App Rejected from App Store [Resolved: because of Amap and JSPatch, not React Native]

Our App got rejected by App Store on March 17 with the following message from Apple

Mar 17, 2017 at 8:00 PM
From Apple

2. 5 Performance: Software Requirements (iOS)

Thank you for submitting your app.

Upon further review, we found your app out of compliance with the following guideline(s):

Performance - 2.5.2

Your app, extension, and/or linked framework appears to contain code designed explicitly with the capability to change your app’s behavior or functionality after App Review approval, which is not in compliance with App Store Review Guideline 2.5.2 and section 3.3.2 of the Apple Developer Program License Agreement.

This code, combined with a remote resource, can facilitate significant changes to your app’s behavior compared to when it was initially reviewed for the App Store. While you may not be using this functionality currently, it has the potential to load private frameworks, private methods, and enable future feature changes. This includes any code which passes arbitrary parameters to dynamic methods such as dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations(), and running remote scripts in order to change app behavior and/or call SPI, based on the contents of the downloaded script. Even if the remote resource is not intentionally malicious, it could easily be hijacked via a Man In The Middle (MiTM) attack, which can pose a serious security vulnerability to users of your app.

Next Steps

Perform an in-depth review of your app and remove any code, frameworks, or SDKs that fall in line with the functionality described above and resubmit your app’s binary for review.

Best regards,
App Store Review

List of iOS packages used by us

• Reachability
• GoogleSignin
• Alamofire
• Crashlytics
• Fabric
• NVActivityIndicator
• React Native SQLite Storage
• RNTableView
• CodePush
• RNDeviceInfo
• react-native-mixpanel
• OneSignal
• react-native-camera
• react-native-keep-awake

We were suspecting the CodePush. So, We re-submitted the App without CodePush. Still, Apple rejected by saying the same message.

They have mentioned that We shouldn’t use dlopen(), dlsym() etc., So, We did the search of whole Repo for those functions. We found those functions in React Native itself. We found dlsym in RCTUtils.m ( https://github.com/facebook/react-native/blob/master/React/Base/RCTUtils.m#L535 ) etc.,

Thanks,