1) The document discusses using JavaScript hotfixing to update iOS apps without going through the Apple app review process. 2) It describes using method swizzling and JavaScriptCore to intercept and modify Objective-C method calls from JavaScript scripts downloaded to the app. 3) Some benefits mentioned are being able to quickly fix bugs, gather data from affected users, and potentially even rewrite parts of the app in JavaScript over time. However, it also notes limitations in what can be fixed and security best practices.

1. Hotfixing iOS apps
with Javascript
Sergio Padrino Recio

2. About me…
• Sergio Padrino (@sergiou87)
• Started working on iOS on 2010
• Worked atTuenti as iOS engineer (2012-2013)
• Worked at Fever as iOS Lead engineer (2014)
• Working at Plex since July 2014 – Current iOSTeam Lead

3. About Plex

4. About Plex

5. Example case

6. Example case
• Submit to Apple.
• Wait for review: 7 days.
• In review: 3 hours.
• Release!

7. Example case
WTF??

9. 8 days later…

12. We are all Peter

13. Example case
• Extreme case, workflow full of flaws:
• Coder failed.
• Code reviewer failed.
• Testers failed.
• Apple… didn’t say anything.

14. Plex:The Monster
• Too many moving parts:
• Plex Media Server version
• User network setup
• Interoperability with other Plex players
• Audio/Video/Subtitle format

16. Fixes are usually quick, but…

17. Apple App Review process
• Used to be 1 week.
• Now reduced to 1-3 days.
• Still not reliable…
• Reviewer testing the wrong binary.
• App rejected because… Apple 😒
• Christmas holidays.
• Sometimes just gets longer.

18. appreviewtimes.com

19. Can we improve this?

20. Can we improve this?
• Android and Web apps can be updated at any time.
• Native iOS apps need to bypass Apple review:
• Use a remote configuration (GroundControl).
• Embedded web pages can be updated.
• Or…

21. rollout.io
• Service to hotfix apps without Apple review:
• Surround method with try…catch
• Replace method argument or return value
• No-op a method
• Basic scripting

23. rollout.io
• Main problems (for us):
• Their platform has the ability to change our app
remotely. If they’re compromised… 😱
• “Expensive” post-build script to upload dSym.
• Our dSym is massive and they had trouble
processing it 😆

24. DIY
• Can we do it ourselves… better?
• Recent pain working on AppleTV app:
• Too much Javascript 😖
• Objective-C magic
• My own solution… SPHotPatch

25. plex.tv
DIY
Configuration
file
(hotfixes)
Plex for iOS
MAGIC
✨

26. But… how??

27. But… how??
Method Swizzling!

28. Method Swizzling
An Example
- (void)doSomethingWrong {
self.array[self.array.count];
}

29. Method Swizzling
An Example
- (void)doSomethingWrong {
self.array[self.array.count];
}
- (void)safe_doSomethingWrong {
@try {
[self safe_doSomethingWrong];
} @catch(…) { }
}

30. Method Swizzling
An Example
- (void)doSomethingWrong {
self.array[self.array.count];
}
- (void)safe_doSomethingWrong {
@try {
[self safe_doSomethingWrong];
} @catch(…) { }
}
INFINITE
RECURSION?!

31. Method Swizzling
An Example
- (void)doSomethingWrong {
self.array[self.array.count];
}
- (void)safe_doSomethingWrong {
@try {
[self safe_doSomethingWrong];
} @catch(…) { }
}
INFINITE
RECURSION?!

32. doSomethingWrong
Method Swizzling
An Example
array[array.count]
safe_doSomethingWrong
@try {
[self
safe_doSomethingWrong];
} @catch(…) {}

33. doSomethingWrong
Method Swizzling
An Example
array[array.count]
safe_doSomethingWrong
@try {
[self
safe_doSomethingWrong];
} @catch(…) {}

34. safe_doSomethingWrongdoSomethingWrong
@try {
[self
safe_doSomethingWrong];
} @catch(…) {}
Method Swizzling
An Example
array[array.count]

35. doSomethingWrong
@try {
[self
safe_doSomethingWrong];
} @catch(…) {}
Method Swizzling
An Example
array[array.count]
safe_doSomethingWrong

37. Where is my Javascript??
• JavascriptCore since iOS 7.
• Run JS scripts from Objective-C.
• Bridging: call Objective-C code from JS.
• More Objective-C runtime magic.

38. Javascript Core
• Run Javascript scripts from Objective-C:

39. Bridging
• Invoke Objective-C code from Javascript:

40. MyCrashyClass
doSomethingWrong
Combine all that…
array[array.count]

41. MyCrashyClass
safe_doSomethingWrongdoSomethingWrong
JSContext *context = …
[context evaluate:hotfixString]
Combine all that…
array[array.count]

42. doSomethingWrong
MyCrashyClass
JSContext *context = …
[context evaluate:hotfixString]
…fixed!
array[array.count]
safe_doSomethingWrong

43. More Objective-C runtime?
• “Proxy” object that gives access to Obj-C stuff
from JS.

44. More Objective-C runtime?
• Box method parameters to JSValue.
• Unbox return value from JSValue ⚠
• A lot of boilerplate to support as many types as
possible.
• Took some “inspiration” from OCMockito.

