How unscrupulous developers are sidestepping Apple's extensive App Store security review

Skye Jacobs

In a nutshell: Apple continually touts its extensive approach to security for its apps and App Store. It employs an army of human reviewers and tools to review submissions. Nonetheless, developers still slip malicious apps past the checks. Here are some techniques they use and what Apple could do to stop them.

Apple employs comprehensive security measures to protect its apps from malware and tampering. Users can only download applications for iOS and iPadOS from the App Store, where they first undergo a thorough review process. This comprehensive undertaking combines automated systems with human reviewers to maintain high security standards. The company's App Review team comprises over 500 experts who must evaluate approximately 132,500 app submissions weekly, employing various tools to detect potential fraud and privacy violations. Despite these efforts, some malicious apps still manage to slip through.

Earlier this summer, 9to5Mac reported that a pirate streaming app disguised as a photo management tool managed to bypass Apple's App Store Review team by using location-based functionality to hide its true purpose.

An app called "Collect Cards: Store Box" was available on the App Store for over a year and eventually became Brazil's second most downloaded free app before getting pulled. The app showed a simple interface to Apple reviewers in the US while providing pirated content from Netflix, Disney+, Amazon Prime Video, HBO Max, and even Apple TV+ in other regions. Because the app concealed all its streaming-related features from users in the United States, Apple employees only saw a simplified version focused on photos and videos.

Despite its precautions and screening measures, Cupertino is playing a nonstop cat-and-mouse game trying to identify and thwart developers' deceptive tactics before placing their apps in the store. Unsurprisingly, Google faces similar issues and frequently purges Google Play of hundreds of bad apps annually.

However, Apple has stopped a lot of fraudulent activity. Last year, it boasted of blocking over 153 million fake customer accounts and deactivating nearly 374 million developer accounts for fraud and abuse. It also said it detected and blocked more than 47,000 illegitimate apps on pirate storefronts from reaching users over the last 12 months. Unfortunately, bad actors continually evolve their methods, attempting to circumvent Apple's safeguards through sophisticated techniques like bait-and-switch tactics and hidden features.

Another example of location-based deception occurred in 2017 when Uber was accused of creating a "geofence" around Apple's headquarters in Cupertino. For anybody using the app within this zone, including Apple's review team, the app automatically disabled the code Uber used to fingerprint and track users across the web.

Unscrupulous developers have many more methods at their disposal besides location-based functionality. These methods exploit limitations in Apple's review process, which cannot thoroughly test apps in various locations or over extended periods.

One tactic involves using React Native and Microsoft's CodePush SDK, which allows developers to update portions of their app post-approval without submitting a new build. Another method delays geolocation API calls by a few seconds to evade detection during automated reviews.

Some developers present only basic, compliant features during the review process, later using CodePush to introduce hidden or malicious functionalities. Others distribute multiple apps with shared codebases through different developer accounts, complicating efforts to track and remove all instances.

In more deceptive cases, apps masquerade as innocent software but can transform into something entirely different after approval. It is virtually impossible to stop developers from trying such tricks.

However, 9to5Mac says Apple could improve its app submission process. For example, the review team could implement additional tests to check the software's behavior in other locations. It could also be more proactive in finding and removing scams from the App Store rather than reactive to security researchers pointing them out.

In short: Apple's argument that they're blocking sideloading and not allowing apps to be downloaded even just from 3rd party app stores without them approving the apps first FOR the sake of their customers' security and privacy and is total BS, because even with all those efforts Apple can't protect its users the slightest.

We already knew that, of course.
 
In short: Apple's argument that they're blocking sideloading and not allowing apps to be downloaded even just from 3rd party app stores without them approving the apps first FOR the sake of their customers' security and privacy and is total BS, because even with all those efforts Apple can't protect its users the slightest.

We already knew that, of course.

But if you ask the average iHuman, they would say Apple 100% vets bad apps.
Google Play has a much lower starter barrier, as it allows more access to submit an app for less cost upfront.

So no different than your body making decisions: go hard, no cancer, but more chance of immune disorders; or lax, and more chance of cancer.

Definitely need good permission and sandbox control.

Maybe another tier: fully curated and ongoing vetted apps.

Inherently the problem is the multipurpose nature of a phone, from apps and entertainment to your social ID and banking.

Another solution is to ringfence all highly important apps in their own partition on the phone. Why would you want your bank's app to sit next to Honest John's daily Tarot reading app?

If they can fence off the OS, they should allow another fenced area.
 
In short: Apple's argument that they're blocking sideloading and not allowing apps to be downloaded even just from 3rd party app stores without them approving the apps first FOR the sake of their customers' security and privacy and is total BS, because even with all those efforts Apple can't protect its users the slightest.
Next time read the article, as it states the exact opposite. No security is 100% perfect, but Apple did manage to block 1.7 million fraudulent and malicious apps. And it's amusing to note that, of the examples given of evading Apple security, one of them actually benefitted users, while the second was from a decade ago, and was caught by Apple itself:

"Apple CEO Tim Cook threatened to have Uber’s iPhone app removed from the App Store in 2015, when it learned that the ride-sharing company had secretly found a way to identify individual iPhones...."

 
Next time read the article, as it states the exact opposite.
Next time try to comprehend the article. The article does not state the opposite of what I said. Instead it fully confirms what I said. That's the reason why I drew my conclusions. Duh!

