What kind of downloaded code violates App Store Review Guideline?

Question

App Store Review Guidelines says: "Apps that download code in any way or form will be rejected."

I'd like to make an app using Challenge-Response for authentication. The app has a set of basic algorithms such as SHA-1, SHA-256, MD5, DES, AES and so on. The challenge server makes contains an array of the algorithms' name with random arrangement and a string names A. Client uses the algorithms and the sequence that challenge indicates to manipulate string A, and returns it to the server as the response.

Although all I transfer between server and client is a bunch of strings, but they indeed change the behavior of my app. Should I consider them a form of code? If not, why downloading shell code to execute is forbidden by Apple? I mean, shell code is also a bunch of strings and interpreted by running environment. Where is the essential difference?

Forgive my English :)

Answer 1

What Apple is worried about and wanting to prevent is applications that get through the approval process (disguised as something benign) and later change their fundamental function.

An extreme example would be an application downloading new, malicious executable code after it has been installed on the user's device.

Apple is using broad wording in order to be able to reject any app that in any way tries to be harmful to the user. It would be impossible to specifically describe every technique and specific way this could happen, so Apple keeps the wording loose.

Apps "download code" in some form or another all the time, consider an application that accesses an API that returns JSON formatted responses. Technically that could be considered code, and it can change the apps behavior (which view to show, what options would be available on a certain view, etc). But an app that access an API in this manner would certainly not be rejected.

From what I can gather from your question, it sounds like you don't have to worry about that particular clause in the guidelines.