
How malware gets published in AppStore, and other AppStore unfair practices.

Kato0909

 

Summary

 A critique of Apple's App Store review policy, the methods some malware uses to cheat the App Store review process, and the anticompetitive strategies and entitlements granted to chosen developers.

 

Quotes

Quote

So in this article I'm going to dispute the claim that the App Store is safe, voice my complaints about the App Store review process and provide a detailed explanation (including source code) of how malicious apps on the App Store conceal their functionality from the App Store review team and are able to sneak into the App Store.

 

...

 

Now here is what happens when you submit your app for the App Store review. ... basically, a random reviewer downloads the app onto their iPad, taps through all the screens and makes a decision whether to allow it or not based on their own understanding of the App Store Review Guidelines, biased by their own subjective opinions and attitudes. The first thing that a malicious app can do is connect to a remote server, send details about the current user session and ask whether it should perform some malicious action that it contains.

 

...

 

Just yesterday Apple cited the same reason when rejecting an update of an accessible game that a developer who is totally blind created for other visually impaired people, saying that their game is similar to other apps in the App Store so it is considered spam. What's worse, the game was already on the App Store, people were using it, and Apple didn't allow an update to be published for it.

 

...

 

One example of such a special entitlement is com.apple.developer.pushkit.unrestricted-voip. It's not listed in the developer documentation and Apple doesn't grant it freely. The only ways to find out about its existence are if Apple confidentially tells you about it or you stumble upon it while inspecting apps like WhatsApp, Signal or Telegram, which all have that entitlement.

 

My thoughts

This article is from the same author who was recently ignored by Apple's bug bounty program regarding three iOS 0-day vulnerabilities (one was silently fixed in iOS 14.7):

https://linustechtips.com/topic/1375750-apple-failed-to-fix-zero-days-and-ignore-person-who-found-them/

 

This is further proof that the App Store is not fully secure, is not free of scams and malware, and that Apple's practices are not ideal, contrary to their claims. It is another flawed point in Apple's defence strategies on the matter of why the App Store is the only allowed app distribution platform on iOS and iPadOS. But I can't really say that I am surprised.

 

 

Sources

 https://habr.com/en/post/580272/

 

 

 


Any process that involves a human will not be perfect. I'm not sure what the news is here.

 

But having unrestricted access to the store, where anyone can publish anything, will definitely mean more malware apps than the App Store. It's all about the probability of coming across such an app at that point. And I'm not even sure how Apple can completely make the App Store 100% malware free, apart from acting on it as soon as it is known.

 

Yes, arbitrary rules open to interpretation are something they can and should improve. Hopefully, with external payment links allowed from now on, a lot of issues pertaining to payments will be solved, like Floatplane for example.


25 minutes ago, RedRound2 said:

And I'm not even sure how Apple can completely make the App Store 100% malware free, apart from acting on it as soon as it is known

Apple has complete control over the App Store, charges its devs $100 per year to have access to publish apps, and devs need a Mac or iOS device to develop apps, so the App Store shouldn't have any malware on it. I don't see how malware on the App Store is excusable when Apple tells you they care about security so much, yet ignores zero-day vulnerabilities.


Quote

If that API is in Objective-C, it can be called dynamically through the Objective-C runtime; for example, we can address a class GKLocalPlayerInternal (which is used in the gamed exploit) like this: NSClassFromString("GKLocalPlayerInternal"). GKLocalPlayerInternal is contained in the list of private API, so it is searched for inside the binary. However, there are many ways you can conceal it. Simply splitting it into a few parts like this, NSClassFromString(["GKLoc","lPlayerInternal"].joined(separator: "a")), is enough to be undetected by static analysis.

...if this is true, it's absolutely insane. This essentially makes Apple's check completely worthless. I would assume every app in the store is malware if it's this easy to get around system restrictions.

 

I mean - static string checks? Really, Apple? What? At the very least this stuff should be checked at runtime, you know, so you know what is actually being accessed.

Quote

Uber app was checking if a user is near Apple headquarters in Cupertino and if that was the case, the malicious code would not be executed to avoid detection by Apple employees.

I'm not even sure this requires comment, just... wow.

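The article passage quoted in the post above says that Apple's private-API check is a literal string match against the binary and that splitting the class name defeats it; the post's reaction is that the check should at least be smarter. The following is an added example, not code from the article, from Apple's review tooling, or from anyone in this thread: a small Python checker that takes the string table of a binary (what `strings` or a Mach-O parser would extract from the __cstring section; here three constructed lists stand in for real binaries) and, besides the literal match, tries to reassemble each private class name from fragments present in the table plus up to two free single-character joiners. The denylist entry `GKLocalPlayerInternal` and the split `"GKLoc" + "a" + "lPlayerInternal"` are the ones the article gives; every other string, the joiner allowance and the minimum fragment length are assumptions made for the demonstration.

```python
from functools import lru_cache

# Private API symbol named in the article. Apple's real denylist is much larger
# and not public; this is the only entry the page gives us.
PRIVATE_SYMBOLS = ("GKLocalPlayerInternal",)

# Constructed string tables, standing in for what `strings` or a Mach-O parser
# would pull out of an app binary. None of these come from a real app.
CLEAN_BINARY = ["UIViewController", "viewDidLoad", "GKLocalPlayer", "Score"]
LITERAL_BINARY = CLEAN_BINARY + ["GKLocalPlayerInternal"]  # naive private API use
OBFUSCATED_BINARY = CLEAN_BINARY + ["NSClassFromString", "GKLoc", "lPlayerInternal"]  # split as in the article


def literal_scan(strings, symbols=PRIVATE_SYMBOLS):
    """The check the article describes: flag only exact string matches."""
    table = set(strings)
    return sorted(sym for sym in symbols if sym in table)


def segment(symbol, table, min_fragment=3, max_joiners=2):
    """Try to build `symbol` from fragments found in `table`.

    Each fragment must be at least `min_fragment` chars long and present in the
    table; up to `max_joiners` single characters may be supplied for free (the
    'a' separator in the article's example is such a joiner and is unlikely to
    be stored as its own C string). Returns the tuple of pieces, or None if no
    segmentation exists. Both limits are assumptions, not measured values.
    """
    n = len(symbol)

    @lru_cache(maxsize=None)
    def build(i, joiners_left):
        if i == n:
            return ()
        # Prefer the longest table fragment starting at position i.
        for j in range(n, i + min_fragment - 1, -1):
            piece = symbol[i:j]
            if piece in table:
                rest = build(j, joiners_left)
                if rest is not None:
                    return (piece,) + rest
        # Otherwise spend a free joiner on one character.
        if joiners_left > 0:
            rest = build(i + 1, joiners_left - 1)
            if rest is not None:
                return (symbol[i],) + rest
        return None

    return build(0, max_joiners)


def fragment_scan(strings, symbols=PRIVATE_SYMBOLS, **kwargs):
    """Flag symbols present literally or assemblable from table fragments."""
    table = set(strings)
    hits = {}
    for sym in symbols:
        pieces = segment(sym, table, **kwargs)
        if pieces is not None:
            hits[sym] = pieces
    return hits


def demo():
    """Run both scanners over the three constructed tables."""
    return {
        name: {"literal": literal_scan(tbl), "fragment": fragment_scan(tbl)}
        for name, tbl in (("clean", CLEAN_BINARY),
                          ("literal", LITERAL_BINARY),
                          ("obfuscated", OBFUSCATED_BINARY))
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:11s} literal={result['literal']} fragment={result['fragment']}")
```

The literal scan flags the naive binary and misses the split one; the fragment scan reports the split binary as `("GKLoc", "a", "lPlayerInternal")` while leaving the clean table alone, even though it contains the public `GKLocalPlayer` prefix. It is a triage aid rather than a verdict: it will produce false positives on longer denylists, and it still cannot see a class name that only exists at runtime, for example decoded from an encrypted blob or received from the server the article's first technique phones home to. Catching that requires observing what `NSClassFromString` and `objc_getClass` actually resolve while the app runs, which is the point the post makes about static string checks.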

1 hour ago, RedRound2 said:

And im not even sure how Apple can completely make the App store 100% malware free

If they can't then maybe they should stop pretending they can, in court.


12 minutes ago, Sauron said:

If they can't then maybe they should stop pretending they can, in court.

Yes, this.


40 minutes ago, Sauron said:

If they can't then maybe they should stop pretending they can, in court.

They never claimed anything to be 100%.


1 hour ago, Dracarris said:

They never claimed anything to be 100%.

As it stands, any claim that their controls offer a better than chance probability an app is malware-free are to be considered lies.


1 hour ago, Sauron said:

As it stands, any claim that their controls offer a better than chance probability an app is malware-free are to be considered lies.

Thing is, we see very few reports of malware being on the App Store. It would be interesting to see actual figures from a reliable source comparing numbers of downloads to infections on various app stores, including Apple's and Android's. When I see articles like this, I would be looking for evidence to show there was indeed a problem.


5 hours ago, Blademaster91 said:

Apple has complete control over the App Store, charges its devs $100 per year to have access to publish apps, and devs need a Mac or iOS device to develop apps, so the App Store shouldn't have any malware on it. I don't see how malware on the App Store is excusable when Apple tells you they care about security so much, yet ignores zero-day vulnerabilities.

No matter how perfect you try to build a system, it will always have faults and will always have ways of getting malware. The way malware gets onto the App Store, I don't really have a problem with. I've known about that way for a while, but it should be said getting malware onto the App Store is at least harder than, let's say, the Play Store... but I argue solely because getting any apps onto Apple's App Store requires a lot more work (because there is an actual review process that can have your app denied for pretty much any reason... including having an app that is too common, let's say a calculator).

 

I do agree though, the ignoring of the zero-day is bad and is what should be focused on.

 

4 hours ago, Sauron said:

...if this is true, it's absolutely insane. This essentially makes Apple's check completely worthless. I would assume every app in the store is malware if it's this easy to get around system restrictions.

Well it prevents "honest" developers from using the undocumented private APIs (the ones that Apple is allowed to use because they are special). While using the APIs and hoping not to get caught would be one thing, using the APIs and intentionally obfuscating it I would imagine would get you banned from the App Store. It's not like these APIs instantly grant a lot more access to data; one still has to exploit the API call. I do think that it likely is this easy to get around the restriction, but as I said above, I think there are enough roadblocks in place to make it less tempting.

 

I think the telling thing here though is that it's Apple being Apple again, in that it shows a bit more clearly that there are internal APIs that some companies are allowed to use while others aren't, which of course gives Apple (and the companies they share the APIs with) an unfair advantage. Given that the vulnerabilities all relate to the hidden APIs, I suspect that there is in general less care given to them to prevent exploits.


1 hour ago, Distinctly Average said:

Thing is, we see very few reports of malware being on the app store.

Very few? Relative to what? Just because they aren't being found doesn't mean they aren't there. Are you checking every single sketchy app that's on the App Store? Because Apple clearly isn't...

48 minutes ago, wanderingfool2 said:

Well it prevents "honest" developers from using the undocumented private APIs (the ones that Apple is allowed to use because they are special). While using the APIs and hoping not to get caught would be one thing, using the APIs and intentionally obfuscating it I would imagine would get you banned from the App Store.

The blog post mentions a few legitimate apps using this to get around the limitations of old versions of iOS. Uber did not get banned for circumventing the rules with open malicious intent - so I'd say there's a pretty slim possibility of being banned for this, not that anybody seems to be checking anyway.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


10 hours ago, Blademaster91 said:

Apple has complete control over the App Store, charges its devs $100 per year to have access to publish apps, and devs need a Mac or iOS device to develop apps, so the App Store shouldn't have any malware on it. I don't see how malware on the App Store is excusable when Apple tells you they care about security so much, yet ignores zero-day vulnerabilities.

$100 is literally nothing for most people for a year. No devs complain about it, and you are free to develop an iOS app without a dev account; you only need to get one if you want to publish something to the App Store.

You only need a Mac to develop in Xcode. You can use Flutter, React, Visual Studio and numerous other IDEs and languages to develop for iOS on Windows. Craig Federighi himself has said that anyone is free to develop a cohesive iOS dev platform on Windows, just that Apple won't do it.

9 hours ago, Sauron said:

If they can't then maybe they should stop pretending they can, in court.

Did they say iOS was a hundred percent secure? They did say it was more secure than other operating systems, which it is. Safer than Windows, macOS and Android. And the reason why it is like that is because of the App Store reviews.

 

It's stupidly naive to insinuate that a human process on a human-coded operating system is going to be hack-proof just because it does much better than other platforms.


6 minutes ago, Sauron said:

Very few? Relative to what? Just because they aren't being found doesn't mean they aren't there. Are you checking every single sketchy app that's on the App Store? Because Apple clearly isn't...

The only way you or I can know is from media reports. I am sure if many people were getting bricked iPhones, scammed, or subject to fraud due to flaws in apps then we would hear of it. Apple is probably the most scrutinised brand in IT for things like this, and every little thing gets picked up on. We are not inundated with people crying into their soup after losing their hard-earned money. We can speculate, but to be fair we have to take all the evidence available to us.

 

I am not trying to defend Apple here, far from it. I just believe we need some context, something we really do not have.


29 minutes ago, RedRound2 said:

Did they say iOS was a hundred percent secure? They did say it was more secure than other operating systems, which it is. Safer than Windows, macOS and Android. And the reason why it is like that is because of the App Store reviews.

Citation needed my friend. Clearly App Store security isn't doing anything if Uber can just spy on customers through their Apple approved store app and only get caught by independent researchers. Nothing about iOS itself seems to make it more secure if you can just access high privilege system APIs at will and the store is unable to catch that. So... what exactly makes it safer in your opinion? Other than Apple just claiming it is...

32 minutes ago, RedRound2 said:

It's stupidly naive to insinuate that a human process on a human-coded operating system is going to be hack-proof just because it does much better than other platforms.

Yeah, good thing I'm not the one doing that...?

 

If anyone is making claims about Apple's high security performance it's you, and you're painfully short on evidence.

29 minutes ago, Distinctly Average said:

I am sure if many people were getting bricked iPhones, scammed, subject to fraud due to flaws in apps then we would hear of it.

We literally do.

 

https://www.tomsguide.com/news/iphone-apps-infected-malware

 

Are 1200 apps infected with the same malicious code enough evidence of a potentially more widespread problem for you? It's not just random no-name developers doing this either, Uber was caught doing this. Granted, these don't brick your phone - why would they? It's much more profitable to log your data.

 

And hey, just to be clear: Google is no better in this regard https://www.bleepingcomputer.com/news/security/new-android-malware-steals-millions-after-infecting-10m-phones/

 

...but at least they don't prevent me from sideloading another store with the excuse of "security". Oh, and they tend to fix 0-days when they are reported rather than banning the researchers from the store and ignoring the problem.


Quote

The malicious activity will stop if the SDK detects that it is running on a rooted phone or if debugging software is being used — both tools commonly used by security researchers.

That's pretty shocking, especially since rooting and unlocked bootloaders are strictly forbidden by every major manufacturer "for your safety."


47 minutes ago, Sauron said:

Citation needed my friend. Clearly App Store security isn't doing anything if Uber can just spy on customers through their Apple approved store app and only get caught by independent researchers. Nothing about iOS itself seems to make it more secure if you can just access high privilege system APIs at will and the store is unable to catch that. So... what exactly makes it safer in your opinion? Other than Apple just claiming it is...


Any app that gathers information could be considered malware. That includes the web browser. While this particular case is bad, it does depend a lot on the definition of malware. Apple states they don't believe it negatively affects users; again, the users may have a different opinion. In many ways the above code is more spyware, which for many companies is fine. It does get a bit duplicitous when Apple goes very out of their way to block one brand, then ignores others.

As you say, iOS and Android are guilty, so are M$, Linux and most browser companies. Not saying it is right, just that there is a widespread issue when it comes to spyware.

 

We still have very little in the way of figures regarding actual damage done; I doubt we ever will. If however a particular app or OS does cause a major issue, I am sure it will be shouted about in the press, especially so when it is Apple.


3 minutes ago, Distinctly Average said:

Any app that gathers information could be considered malware.

Malware: Software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system.

What you're talking about is spyware, defined as:
Software that enables a user to obtain covert information about another's computer activities by transmitting data covertly.


But Apple can't get viruses!

/s


9 minutes ago, FakeKGB said:

Malware: Software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system.

What you're talking about is spyware, defined as:
Software that enables a user to obtain covert information about another's computer activities by transmitting data covertly.

Which is why I called it spyware in the next part of my post.

