
How Developers Trick the App Store into Approving Malicious Apps

We recently reported on how a number of pirated iOS streaming apps managed to gain approval on the App Store by cheating the review process. While we briefly touched on some of the techniques used by these developers, 9to5Mac now takes a closer look at how these apps are designed to deceive Apple.

Techniques used by developers to bypass the App Store review

Last month, an app called “Collect Cards” topped the App Store’s most downloaded free app rankings in some countries. After our report, Apple removed the app—but many other versions of the same app were later released on the App Store. But how exactly do developers manage to fool the App Store’s review team?

In our original report, we explained that these apps use geofences to prevent anyone at Apple from seeing what the app is actually capable of. But by analyzing the code behind these apps, we now have a better idea of how this is done.

As we’ve gathered, these apps share the same codebase—even if they’re distributed by different developer accounts. They’re built on React Native, a cross-platform JavaScript framework, and they use Microsoft’s CodePush SDK, which lets developers update parts of their apps without having to submit a new build to the App Store.

Building a React Native app and using CodePush is not against the App Store’s policies. In fact, there are many popular apps that do this. However, malicious developers are using these technologies to bypass the App Store review.

One of the apps analyzed by 9to5Mac points to a GitHub repository that appears to host files for a number of pirated streaming apps. This app also uses a specific API to check the device’s location based on its IP address. It returns data such as country, region, city, and even estimated latitude and longitude.

When the app is first opened, it waits a few seconds to call the geolocation API. This way, the App Store’s automated review process doesn’t see anything unusual in the app’s code. We also checked the app’s behavior by running it through a proxy server to spoof our location in San Jose, California. For this location, the app never reveals its hidden interface.


Once Apple approves an app with its basic functionality, developers use CodePush to update it with whatever they want. The app then reveals its real interface in “safe” locations.

What can Apple do about it?

Of course, Apple isn’t immune to apps trying to trick its review system. But the company could improve it by implementing additional tests to check how apps behave in other locations. At the same time, Apple should be more proactive in finding and removing scam apps from the App Store.
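
One way a reviewer could run the multi-location check suggested above, as an added example that is not code from 9to5Mac, Apple or the apps discussed: launch the same build through several egress locations, record the hosts it contacts and the screens it shows, and flag anything that appears in only some locations. The record format, host names, screen names, timings and the 5-second quiet window are all assumptions constructed for illustration.

```javascript
// Constructed observations: the same build launched through three egress
// locations. Hosts, screens and timings are placeholders, not real data.
const RUNS = [
  { egress: "US/San Jose", screens: ["CardList"], events: [
    { t: 0.4, host: "api.cards.example" },
    { t: 6.1, host: "ipgeo.example" } ] },
  { egress: "other-region-1", screens: ["CardList", "VideoPlayer"], events: [
    { t: 0.4, host: "api.cards.example" },
    { t: 6.0, host: "ipgeo.example" },
    { t: 7.2, host: "codepush.example" },
    { t: 9.8, host: "streams.example" } ] },
  { egress: "other-region-2", screens: ["CardList", "VideoPlayer"], events: [
    { t: 0.5, host: "api.cards.example" },
    { t: 6.2, host: "ipgeo.example" },
    { t: 7.5, host: "codepush.example" },
    { t: 9.9, host: "streams.example" } ] },
];

// Values seen in at least one run but not in every run.
function seenInSomeRunsOnly(runs, pick) {
  const counts = new Map();
  for (const run of runs) {
    for (const v of new Set(pick(run))) counts.set(v, (counts.get(v) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n < runs.length).map(([v]) => v).sort();
}

// Compare runs and report behaviour that depends on the egress location.
function reviewDivergence(runs, geoHosts, quietSeconds = 5) {
  const hosts = seenInSomeRunsOnly(runs, (r) => r.events.map((e) => e.host));
  const screens = seenInSomeRunsOnly(runs, (r) => r.screens);
  const revealedIn = runs
    .filter((r) => r.screens.some((s) => screens.includes(s)) ||
                   r.events.some((e) => hosts.includes(e.host)))
    .map((r) => r.egress);
  // True when every run's first geolocation lookup comes after the quiet window.
  const delayedGeoLookup = runs.every((r) => {
    const first = r.events.find((e) => geoHosts.includes(e.host));
    return first !== undefined && first.t > quietSeconds;
  });
  return { hosts, screens, revealedIn, delayedGeoLookup,
           locationDependent: hosts.length + screens.length > 0 };
}

console.log(reviewDivergence(RUNS, ["ipgeo.example"]));
```

A build that contacts an update or content host, or shows a screen, only from some locations is the divergence a single-location review would miss.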

In 2017, Uber was accused of working on a “geofence” for Apple’s Cupertino headquarters. When the app was run inside the geofence, it would automatically disable the code used to fingerprint and track the user across the web. Still, Apple doesn’t seem to have done much to prevent other situations like this from happening.

In 2021, documents revealed that the App Store Review team has more than 500 experts who review more than 100,000 apps each week. Still, the vast majority of apps go through automated review processes to see if they violate App Store guidelines before they are put through the manual review process.

After our articles were published, an Apple spokesperson told 9to5Mac that the apps had been removed from the App Store, but no details were provided about the measures the company had taken to prevent similar apps from being approved.
