Rollout proposes a secure JavaScript injection approval process for Apple's app stores

Rollout.io, an iOS troubleshooting and update tool, has published an open letter to Apple proposing a secure JavaScript injection approval process as a way to address the concerns Apple raised late last week about apps that use code-swapping frameworks like Rollout.

Here’s part of the proposal: “Just as full releases require a distribution certificate, developers will obtain a ‘Live Update Service Certificate’ from Apple.

“Just as Apple signs .ipa files, which are pushed to the App Store and then downloaded to end user devices, we propose Apple begin to sign JavaScript code, which is returned to the developer, who can then push it directly to live devices. The Apple SDK would verify the signature authenticity and only execute verified code.”
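The verify-before-execute step in the proposal can be sketched as follows. This is an added example, not code from Rollout or Apple: the Ed25519 key pair, the payload layout, and the `signPatch` and `verifyPatch` names are assumptions, and the app-binding and rollback checks go beyond what the letter describes.

```javascript
const crypto = require("node:crypto");

// Constructed stand-in for the store's signing key. In the proposed flow the
// SDK would hold only the public half, pinned at build time.
const { publicKey: PINNED_PUBLIC_KEY, privateKey: signerKey } =
  crypto.generateKeyPairSync("ed25519");

// Signer side (hypothetical): bind the script to one app and one version so a
// valid signature cannot be replayed against another app or an older release.
function signPatch(privateKey, appId, version, script) {
  const payload = Buffer.from(JSON.stringify({ appId, version, script }), "utf8");
  return { payload, signature: crypto.sign(null, payload, privateKey) };
}

// SDK side: check the signature over the raw bytes first, parse only after it
// passes, and return the script only when every check succeeds.
function verifyPatch(bundle, publicKey, appId, installedVersion) {
  const { payload, signature } = bundle || {};
  if (!Buffer.isBuffer(payload) || !Buffer.isBuffer(signature)) {
    return { ok: false, reason: "malformed" };
  }
  if (!crypto.verify(null, payload, publicKey, signature)) {
    return { ok: false, reason: "bad-signature" };
  }
  const patch = JSON.parse(payload.toString("utf8"));
  if (patch.appId !== appId) return { ok: false, reason: "wrong-app" };
  if (!Number.isInteger(patch.version) || patch.version <= installedVersion) {
    return { ok: false, reason: "rollback" };
  }
  return { ok: true, version: patch.version, script: patch.script };
}

// Constructed sample bundles: one as signed, one modified after signing.
const good = signPatch(signerKey, "com.example.app", 7, "setBannerText('fixed');");
const tampered = {
  payload: Buffer.from(good.payload.toString("utf8").replace("fixed", "other")),
  signature: good.signature,
};

console.log(verifyPatch(good, PINNED_PUBLIC_KEY, "com.example.app", 6));
console.log(verifyPatch(tampered, PINNED_PUBLIC_KEY, "com.example.app", 6));
```

The caller hands `script` to the JavaScript engine only when `ok` is true; any other result is logged and the patch is discarded.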

Earlier this month Apple began to “more uniformly” enforce a restriction in place since the debut of the Apple App Store in 2008, and started notifying developers that it will refuse approval to new apps or updates that include mechanisms to update or alter pre-approved app behavior outside the App Store. Developers, sometimes with apps already approved and for sale, received a notification from Apple informing them of the issue, and advising them to remove offending code prior to the next update. Apple cites two relevant rules in the message, specifically, section 3.3.2 of the Apple Developer Program License Agreement and App Store Review Guideline 2.5.2.

Both rules have been in place since the store debuted. However, Rollout.io was impacted by the enforcement. Rollout allows developers to "push code-level changes" to native iOS apps, allowing coders to "fix bugs, update configuration data, patch security holes or diagnose issues" without dealing with the sometimes lengthy app store review process.
