
Techniques used by developers to bypass App Store review

266 points by giuliomagnifico, 10 months ago

24 comments

waiwai933, 10 months ago
Even if Apple were to defeat the geofencing trick, it's trivial to hide behavior:

1. Make an API call to your server with the build number of the app.
2. Have that API response control whether the "secret" features are available.
3. Only enable each build's secret features once it's passed review.
4. Profit?

No dynamic/interpreted code required.

And there are sufficient variations on this that I would guess it's reducible to the halting problem and thus undecidable.
ec109685, 10 months ago
For those curious, here is Apple’s language on dynamic updates like what codepush allows: https://github.com/microsoft/react-native-code-push#store-guideline-compliance

“Executable Code Except as set forth in the next paragraph, an Application may not download or install executable code. Interpreted code may be downloaded to an Application but only so long as such code: (a) does not change the primary purpose of the Application by providing features or functionality that are inconsistent with the intended and advertised purpose of the Application as submitted to the App Store, (b) does not create a store or storefront for other code or applications, and (c) does not bypass signing, sandbox, or other security features of the OS.”
seanalltogether, 10 months ago
I just used a time-based trick when I needed to push through behavior that Apple didn't like. 20 days after submitting the app, one of the buttons changed its behavior to allow a "File Open" dialog to go directly to the user's root directory.
diebeforei485, 10 months ago
Sidenote: the vast majority of scam apps seem to take people's money using recurring weekly subscriptions.

There are use cases for non-recurring week passes (e.g. VPN app for a week during travel) but recurring weekly payments should require manual approval. Not all apps should be allowed to charge weekly recurring payments.
cobbal, 10 months ago
Calling a piracy app "malicious" seems like a huge stretch. Am I missing something, or was this written by the copyright holders?
deathanatos, 10 months ago
> In 2021, documents revealed that the App Store Review team has more than 500 human experts to review more than 100,000 apps every week.

Ignoring the weasel wording in the sentence, and assuming the reviewers dedicate 100% of their time to reviewing and a standard work week, that's ≈12 minutes per app.
bluish29, 10 months ago
There are Telegram channels/groups with thousands of people interested in the latest app that will survive the App Store review and use it until Apple takes action, and the cycle goes on. There is also a market for signing certificates and Apple developer machines spots so a more tech-savvy audience could sign and install the IPAs directly.
heavyset_go, 10 months ago
The US desperately needs some DMA-like legislation, one company shouldn't be able to hold 60%+ of US users hostage when it comes to installing the apps they want to use.

Similarly, two companies, Apple and Google, shouldn't be able to keep 15% to 30% of all revenue generated in the entire mobile app market.
nottorp, 10 months ago
"Pirate streaming apps"?

I thought it was about how they get Apple to allow those $50/month subscriptions for the flashlight apps...
nox101, 10 months ago
Tons of apps are just a webview of a remote webpage. They update every time the server updates the page. No review required.
ycombinatornews, 10 months ago
There are many more ways to do this. Most iOS developers who ever published apps know that.

Hiding functionality from Apple is a ticket to an account and company ban and is not worth the hassle. Unless it was the intention of the whole enterprise.
Andrew_nenakhov, 10 months ago
We're looking at the wrong problem. The real problem is that developers have to pass (and bypass) reviews at all.

I would not mind Apple doing whatever reviews they want with their own private AppStore if I, the user, could install whatever app I need on the device that I bought by downloading it directly from the developer's website.

Apple maliciously tries to stand between developers and users, with the intent of extortion. Big Brother 2024.
ilrwbwrkhv, 10 months ago
How do these apps like collect cards reach the top of the app store to begin with? Is it because they are simply masquerading as piracy apps? And piracy apps are downloaded a lot?
tempodox, 10 months ago
Sadly Apple doesn't need to be tricked to let spammy and scammy apps into the store. All that song and dance about protecting users is just marketing.
add-sub-mul-div, 10 months ago
Even if it was completely reliable at preventing malicious apps, I couldn't imagine being on a platform that required their permission to run a given piece of code. The fact that it's not reliable makes it even harder to understand why people accept it.
neilv, 10 months ago
But how do developers trick App Store into approving *legitimate* apps?
thih9, 10 months ago
> They’re built on React Native, a cross-platform framework based on JavaScript, and use Microsoft’s CodePush SDK which allows developers to update parts of the app without having to send a new build to the App Store

I don’t see a reason to name Microsoft’s solution specifically.

Firstly, there are other alternatives; also, Microsoft is shutting down parts of their offering; finally, JS apps are comparatively easy to update, even without a tool like this.
Tade0, 10 months ago
Some apps apparently only go through a human after they gain enough traction, as evidenced by the Skacz Kurwa incident:

https://youtu.be/Cw7wke_FtuI?si=3b6f3Ohd4wb_0xVS

Despite (and due to) its very much non-family-friendly title it managed to gain considerable attention before being taken down.
MichaelTheGeek, 10 months ago
What has happened to Phil?
wannacboatmovie, 10 months ago
Newsflash: Apple doesn't care.

I've reported malicious apps.

Provided detailed evidence, etc.

Their security team told me to fuck off.

So I went back to my daily life...

At least I can say I tried. Security doesn't matter; it's the appearance of security that does.

Apple is like the walled fortress with armed guards in freshly pressed uniforms that wave most people through the gate and never check their trunks.
Someone, 10 months ago
100% unrelated: how sites trick users into ‘approving’ cookies.

That site has the most evil consent UI I’ve seen. Not only does it require you to click zillions of checkboxes to withdraw consent, while allowing you to give it with a single click, it also hides most of them behind a “more” button. It’s amazing how many companies claim to have legitimate interest in tracking things…
OsrsNeedsf2P, 10 months ago
I did a short stint for a startup in Korea whose top investor wanted us to get around Apple and Google's 30% cut. After explaining the ToS and how the exemptions didn't apply to us, she set up a meeting with developers from another company she invested in. Those devs, with great smiles on their faces, proceeded to show a remote config that toggled which payment flow a user went through, depending on whether the app version was currently pending review.
fx18011, 10 months ago
There is a popular sports streaming app developed by a Burmese developer. The app looks like a normal sports news app with an instruction to tap the logo and type the number 3 three times in Burmese in the popup textbox. Upon entering the correct numbers, a list of live-streaming football matches appears.
bitpush, 10 months ago
Isn't the whole point of $99 and rigorous checks, and not to mention, all the marketing and legal claims, to say that Apple's App Store review process is foolproof and necessary for their platform?

Also, so funny how 9to5mac messages this. When Apple makes a misstep, it is developers "tricking" App Store, not Apple's incompetence. Let's call it what it is, Apple's review process is mostly security theater.