In a nutshell: Apple continually touts its extensive approach to security for its apps and App Store. It employs an army of human reviewers and tools to review submissions. Nonetheless, developers still slip malicious apps past the checks. Here are some techniques they use and what Apple could do to stop them.
Apple employs comprehensive security measures to protect its apps from malware and tampering. Users can only download applications for iOS and iPadOS from the App Store, where they first undergo a thorough review process. This undertaking combines automated systems with human reviewers to maintain high security standards. The company’s App Review team comprises over 500 experts who must evaluate approximately 132,500 app submissions weekly, employing various tools to detect potential fraud and privacy violations. Despite these efforts, some malicious apps still manage to slip through.
Earlier this summer, 9to5Mac reported that a pirate streaming app disguised as a photo management tool managed to bypass Apple’s App Store Review team by using location-based functionality to hide its true purpose.
An app called “Collect Cards: Store Box” was available on the App Store for over a year and eventually became Brazil’s second most downloaded free app before getting pulled. The app showed a simple interface to Apple reviewers in the US while providing pirated content from Netflix, Disney+, Amazon Prime Video, HBO Max, and even Apple TV+ in other regions. Because the app concealed all its streaming-related features from users in the United States, Apple employees saw only a simplified version focused on photos and videos.
Despite its precautions and screening measures, Cupertino is playing a nonstop cat-and-mouse game trying to identify and thwart developers’ deceptive tactics before placing their apps in the store. Unsurprisingly, Google faces similar issues and frequently purges Google Play of hundreds of bad apps annually.
However, Apple has stopped a lot of fraudulent activity. Last year, it boasted of blocking over 153 million fake customer accounts and deactivating nearly 374 million developer accounts for fraud and abuse. It also said it detected and blocked more than 47,000 illegitimate apps on pirate storefronts from reaching users over the last 12 months. Unfortunately, bad actors continually evolve their methods, attempting to circumvent Apple’s safeguards through sophisticated techniques like bait-and-switch tactics and hidden features.
Another example of location-based deception occurred in 2017 when Uber was accused of creating a “geofence” around Apple’s headquarters in Cupertino. For anybody using the app within this zone, including Apple’s review team, the app automatically disabled the code Uber used to fingerprint and track users across the web.
Unscrupulous developers have many more methods at their disposal besides location-based functionality. These methods exploit limitations in Apple’s review process, which cannot thoroughly test apps in various locations or over extended periods.
One tactic involves using React Native and Microsoft’s CodePush SDK, which allows developers to update portions of their app post-approval without submitting a new build. Another method delays geolocation API calls by a few seconds to evade detection during automated reviews.
Some developers present only basic, compliant features during the review process, later using CodePush to introduce hidden or malicious functionalities. Others distribute multiple apps with shared codebases through different developer accounts, complicating efforts to track and remove all instances.
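A reviewer cannot see post-approval CodePush payloads in a submitted build, but the build does reveal whether the app is capable of swapping its JavaScript after approval. The following audit script is an added example, not code from 9to5Mac or Apple: it walks an unpacked .app directory and flags the react-native-code-push Info.plist key (CodePushDeploymentKey) together with React Native’s default packaged bundle (main.jsbundle), so such apps can be routed to deeper, longer-running review. The sample bundle it builds is constructed test data; the `CodePushServerURL` key and bundle name are taken from the SDK’s and framework’s defaults and treated as heuristics only.

```python
import os
import plistlib
import tempfile

# Heuristic indicators. CodePushDeploymentKey is the Info.plist key the
# react-native-code-push SDK reads; main.jsbundle is React Native's default
# packaged JS bundle. Presence means "can update code over the air", not "malicious".
CODEPUSH_PLIST_KEYS = ("CodePushDeploymentKey", "CodePushServerURL")
RN_BUNDLE_NAMES = ("main.jsbundle",)


def audit_bundle(app_dir):
    """Report which over-the-air update indicators an unpacked .app contains."""
    report = {"react_native": False, "codepush": False,
              "codepush_keys": [], "ota_capable": False}
    plist_path = os.path.join(app_dir, "Info.plist")
    if os.path.exists(plist_path):
        with open(plist_path, "rb") as fh:
            info = plistlib.load(fh)
        report["codepush_keys"] = sorted(k for k in CODEPUSH_PLIST_KEYS if k in info)
        report["codepush"] = bool(report["codepush_keys"])
    for _root, _dirs, files in os.walk(app_dir):
        if any(name in RN_BUNDLE_NAMES for name in files):
            report["react_native"] = True
    # Both together mean the shipped JS can be replaced without a new App Store build.
    report["ota_capable"] = report["react_native"] and report["codepush"]
    return report


def build_sample_app(root, with_codepush=True):
    """Construct a minimal fake .app layout (constructed test data, not a real app)."""
    app = os.path.join(root, "Sample.app")
    os.makedirs(app)
    info = {"CFBundleIdentifier": "com.example.sample"}
    if with_codepush:
        info["CodePushDeploymentKey"] = "PLACEHOLDER-DEPLOYMENT-KEY"
    with open(os.path.join(app, "Info.plist"), "wb") as fh:
        plistlib.dump(info, fh)
    open(os.path.join(app, "main.jsbundle"), "w").close()
    return app


def run_demo(with_codepush=True):
    """Build a sample bundle in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_bundle(build_sample_app(tmp, with_codepush))


if __name__ == "__main__":
    print(run_demo())
```

A bundle flagged `ota_capable` is a candidate for re-review over time or from other regions, since its approved behaviour is not necessarily its shipped behaviour.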
In more deceptive cases, apps masquerade as innocent software but can transform into something entirely different after approval. It is virtually impossible to stop developers from trying such tricks.
However, 9to5Mac says Apple could improve its app submission process. For example, the review team could implement additional tests to check the software’s behavior in other locations. It could also be more proactive in finding and removing scams from the App Store rather than reactive to security researchers pointing them out.