So what’s the point of app review in the first place?
Well IMO they shouldn't let web wrappers in... it appears that is what this app is, simply embedding an external site so they changed content once it was approved. I could have sworn there was an App Store policy that prohibited submitting an app that was just a website wrap.
 
People blaming Apple here likely have no idea how apps can function. It’s entirely possible this is either a web app that changed the functionality once it was approved, or if it is a native app, they probably had a remote feature flag that they changed after the app was approved. Both are incredibly simple to implement.

I’m not saying I guarantee Apple is not at fault, but there are VERY simple ways to get past app review and then completely change up the app functionality.

Help me understand. If this is the case, what does that say about security of the App Store?

And are there a flood of apps that are currently in the store that are flying under the radar?
 
There needs to be accountability. They know who clicked "Approve". That person needs to be brought in for their own review and enhanced training.

Apple should publish this type of info — "Johnny B. approved this app on March 7, 2023". Put the name out there for the public to see.

Um, no. Just plain no. Perhaps I missed the /s on your comment. This is and should remain an internal Apple matter. Sorry if I missed the joke.
 
I wonder what/who is to blame here. Does Apple place an unrealistic goal of apps per day on their testers or did one of these folks wake up one day feeling a little lazy?
This is unlikely to be a very well-paid job, and is prone to become all a blur after the first couple hundred app submission reviews. It's a rather thankless task, and Apple probably allows for too little time per review. Anyone really qualified will likely be looking for a more interesting job elsewhere. One thing they could do is to have each submission be reviewed by three or five people independently, and have a majority vote taken.

Edit: Something like #36 is probably correct.
 
I kind of always imagined that Apple had the ability/policy to decompile the source code of all submitted apps and have it automatically checked for signs of nefarious intent, but I guess either they don’t or it’s very difficult to detect.
 
Here's how it got approved:

1. When the App Review team opened it, the app was a vision test. It sent up a request to a URL that has a yes/no flag to turn on the free movies, and the server returned "no".

2. Apple approved the app as a vision test.

3. The developer then switched the flag on the server to a "yes". When the app detected a yes from users who download the app and opened it, it then just shows all the views needed to display the movie stuff.

It's super simple to trick Apple's App Store QA process. It's honestly a false sense of security, like a gated-community. They are still easy to rob, they just put up enough barriers to make it so that you need to know what you're doing.

It's like security by obfuscation. It's not really that secure.
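
Added example, not part of the post above and not Apple's tooling: a reviewer-side helper that takes a launch-time server response captured during review, finds every yes/no-style field, and produces one variant per field with only that value flipped, so the build can be re-run against each variant to see which screens a remote flag controls. The field names and the sample response are constructed; replaying the variants through an intercepting proxy is an assumed workflow.

```python
import copy
import json

# Values that commonly act as on/off switches in remote-config responses.
_TOGGLES = {"yes": "no", "no": "yes", "true": "false", "false": "true",
            "on": "off", "off": "on", "1": "0", "0": "1"}


def _flip(value):
    """Return the opposite of a switch-like value, or None if it is not one."""
    if isinstance(value, bool):          # check bool first: bool is an int subclass
        return not value
    if isinstance(value, int) and value in (0, 1):
        return 1 - value
    if isinstance(value, str) and value.strip().lower() in _TOGGLES:
        return _TOGGLES[value.strip().lower()]
    return None


def _walk(node, path=()):
    """Yield (path, flipped_value) for every switch-like leaf in parsed JSON."""
    items = node.items() if isinstance(node, dict) else (
        enumerate(node) if isinstance(node, list) else ())
    for key, child in items:
        if isinstance(child, (dict, list)):
            yield from _walk(child, path + (key,))
        else:
            flipped = _flip(child)
            if flipped is not None:
                yield path + (key,), flipped


def flipped_variants(body: str):
    """Map each switch-like field to a response body with only that field flipped."""
    doc = json.loads(body)
    variants = {}
    for path, flipped in _walk(doc):
        variant = copy.deepcopy(doc)
        target = variant
        for key in path[:-1]:            # descend to the parent of the leaf
            target = target[key]
        target[path[-1]] = flipped
        variants[".".join(map(str, path))] = json.dumps(variant, sort_keys=True)
    return variants


# Constructed sample: a launch-time response like the one the post describes.
SAMPLE = '{"config": {"show_movies": "no", "min_version": 3, "beta": false}}'
```

A variant that changes what the app displays is a field worth asking the developer about before approval; fields that are not switch-like (such as `min_version` here) are left alone.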
 
Here's how it got approved:

1. When the App Review team opened it, the app was a vision test. It sent up a request to a URL that has a yes/no flag to turn on the free movies, and the server returned "no".

2. Apple approved the app as a vision test.

3. The developer then switched the flag on the server to a "yes". When the app detected a yes from users who download the app and opened it, it then just shows all the views needed to display the movie stuff.

It's super simple to trick Apple's App Store QA process. It's honestly a false sense of security, like a gated-community. They are still easy to rob, they just put up enough barriers to make it so that you need to know what you're doing.

It's like security by obfuscation. It's not really that secure.
If it’s this easy then there are thousands and thousands of corrupt apps on the store.
 
It would be much more secure to install an app from a recognized Trademark owner's website... Microsoft.com let's say (has worked for decades for MacOS). The App Store has so many scam apps leveraging Trademark searches. No way Apple can screen the apps, and I do not believe Apple has any real desire to limit ad dollars for searches on TM names. Yet Apple falsely claims they curate everything creating a very damaging FALSE sense of security for the average user. Of course locking everything into a store controlled by Apple and skimming 30% is a strong incentive to keep the ball rolling. Hard to believe with just about 1K Vision Pro apps that reviewers missed this. Well maybe not given the level of scam apps in the iPhone store.
 
There needs to be accountability. They know who clicked "Approve". That person needs to be brought in for their own review and enhanced training.

Apple should publish this type of info — "Johnny B. approved this app on March 7, 2023". Put the name out there for the public to see.
That’s just insane. Apple wouldn’t find anybody anymore who wants to click the Approve button.
 
As somebody who has submitted >1000 app versions to the App Store, I am occasionally astonished when an app gets approved within 10 minutes of submission. I assume some of the testers are not diligent. Whoever approved this piracy app -- somebody should verify all the other apps they've been approving.
 
There needs to be accountability. They know who clicked "Approve". That person needs to be brought in for their own review and enhanced training.

Apple should publish this type of info — "Johnny B. approved this app on March 7, 2023". Put the name out there for the public to see.
You’re delusional. The one that is accountable is Apple.
 
Here's how it got approved:

1. When the App Review team opened it, the app was a vision test. It sent up a request to a URL that has a yes/no flag to turn on the free movies, and the server returned "no".

2. Apple approved the app as a vision test.

3. The developer then switched the flag on the server to a "yes". When the app detected a yes from users who download the app and opened it, it then just shows all the views needed to display the movie stuff.

It's super simple to trick Apple's App Store QA process. It's honestly a false sense of security, like a gated-community. They are still easy to rob, they just put up enough barriers to make it so that you need to know what you're doing.

It's like security by obfuscation. It's not really that secure.
Apple has built a closed-source ecosystem. It comes with the territory.

People might wonder why open-source is important. Well this is a good example of why.
 