Will Apple reject Cordova applications that download additional JavaScript

Question

all.

My team has been toying with the idea of developing an iOS app using Cordova, and recently, we've been looking into offloading as much of the main JavaScript as possible to our server, in an attempt to speed up fixing critical bugs.

The idea would be to have:

1. the native app containing all HTML, CSS, plugins and Cordova files
2. the main JavaScript added to the pages as external scripts from a server
3. a device-ready function for each page that will set up and start the main JavaScript once it's available

I have seen comments that Apple could be trusting of code that runs in a webview, but it does seem like projects like this could be a security issue.

I am aware of other questions and the like that touch on this, but I feel that the context was always different.

Thanks!

Answer 1

A year ago apple changed the iOS Developer Program Agreement to allow download of code, see the Section 3.3.2

3.3.2 An Application may not download or install executable code. Interpreted code may only be used in an Application if all scripts, code and interpreters are packaged in the Application and not downloaded. The only exception to the foregoing is scripts and code downloaded and run by Apple's built-in WebKit framework, provided that such scripts and code do not change the primary purpose of the Application by providing features or functionality that are inconsistent with the intended and advertised purpose of the Application as submitted to the App Store.

So, as you are using cordova, and cordova uses WebKit framework, if you don't change the main purpose of the Application, you won't be rejected

Answer 2

The answer is it depends on how you use the system. The technical ding that hits most people is Apple iTunes Guidelines - 2.12

Apps that are not very useful, unique, are simply web sites bundled as Apps, or do not provide any lasting entertainment value may be rejected

It seems clear to me, but as a volunteer on the "official" phonegap forum, I'm often very blunt with people on this point. Nothing worst than months of work for nothings

On the Javascript idea, loading the javascript file from the web is not good practice. If your app ever loses the network, your app will be non-responsive. One app that I can name, that was growing by leaps and bounds, that has this problem is Word with Friends. I play and I can see the stall every time.

Make sure you App is always responsive and if not, give a short reasonable explanation. LIKE,"Opps, we can't find the Internet."

I have seen comments that Apple could be trusting of code that runs in a webview, but it does seem like projects like this could be a security issue.

Yes, Apple trust code that runs in webview, because it is not a browser. However, that does not make it secure. We have plenty of security issues and bugs. A recent security issues allows rogue code to insert weblinks into webview, and thereby allow the App to be used as an attack vector. Another recent security issue will launch rogue code from and mp3 file! And this bugs goes back to Android 2.0.

The cure is worst than the problem. It's a huge whitelist protocol that is confusing because of the bad documentation. Luckily, I should have a blog post in a few days; other people are working on blog posts too. my raw notes are online or read the current issues especially #10.

I am aware of other questions and the like that touch on this, but I feel that the context was always different.

Feel free to read my notes. The one i give to people all the time is:
Top Mistakes by Developers new to Cordova/Phonegap

But the root has more notes

Best of Luck.