No security is 100% perfect, but Apple did manage to block 1.7 million fraudulent and malicious apps.
For one, that's not even what Apple states. They merely state the number of rejected apps, not the reason for their rejection. And we know Apple rejects a lot of apps also because it can't bear competition, which would actually benefit users - so, it's Apple doing the harm by rejecting those apps.

Also, the number of rejections - even if it would only include malicious apps - is irrelevant, especially per se, because what matters is how many still got through or how many people were affected by those or how much damage that has done. But Apple does not and can not actually provide numbers on that, because it lies in the nature of those things.

We know, however, that there were several instances where malicious apps passed Apple's check, and actually this whole article is about such instances. Of course the real numbers are far, far larger, and we actually have now no month passing that Apple doesn't fix a zero-day vulnerability (or two) in iPhones, which means a vulnerability that has been exploited for some time already (sometimes for multiple years) to infect those devices and steal data from them, before Apple even noticed it happening.

The point is: Apple can't actually protect their users from digital threats, partly because of their (i.e. Apple's) gross incompetence, partly because of how things just work. That makes it evident that they're only tying the hands of their users in order to increase their profits and limit competition, because they're really bad at what they are offering, and if there would be real competition on their platforms, most of their customers would not choose them.
 
Next time try to comprehend the article. The article does not state the opposite of what I said. Instead it fully confirms what I said.
Because it states that (all the way back in 2015) Apple caught a developer evading its security protocols, and quickly stopped it? You'll have to do better than that to justify your anti-Apple zealotry.

For one, that's not even what Apple states. They merely state the number of rejected apps, not the reason for their rejection
Reading comprehension for the win.

"118,000 developer accounts terminated for fraudulent activity....248,000 apps rejected for spam or misleading users, 375,000 apps rejected for privacy violations ... 38,000 rejected for hidden features ...."

Sure sounds like Apple is providing protection. Not 100% foolproof of course, but your argument is like claiming that, since someone could drive a truck through your front door, why even bother locking it?
 
Because it states that (all the way back in 2015) Apple caught a developer evading its security protocols, and quickly stopped it?
No. Because it confirms that developers still could get around Apple's restrictions. Which part of "developers still slip malicious apps past the checks" are you exactly unable to comprehend?

Reading comprehension for the win. "118,000 developer accounts terminated for fraudulent activity....
You realize you can't subtract or add number of apps to/from number of developer accounts, because those are completely different metrics measuring non-comparable things. Or that we're talking about WHY apps got rejected, or about how many malicious apps DID NOT GET REJECTED even though they should have been, not about how many apps did get rejected for arbitrary reasons, right? Riiiight? No, you obviously don't understand ANY of that.

248,000 apps rejected for spam 38,000 rejected for hidden features ...."
1,700,000 - 248,000 - 38,000 -375,000 = 1,039,000

So, we have still more than 1 million apps that don't have an explicit reason declared why they got rejected. That might have been rejected because they were competition to Apple's own products - even by Apple's own admission.

And we still don't know how many malicious apps still slipped through. A 100? A 1,000? Another million? Even more?

Sure sounds like Apple is providing protection.
Yes it does. It protects its revenue stream from competitors. As for its users: no, it doesn't protect them. At all.

Not 100% foolproof of course, but your argument is like claiming that, since someone could drive a truck through your front door, why even bother locking it?
That's just your strawman, because even you know you can't argue with what I actually say. And that's that Apple's lock only keeps people and their money from leaving, and competitors from entering, but not malicious actors and apps from wreaking havoc inside the building.
 
No. Because it confirms that developers still could get around Apple's restrictions. Which part of "developers still slip malicious apps past the checks" are you exactly unable to comprehend?
Absurd claptrap like this is what gives Internet forums a bad name. Bad actors "get around" password protection all the time too. Does that mean you should just leave all your accounts unprotected? No security is 100% foolproof, but Apple has blocked millions of these attempts. A small percentage get through regardless. So?

What is most ironic is that it isn't even Apple's customers complaining about their walled-garden ecosystem, but the rabid anti-Apple zealots. Nor would it make a difference to any of you fanatic true believers if Apple changed their policy here: you'd still consider their products overpriced, underperforming garbage. Personally, I feel mostly the same on the latter point -- but the free market works best when it's free. Let the consumers vote with their wallets, and dump your failed authoritarian policies in the trashbin of history, where they belong.

So, we have still more than 1 million apps that don't have an explicit reason declared why they got rejected. That might (emphasis mine) have been rejected because they were competition to Apple's own products
Translation: let's not let the total lack of evidence stop us from assuming the worst.

None of these apps were blocked because they "compete with Apple's own products". Sell the conspiracy stories elsewhere.
 
Absurd claptrap like this is what gives Internet forums a bad name.
Compulsive fanboy denial of indisputable facts and logical conclusions is what gives internet forums a bad name.

Bad actors "get around" password protection all the time too. Does that mean you should just leave all your accounts unprotected?
You can't prove your false statement to be correct by asking another question implying a false conclusion. You can only make clear that you have no clue how to argue based on facts and logic.

Translation: let's not let the total lack of evidence stop us from assuming the worst.
Translation: if you've been caught making false statements and invalid conclusions, don't go on to make even more false statements and invalid conclusions, because none of them will make your original mistake go away, and you can only dig deeper the hole you're already in!


At this point this discussion is done, because you don't even try to - most likely because you finally realized you can't - argue the original points, and are merely resorting to beating straw men and trying to divert to red herrings. Your admission of defeat is accepted. GG.
 