App rejected by Apple because "app loads remote manifest settings"

Please provide the following:

  1. SDK Version: 41
  2. Platforms(Android/iOS/web/all): iOS
  3. Add the appropriate “Tag” based on what Expo library you have a question on.

Managed workflow, trying to publish an app to the App Store for the first time, keep getting rejected. After some unclear back and forth with Apple, this is what they’ve responded with:

"Regarding previously communicated issue, specifically, we found that on launch this app loads remote manifest settings via its call to exp.host/@myhost/my-app, which itself returns settings for remote asset importing. This, combined with the hybrid nature of the app creates 2.5.2 concerns. This code, combined with a remote resource, can facilitate significant changes to your app’s behavior compared to when it was initially reviewed for the App Store. While you may not be using this functionality currently, it has the potential to load private frameworks, private methods, and enable future feature changes. Even if the remote resource is not intentionally malicious, it could easily be hijacked via a Man In The Middle (MiTM) attack, which can pose a serious security vulnerability to users of your app. It would be appropriate to remove any and all remote manifest, and thus remote asset importing which may include remote javascript imports, from the app before resubmitting for review. "

How would I go about solving this? I’m not even sure I understand their concerns, and I don’t even think my app even does that (I’ve published much more complex apps with practically the same code and setup without any problems). Thanks.

Hi. I suggest you email secure@expo.io with the details.

1 Like

ok, will do

If possible, can you please share developments while talking with secure@expo.io and also the ios appt team, this can impact everyone greatly.

2 Likes