How developers trick App Store into approving malicious apps
Developers are deceiving the App Store to approve malicious apps like "Collect Cards" by using geofencing and Microsoft's CodePush SDK, allowing post-approval changes to app functionalities. Apple has removed these apps.
Developers have been successfully tricking the App Store into approving malicious apps by employing various deceptive techniques. A recent investigation revealed that apps like "Collect Cards" managed to gain popularity and approval by using geofencing to hide their true functionalities from Apple's review team. These apps are built on a shared code base using React Native and utilize Microsoft's CodePush SDK, which allows developers to update app content without resubmitting to the App Store. This method is not inherently against App Store rules, but malicious developers exploit it to bypass scrutiny.
The apps check the device's location via an API based on the IP address, delaying the call to this API to avoid detection during the automated review process. Once approved, developers can use CodePush to alter the app's interface and functionalities in specific locations, effectively revealing their true nature only after gaining access to the App Store.
Apple has acknowledged the issue and removed the offending apps but has not detailed measures to prevent similar occurrences in the future. The App Store Review team, which consists of over 500 experts, primarily relies on automated processes to screen apps, which may not be sufficient to catch these deceptive practices. Experts suggest that Apple could enhance its review process by implementing additional tests to monitor app behavior in various locations and proactively identifying and removing scam applications.
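The behaviour described above (a deferred IP-geolocation lookup, an over-the-air update check, and a feature set that diverges by region) leaves a footprint in the network traffic of an automated review run. The following is an added illustration of the kind of differential check the experts quoted above suggest; it is not code from the article, from Apple, or from the apps discussed. It assumes a constructed log format (one JSON object per request with `session`, `region`, `t`, `host`, `path` fields) and placeholder hostnames for the geolocation and update services, and flags three things a reviewer would want a human to look at: location lookups made unusually late after launch, calls to an OTA update endpoint, and endpoints contacted in one simulated region but not another.

```python
"""
Differential review-run analyser (added example, not from the article).

Assumed input: one JSON object per line, each describing a network request an
app made during an automated review session run under a simulated region.
Fields (all assumed for this example):
  session, region, t (seconds since launch), host, path
"""
import json
from collections import defaultdict

# Constructed sample log: one build run in two simulated regions. Not real traffic.
SAMPLE_LOG = """
{"session": "A", "region": "US", "t": 0.4, "host": "api.example-cards.test", "path": "/v1/config"}
{"session": "A", "region": "US", "t": 95.0, "host": "ip-geo.example.test", "path": "/json"}
{"session": "A", "region": "US", "t": 96.1, "host": "codepush.example.test", "path": "/updateCheck"}
{"session": "B", "region": "BR", "t": 0.5, "host": "api.example-cards.test", "path": "/v1/config"}
{"session": "B", "region": "BR", "t": 94.8, "host": "ip-geo.example.test", "path": "/json"}
{"session": "B", "region": "BR", "t": 96.0, "host": "codepush.example.test", "path": "/updateCheck"}
{"session": "B", "region": "BR", "t": 97.3, "host": "promo.example-cards.test", "path": "/bundle/v2"}
"""

# Placeholder hostnames standing in for IP-geolocation lookup services and
# over-the-air bundle update endpoints. These are assumptions for the example,
# not a real indicator list.
GEOIP_HOSTS = {"ip-geo.example.test"}
OTA_UPDATE_HOSTS = {"codepush.example.test"}

# A location lookup this long after launch, rather than at startup, is the
# deferral pattern the article describes and merits a manual look.
LATE_CALL_SECONDS = 60.0


def parse_log(text):
    """Group request records by review session; skip blank or malformed lines."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        sessions[rec["session"]].append(rec)
    return sessions


def analyse(sessions):
    """Return a list of (kind, ...) findings across all sessions.

    kinds: late_geoip_lookup, ota_update_check, region_divergence
    """
    findings = []
    endpoints_by_region = {}
    for recs in sessions.values():
        region = recs[0]["region"]
        endpoints_by_region[region] = {(r["host"], r["path"]) for r in recs}
        for r in recs:
            if r["host"] in GEOIP_HOSTS and r["t"] >= LATE_CALL_SECONDS:
                findings.append(("late_geoip_lookup", region, r["host"], r["t"]))
            if r["host"] in OTA_UPDATE_HOSTS:
                findings.append(("ota_update_check", region, r["host"], r["t"]))
    # Compare the set of endpoints seen in each region pair; any endpoint that
    # appears in only one region is the kind of divergence a geofenced build shows.
    regions = sorted(endpoints_by_region)
    for i in range(len(regions)):
        for j in range(i + 1, len(regions)):
            a, b = regions[i], regions[j]
            diff = endpoints_by_region[a] ^ endpoints_by_region[b]
            if diff:
                findings.append(("region_divergence", a, b, sorted(diff)))
    return findings


if __name__ == "__main__":
    for f in analyse(parse_log(SAMPLE_LOG)):
        print(f)
```

The divergence check only works if the review harness actually runs the same build from several network vantage points; with a single region every build looks consistent, which is precisely the gap the article says the apps exploited.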
Related
Leaking URLs to the Clown
The author describes leaking URLs during Mac app testing, with a unique URL receiving requests from a random "cloud" service every three hours. This raises privacy concerns and highlights potential risks for users.
Apple CocoaPods Bugs Expose Apps to Code Injection
Millions of Apple apps face code injection risks from critical vulnerabilities in CocoaPods. E.V.A Information Security discovered three major flaws, including remote code execution. Developers are urged to address vulnerabilities promptly.
3M iOS and macOS apps were exposed to potent supply-chain attacks
Vulnerabilities in CocoaPods server exposed 3 million apps to supply-chain attacks for a decade. Flaws allowed hackers to inject malicious code, compromising sensitive user data. Developers urged to prioritize security measures.
Python grapples with Apple App Store rejections
Python developers face App Store rejections post Python 3.12 update due to Apple's ban on "itms-services" string. Eric Froemling's bug report triggers discussions on solutions like obfuscation and JSON config. Python community seeks resolution amid Apple's strict policies.
Deluge of Fake Mac App Store Reviews
A surge of fake customer reviews in the US Mac App Store targeted top paid apps priced between $1.99 and $4.99. Reviews, mostly 5 stars, featured generic text, raising suspicions. The total cost of fake reviews exceeded $1150. Apple's default review sort order potentially hides these fake reviews. Motive remains unclear, with speculation of developer involvement. Apple's lack of curation raises authenticity concerns.
- Many commenters express skepticism about the effectiveness of Apple's app review process, suggesting it is often circumvented by developers.
- Several users discuss various methods developers use to hide app functionalities from Apple, indicating a widespread understanding of these tactics.
- There is a consensus that the presence of scam apps, particularly those with recurring subscription models, is a significant issue.
- Some commenters argue that Apple's focus on security is more about appearance than actual effectiveness, labeling it as "security theater."
- Concerns are raised about the monopolistic control of Apple and Google over the app market, with calls for regulatory changes.
1. Make an API call to your server with the build number of the app.
2. Have that API response control whether the "secret" features are available.
3. Only enable each build's secret features once it's passed review.
4. Profit?
No dynamic/interpreted code required.
And there are sufficient variations on this that I would guess it's reducible to the halting problem and thus undecidable.
“Executable Code Except as set forth in the next paragraph, an Application may not download or install executable code. Interpreted code may be downloaded to an Application but only so long as such code: (a) does not change the primary purpose of the Application by providing features or functionality that are inconsistent with the intended and advertised purpose of the Application as submitted to the App Store, (b) does not create a store or storefront for other code or applications, and (c) does not bypass signing, sandbox, or other security features of the OS.”
There are use cases for non-recurring week passes (eg. VPN app for a week during travel) but recurring weekly payments should require manual approval. Not all apps should be allowed to charge weekly recurring payments.
Ignoring the weasel wording in the sentence, and assuming the reviewers dedicate 100% of their time to reviewing and a standard work week, that's ≈12 minutes per app.
Similarly, two companies, Apple and Google, shouldn't be able to keep 15% to 30% of all revenue generated in the entire mobile app market.
I thought it was about how they get Apple to allow those $50/month subscriptions for the flashlight apps...
Hiding a functionality from Apple is a ticket to account and company ban and is not worth the hassle. Unless it was the intention of the whole enterprise.
I would not mind Apple doing whatever the reviews they want with their own private AppStore if I, the user, could install whatever app I need on the device that I bought by downloading it directly from developer's website.
Apple maliciously tries to stand between developers and users, with the intent of extortion. Big Brother 2024.
I don’t see a reason to name Microsoft’s solution specifically.
Firstly, there are other alternatives; also, Microsoft is shutting down parts of their offering; finally, JS apps are comparatively easy to update - even without a tool like this too.
https://youtu.be/Cw7wke_FtuI?si=3b6f3Ohd4wb_0xVS
Despite (and due to) its very much non-family-friendly title it managed to gain considerable attention before being taken down.
I've reported malicious apps.
Provided detailed evidence, etc.
Their security team told me to fuck off.
So I went back to my daily life...
At least I can say I tried. Security doesn't matter; it's the appearance of security that does.
Apple is like the walled fortress with armed guards in freshly pressed uniforms that wave most people through the gate and never check their trunks.
That site has the most evil consent UI I’ve seen. Not only does it require you to click zillions of checkboxes to withdraw consent, while allowing you to give it with a single click, it also hides most of them behind a “more” button. It’s amazing how many companies claim to have legitimate interest in tracking things…
Also, so funny how 9to5mac messages this. When Apple makes a misstep, it is developers "tricking" App Store, not Apple's incompetence. Let's call it what it is: Apple's review process is mostly security theater.