45. Unboxing return value…
IMP newImp = imp_implementationWithBlock(^(id self, ...)
{
va_list args;
// Box parameters from args and prepare script
NSString *script = ...;
JSValue *result = [context evaluateScript:script];
if ([result isString])
return [result toString];
else if ([result isNumber])
return [result toInt32];
}

46. Unboxing return value…
• Method parameters are easy: variadic arguments.
• There is no “wild card” for return types.
• The only option… override forwardInvocation:
• NSInvocation is the key!

47. Unboxing return value…
IMP newImp = imp_implementationWithBlock(^(id self,
NSInvocation *inv)
{
// Box parameters from invocation and prepare script
NSString *script = ...;
JSValue *result = [context evaluateScript:script];
if (inv.methodSignature.methodReturnType == ‘@’)
[inv setReturnValue:[result toObject]];
else if (inv.methodSignature.methodReturnType == ‘i’)
[inv setReturnValue:[result toInt32]];
}

48. MyCrashyClass
doSomethingWrong
Real Life™
array[array.count]
forwardInvocation:
original implementation

49. MyCrashyClass
ORIGdoSomethingWrongdoSomethingWrong
_objc_msgForward
Real Life™
forwardInvocation:
original implementation
array[array.count]

50. MyCrashyClass
ORIGdoSomethingWrongdoSomethingWrong
_objc_msgForward
Real Life™
forwardInvocation:
original implementation
array[array.count]

51. MyCrashyClass
ORIGdoSomethingWrongdoSomethingWrong
_objc_msgForward
Real Life™
forwardInvocation:
original implementation
array[array.count]
ORIGforwardInvocation:
JSContext *context = …
[context evaluate:hotfixString]

52. MyCrashyClass
ORIGdoSomethingWrongdoSomethingWrong
_objc_msgForward
Real Life™
array[array.count]
ORIGforwardInvocation:forwardInvocation:
JSContext *context = …
[context evaluate:hotfixString]
original implementation

55. DEMO

56. SPHotPatch
• Share it with friends to show off…
• …until someone tells me about JSPatch
• Open Source
• Better JS syntax (pre-processing)
• Extensions to use C stuff (CoreGraphics…)

57. JSPatch

58. JSPatch in Plex
• Remote configuration file declares available patches.
• Patches belong to a:
• App version.
• App build.
• Patch channel (default: production).

59. JSPatch in Plex
• Multiple “channels” allow:
• Testing hotfixes before “releasing” them.
• Create custom patches for users if needed.

60. JSPatch in Plex

61. JSPatch in Plex
• More features:
• Safe patching: if the app crashes before the
patch can be downloaded and applied, next time
the whole patching process will be synchronous.
• Skip patching in the next run.
• Clear last patch.

62. Things you can do

63. Hotfixing
of course

64. Gather data
• For bugs hard/impossible to reproduce.
• Create specific patch channel for affected users.
• Deploy patches for those users.
• Ask them for feedback in the forums.

65. Gather data
• Example 1:
• Video stalls and stuttering.
• Patches to log more info.
• Patches to change different settings of the video
player.

66. Gather data
• Example 2:
• Weird AutoLayout crash on old devices.
• Crash stacktrace impossible to read: all Apple
code.
• Patches to change different bits of broken layout.

67. Rewrite the whole app in JS

68. Rewrite the whole app in JS

69. Things you CAN’T fix

70. Things you CAN’T fix
seriously…
• Virtually nothing?
• You REALLY can write your whole app with JSPatch!
• Create extensions for C stuff you need.
• Apply patches as soon as you can.
• At Plex, we leave out +load methods.

71. What about Swift?
• Depends on Objective-C runtime so…
• Only works with NSObject.
• No structs or primitive types.
• No classes not inheriting from NSObject.

72. What about Apple?
3.3.2 Except as set forth in the next paragraph, an Application may not
download or install executable code. Interpreted code may only be
used in an Application if all scripts, code and interpreters are packaged
in the Application and not downloaded. The only exceptions to the
foregoing are scripts and code downloaded and run by Apple's
built-in WebKit framework or JavascriptCore, provided that
such scripts and code do not change the primary purpose of
the Application by providing features or functionality that are
inconsistent with the intended and advertised purpose of the
Application as submitted to the App Store

73. What about Apple?
• Just Javascript code that runs in JavascriptCore.
• Small fixes, not changing the whole app.

74. Security
• Avoid downloading patches from unknown
sources.
• Don’t run JS scripts without a valid signature.
• Only allow to sign patches to a handful of people.

75. Good practices
• Don’t abuse JS patching. It’s just your safe net.
• Establish a proper workflow to catch bugs before
the release.
• Test, test, test.Automate as much as you can.

76. Good practices
• QA should find nothing. If they do, it should be a big
thing.
• If all the above fails and the bug has a huge impact,
hotfix it.
• JS hotfixes should be reviewed and tested too.
• Immediately after, submit another build. Never rely on
those hotfixes.

77. Questions?

78. Thank you!