
Alipay reference in ios SDK causes app store approval issue

Open viking2917 opened this issue 2 years ago • 6 comments

Alipay reference in iOS SDK causing app store approval issues

I have an iOS app that uses the JITSI iOS SDK for in-app meetings.

If one reviews the main.jsbundle in the iOS SDK framework (https://github.com/jitsi/jitsi-meet-ios-sdk-releases/blob/master/Frameworks/JitsiMeetSDK.xcframework/ios-arm64/JitsiMeetSDK.framework/main.jsbundle), you can see an export string with "alipay" in it.

Previously, when I submitted my app to Apple, it was rejected because (according to them) it included references to external (non-Apple) payment systems. (I use Apple in-app purchases for my subscriptions, my app is on the up-and-up). This file is the only reference I could find in my app to Alipay. I hand edited the main.jsbundle to remove that single string, and re-submitted my app, and it was approved.

Nearest I can tell they just scan the binary for occurrences of questionable strings.

This was a long time ago; I'm upgrading my app to the latest version of JITSI (6.1.0), and that reference is still there. So far as I know JITSI has no need for Alipay, and I'd like to avoid re-hand-editing that file, and use the approved releases.

Can it be removed? Is there a reason it is there?

Steps to reproduce:

  1. See the file mentioned above.

Expected behavior:

There should be no reference to Alipay in the iOS code that gets embedded into an iOS app.

Actual behavior:

Server information:

  • Jitsi Meet version: n/a
  • Operating System: n/a

Client information:

  • Browser / app version: iOS SDK 6.1.0
  • Operating System: iOS

Additional information:

viking2917 avatar Sep 13 '22 21:09 viking2917

Not sure where that comes from but I can assure you we don't have any payment system integrations so it must be a false positive.

We have just released Jitsi Meet 22.5.1 with that SDK and didn't get any issues.

saghul avatar Sep 14 '22 07:09 saghul

Thanks @saghul. It's in a giant list of random export strings and I can't see where it comes from either.

Maybe I'll just try submitting it again with the new version and see if I get a complaint this time. Will update here depending on outcome.

viking2917 avatar Sep 14 '22 17:09 viking2917

(randomly browsing open issues, and was curious about this one)

It looks like the string appears as part of a list of DNS top-level-domains (TLDs), and that it was added after a re-bundle of frontend resources that included jitsi/jitsi-meet#4509.

In particular it's react-linkify that adds the dependency on the tlds library (including the lengthy list of strings, of which many are brand names).

That fits timeline-wise too:

  • 2019-06-28 - SDK 2.2.0 tagged (tld-strings: no)
  • 2019-08-06 - react-linkify dependency added to frontend
  • 2019-09-17 - SDK 2.3.0 tagged (tld-strings: yes)

I could be mistaken but I think that's a possible explanation.

jayaddison avatar Sep 17 '22 20:09 jayaddison
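The check described in the comment above can be scripted when triaging a flagged string in a bundle. This is an added example, not code from the thread or from the Jitsi project: the function name, the thresholds, the sample bundle fragment and the short TLD excerpt are all constructed for illustration (a real run would load the full list that the tlds package ships).

```javascript
// Constructed excerpt of IANA TLD names; stands in for the full tlds list.
const KNOWN_TLDS = new Set(['airbus', 'airforce', 'airtel', 'akdn', 'alibaba',
  'alipay', 'allfinanz', 'allstate', 'ally', 'alsace', 'alstom', 'amazon']);

// Constructed bundle fragment (NOT the real main.jsbundle): a TLD array as a
// bundler might emit it, followed by an unrelated literal containing the needle.
const SAMPLE_BUNDLE =
  'e.exports=["airbus","airforce","airtel","akdn","alibaba","alipay",' +
  '"allfinanz","allstate","ally","alsace"];' +
  'function f(){return g("https://example.invalid/alipay/checkout")}';

// Classify every string literal that mentions `needle`:
//   'tld-list'  exact literal whose neighbouring literals are mostly TLDs
//   'isolated'  exact literal with unrelated neighbours (needs a closer look)
//   'embedded'  needle appears inside a longer literal (URL, message, ...)
function classifyOccurrences(bundle, needle, knownTlds, span = 4, threshold = 0.75) {
  const literals = [];
  const re = /"([^"\\\n]*)"|'([^'\\\n]*)'/g; // simple quoted literals only
  for (const m of bundle.matchAll(re)) {
    literals.push({ text: (m[1] ?? m[2]).toLowerCase(), offset: m.index });
  }
  const results = [];
  literals.forEach((lit, i) => {
    if (!lit.text.includes(needle)) return;
    if (lit.text !== needle) {
      results.push({ offset: lit.offset, kind: 'embedded', literal: lit.text });
      return;
    }
    // Look at up to `span` literals on each side of the hit.
    const neighbours = [
      ...literals.slice(Math.max(0, i - span), i),
      ...literals.slice(i + 1, i + 1 + span),
    ];
    const hits = neighbours.filter((n) => knownTlds.has(n.text)).length;
    const ratio = neighbours.length ? hits / neighbours.length : 0;
    results.push({
      offset: lit.offset,
      kind: ratio >= threshold ? 'tld-list' : 'isolated',
      ratio,
    });
  });
  return results;
}

console.log(classifyOccurrences(SAMPLE_BUNDLE, 'alipay', KNOWN_TLDS));
```

Only hits reported as `isolated` or `embedded` need manual tracing back to a dependency; a `tld-list` hit is data from a domain-name list rather than a payment integration.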

Good digging!

If that is the case it has been part of the SDK for years now.

saghul avatar Sep 18 '22 05:09 saghul

@jayaddison @saghul Thanks for the digging. I hope to submit a new version of my app this week; will report back whether I get flagged again!

viking2917 avatar Sep 18 '22 05:09 viking2917

If you do, please paste the full rejection message here.

saghul avatar Sep 18 '22 06:09 saghul

So, I got through the app review without an issue this time. At least, related to this issue :). I am closing this, thanks for the investigation!

viking2917 avatar Sep 27 '22 00:09 viking2917