Apple’s App Store Review Process Breaks Down Too Often


The Particle Debris article of the week comes from Zak Doffman at Forbes.

I have written before about the annoying fact that the App Store approval process can’t always catch bad app behavior until it’s observed during testing by skilled researchers. In this case…

A new report from the research team at Wandera claims that 17 apps from one developer load a malicious clicker trojan module on an iOS device.

Apple’s response is intriguing, and it seems a bit weak.

Apple says that the apps in question have been removed from the App Store, and upon examination did not contain the trojan malware as claimed. Instead, the apps were removed for including code that enabled the artificial click-through of ads. A spokesperson for Apple confirmed the removal of the apps and that the App Store’s protective tools have been updated to detect similar apps in the future.

You can read both sides of the story in the article I linked to. But even if the situation weren’t as bad as Apple claims, the fact remains that 1) Apple removed the apps and 2) “protective tools have been updated to detect similar apps in the future.”

This doesn’t make me feel particularly comfortable that Apple’s review process is as robust as it should be. Perhaps the new metric shouldn’t be the number of apps approved, but rather how thoroughly screened they are. Apple is too big and resourceful to have misbehaving apps seep through the cracks in its review process.

The Week’s News Debris

• macOS Catalina won’t run 32-bit apps. But there may be good reasons not to delete them. Glenn Fleishman at Macworld explains.

• In a very, very few cases, the macOS Catalina install is bricking the Mac. It’s something to be aware of but not fret over. “Limited reports of Catalina installation bricking some Macs via EFI firmware.”

It’s clear from the number of reports that this is affecting a number of machines. Equally, there would be a lot more noise if this was a very widespread issue, so all we can say for now is that it appears to be a serious problem affecting a limited number of Macs, with no obvious pattern emerging as yet.

• Are you a bit dazzled and frustrated by the honeycomb display of apps on the Apple Watch? The Verge has the remedy. “How to change the Apple Watch’s honeycomb app display to a list.” And back.

• There are many VPNs to choose from, but picking the best and most responsible one is essential. The Telegraph presents its analysis. “The best VPNs to protect your data, browser, iPhone, Android and more.” ExpressVPN tops the list.

All VPNs aren’t created equal and, in such a crowded market, it’s very important that you do your research to ensure your VPN of choice is secure. Largely, the cheapest options fall short.

Firstly, you need to select a VPN with a no-log policy. Without one, the VPN service itself will be able to track and log what you do online. Where safety is considered, the lack of a no-log policy comes with clear concerns.

• Have you been itching to buy a new Mac Pro? Digital Trends writes: “Your chance to buy Apple’s $6,000 Mac Pro has almost come.”

• Finally, Jonny Evans at Apple Must has some thoughts about Apple TV+ and why content ownership can lead to innovation and experimentation that couldn’t otherwise be achieved. “Apple TV+ will be a playground of possibility.”

The principle of this is solid — in that as the company identifies features missing on conventional existing TV services it can introduce them, experiment with them, and ultimately create cool content people want to see that they then get to experience through the world’s best television watching interface.

Apple always plays the long game, while some observers like to focus on Apple’s initial limitations with a product. But Jonny is on to something here, and he provides several intriguing examples of what Apple might be able to do with 100 percent control of its own TV content down the line.


Particle Debris is generally a mix of John Martellaro’s observations and opinions about a standout event or article(s) of the week, followed by a discussion of articles that didn’t make the TMO headlines, the technical news debris. The column is published most every Friday except for holiday weeks.

Jessie Grayskull

And this is why people should be using VPNs on their phones. Sure, they aren’t catch-alls, but anything you can do to secure your network is worth doing. I have ExpressVPN on my iPhone, but there are tons of other, cheaper options that work well too.

wab95

John: Your lede article raises a number of questions, but at its core, for security professionals, it has to include the methods and metrics by which malicious code is identified prior to release. In addition to mschmitt’s and @brilor’s comments is Doffman’s reporting in the Forbes piece on how these apps were identified, which was post release by a third party using a performance metric, and then working backwards to identify the offending app, its siblings, and the parent company. “Wandera says it discovered the malicious apps when its monitoring platform detected network traffic back to the external C&C server. “That…

brilor

Rather than yanking apps, Apple should consider permanent developer/company bans. All seventeen apps were from the same Indian developer. Following that logic, Apple could do more to vet new developers before granting them access and code signing certificates. As mschmitt notes in his post, the review team has limited access and is really just looking at standards compliance, and notarization is looking for obvious malware. Maybe new developers should only be allowed one app on the store until they have a proven history.

mschmitt

I wouldn’t be that hard on Apple for not detecting all misbehaving apps.

Can tools find all evil code? No, due to the halting problem.

Can the human reviewers find all evil code, even if they know exactly what they’re looking for? No, because there are no limits to the ingenious ways of disguising code behavior. For amazing examples, see the Obfuscated C contest.

mschmitt

Whoops, wrong contest. I meant the Underhanded C Contest, where the goal is to write code that is clear, innocent and straightforward and yet performs some underhanded task that will not be detected by examining the source code — pretty much the opposite of the obfuscated C contest.

brilor

“Can the human reviewers find all evil code?”

And this assumes access to the app’s source code, which Apple’s review team does not.