of the downloaded script. Even if the remote resource is not intentionally malicious, it could easily be hijacked via a Man In The Middle (MiTM) attack, which can pose a serious security vulnerability to users of your app. Please perform an in-depth review of your app and remove any code, frameworks, or SDKs that fall in line with the functionality described above before submitting the next update for your app for review."
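In short, it says the apps were temporarily taken down because the developers' code violates the "current" developer agreement and App Store listing terms, and that Apple hopes developers will fix this part.

Shortly afterwards, Rollout.io put out a statement on this:
https://9to5mac.com/2017/03/08/rollout-hot-code-push-policy-shift/

However, while developers were waiting for Rollout.io to come up with a solution, there was a new development:
https://rollout.io/blog/open-letter-to-apple-secure-javascript-injection-ios/

On 3/13, Rollout told developers about the possibility of doing hot code push in the future through Apple's Live Update Service Certificate service.

---------------------- Below are my personal thoughts on this incident -----------------------------

It looks like Apple wants to take control of hot code push services into its own hands as well, so it is "pushing" the other side to give way by amending its terms (this is my personal guess).

In the short term, the main impact on consumers is roughly that bugs cannot be fixed quickly, iOS players' app versions will be older, and they may even be unable to take part in certain events that involve larger changes to the program architecture.

For developers, the feasibility of refactoring the program in a short time is hard to assess (in most cases feasibility is low), so apps that use the Rollout.io service will all have to wait until the new service goes live and adjustments are finished before consumers can use a new version of the app.

For FGO, the degree of impact is still unknown, since it is not certain whether FGO's hotfix uses this service or uses another third-party path to update its Lua.

That said, please don't read too much into this, since we don't yet know whether it will be affected.
Even if it really happens, that would just be another round of collecting stones~

--
※ Posted from: PTT (ptt.cc), from: 61.219.144.228
※ Article URL: https://www.ptt.cc/bbs/TypeMoon/M.1489566385.A.07E.html
※ Edited: Golu (61.219.144.228), 03/15/2017 16:28:07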

03/15 16:28, 1F
※ Edited: Golu (61.219.144.228), 03/15/2017 16:31:13

03/15 17:08, 2F
If this spreads to the users and can't be fixed right away, it really is compensation time again. Getting

03/15 17:08, 3F
rich all thanks to the operators is not nonsense after all

03/15 17:38, 4F
Getting rich, all thanks to Apple now

03/15 17:50, 5F
Is it time to jump ship to A-po (阿婆)?
※ Edited: Golu (61.219.144.228), 03/15/2017 17:57:32
Article code (AID): #1OoFgn1- (TypeMoon)