How can malicious developers trick the App Store review process?



The App Store, Apple's official app marketplace, distributes many apps that enrich our lives, but it also distributes inappropriate apps from malicious developers. The technology news site 9to5Mac explains why such malicious apps pass Apple's review.

How developers trick App Store into approving malicious apps

https://9to5mac.com/2024/08/02/developers-trick-app-store-review/



The app 'Collect Cards: Store box', released in November 2023, at first glance appears to be an app for managing photos and videos, but in reality it is a pirated streaming platform that includes content from Netflix, Disney+, Amazon Prime Video, HBO Max, and Apple TV+.



Collect Cards: Store box was popular and at one point ranked second in the free app rankings of the Brazilian App Store. In response to 9to5Mac's report, Apple removed Collect Cards: Store box from the App Store. However, it seems that many similar apps have been released on the App Store even after Collect Cards: Store box was removed. 9to5Mac explains how these apps passed Apple's review.

According to 9to5Mac, the apps used geofencing to hide their true identity as pirate streaming platforms from Apple. 9to5Mac also analyzed the apps' code.

After some investigation, it turned out that the apps were built on React Native, a cross-platform JavaScript framework, and used Microsoft's CodePush Management SDK, which allows developers to update parts of an app without having to submit a new build to Apple.

Apple does not prohibit building React Native apps or using the CodePush Management SDK, and malicious developers are using these technologies to circumvent the App Store review process. In fact, when these apps were accessed from San Jose, California, where Apple's headquarters are located, they hid their identity as pirate streaming platforms and disguised themselves as apps with other functions that would not cause problems in review.



Once Apple approves the app, the developer uses the CodePush Management SDK to make updates, revealing a side of the app that was hidden during the review process: that of a pirate streaming platform.

There have been numerous reports of geofencing being used against the review process. In 2017, Uber was accused of geofencing Cupertino, where Apple's headquarters used to be. When the app was launched within the geofence, the code used to fingerprint and track users across the web was automatically disabled.

9to5Mac suggested that 'implementing additional tests to verify app behavior in multiple locations would be a step forward against apps that try to trick the review system,' and that 'Apple needs to be more proactive in finding and removing fraudulent apps from the App Store.'
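
The multi-location check 9to5Mac suggests can be expressed as a differential test that compares each post-approval launch with what the reviewer saw. The JavaScript below is an added example, not code from 9to5Mac, Apple, or the apps discussed; the record fields, app names, bundle hashes, hosts, and threshold are constructed assumptions.

```javascript
// Added example: every record below is constructed; field names are hypothetical.
// One record = one launch of an app from one vantage point, with the hash of the
// JavaScript bundle that actually ran and the screens/hosts the harness observed.
const observations = [
  { app: "cards.demo", phase: "review", location: "San Jose", bundle: "b1",
    features: ["screen:gallery", "screen:albums", "host:img.example.test"] },
  { app: "cards.demo", phase: "live", location: "San Jose", bundle: "b2",
    features: ["screen:gallery", "screen:albums", "host:img.example.test"] },
  { app: "cards.demo", phase: "live", location: "Sao Paulo", bundle: "b2",
    features: ["screen:catalog", "screen:player", "host:video.example.test"] },
  { app: "notes.demo", phase: "review", location: "San Jose", bundle: "n1",
    features: ["screen:notes", "host:sync.example.test"] },
  { app: "notes.demo", phase: "live", location: "Sao Paulo", bundle: "n1",
    features: ["screen:notes", "host:sync.example.test", "host:ads.example.test"] },
];

// Jaccard distance between two feature lists: 0 = identical, 1 = disjoint.
function jaccardDistance(a, b) {
  const A = new Set(a), B = new Set(b);
  const union = new Set([...A, ...B]);
  if (union.size === 0) return 0;
  let shared = 0;
  for (const x of A) if (B.has(x)) shared++;
  return 1 - shared / union.size;
}

// Compare every live launch against what the reviewer saw for the same app.
// A changed bundle alone is not proof of abuse (remote updates are permitted);
// it marks the build as no longer the one that was reviewed and worth re-testing.
function findReviewEvasion(records, threshold = 0.5) {
  const reviewed = new Map();
  for (const r of records) if (r.phase === "review") reviewed.set(r.app, r);
  const findings = [];
  for (const r of records) {
    const base = reviewed.get(r.app);
    if (r.phase !== "live" || !base) continue;
    const distance = jaccardDistance(base.features, r.features);
    const reasons = [];
    if (r.bundle !== base.bundle) reasons.push("bundle-changed-after-review");
    if (distance > threshold) reasons.push("behavior-differs-from-review");
    if (reasons.length) findings.push({ app: r.app, location: r.location, distance, reasons });
  }
  return findings;
}

console.log(findReviewEvasion(observations));
```

The San Jose launch of the constructed `cards.demo` app looks unchanged after approval, which is why the comparison has to include launches from outside the reviewer's region.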

in Software, Web Service, Posted by log1r_ut