Provide the necessary information to let the purchaser make the decision. If an app includes Chinese code, APIs or whatever, the developer should simply say so. Then users concerned about potential privacy risk can avoid these apps.
Conversely, apps might be badged in the App Store as "Coded in the US" or "Coded in the UK", and so on.
As with food labelling, consumers should be able to see what they are buying and be able to make decisions accordingly.
False narrative; I didn't mention Google. This isn't limited to the tech field either.
you didn't need to mention google and my point should be obvious -- when apple adds services, it's concerning (are you concerned?). when google adds services, it's normal value add.
It doesn't matter about other stores. What matters is that Apple's security procedures are both taking a public image hit and in some cases are showing themselves to be inadequate.
Other stores put the amount & origin of offensive apps into context -- That's Why.
"Apple's AppStore is unsafe!" Precisely the issue I have with this sort of article being spread. As noted this is TINY percentage of millions of apps. Could be ONLY Chinese AppStore. It's essentially an anti-Apple story. So THAT'S WHY I object to the lack of context.
"Apple's AppStore is unsafe!" Precisely the issue I have with this sort of article being spread. As noted this is .002% of 1.7 BILLION Apps. Could be ONLY Chinese AppStore. It's essentially an anti-Apple story. So THAT'S WHY I object to the lack of context.
I think you probably meant 1.7 MILLION apps and not billion.
This will never stop until Apple starts compiling the apps themselves and stops accepting binary executables.
Malware can be hidden in an app simply by delaying activation until a future date. You submit your app and give a couple weeks for it to be reviewed then the malware activates by itself later.
I'm sure there are much more sophisticated methods also.
The experts think that this particular hidden reaper might be just one of several private APIs that developers sneak through the App Store.
Another report inspected a random set of "2019 applications from the official App Store". About 7% of those used some combination of 150 different private APIs, including "25 security-critical APIs that access sensitive user information, such as device serial number."
Agree that it's a relative drop of water in a bucket. IMHO the takeaway should be that at least a tiny bit of care should be used before any of us add an app to our devices instead of blindly installing stuff willy-nilly. Of course none of the official app stores are malware-infested swamps, but keeping bad players completely out isn't feasible, and curation/sandboxing goes only so far.
"...Apple needs to ban those countries...". Good luck with Apple banning China, given the extent to which they rely on Chinese tech to build their hardware. This is only a high-profile story because blaming "China" is fashionable and always whips up tub-thumping support while deflecting attention away from possible problems with Apple's vaunted app scrutiny. If it happened in the US, those apps would simply have been quietly revoked and nothing said.
The App Store's model is to take care of these issues for the customer, rather than pass the buck to the customers.
It's time for devs to stop trusting Chinese code.
I don't care if this is seen as racist but I specifically do not download apps from Chinese developers. The only Asian developers I would trust are Japanese. Beyond that I first check to see if the dev even has a web presence, whether they are reputable, and what other apps they have created.
I realise this kind of behaviour is well beyond most iOS owners, but seriously... would you trust the names of some of the developers and some of the types of apps on the App Store? As for Chinese... ha, if you trust them then they no longer even feel responsible for stealing from you; that's their business ethos 101.
Is it really that hard to check what data is being collected by an app? I'd envision a test setup where the app runs on a simulated iPhone which monitors any access to phone data and triggers upon any funny stuff. Then you let that simulator run for some time and add typical user interaction, or some subset of the state-space. Hm. Maybe too complex? Alternatively, don't allow access to such data unless it's going through approved APIs.
I agree that one major, and maybe the most significant, advantage and differentiating criterion is that you could trust blindly any app from their store. Not more than other competitors' stores, not 98%. 100%. That's what built the ecosystem.
In this case Apple should have been able to spot it. From the blog post by the company that found the issue, some of the private method names that were being called were just static strings in the binary. How did Apple not spot the method names of their private APIs when they were just there as plaintext strings? They simply must not have been looking for it.
The blog post also said some of the method names were obfuscated and not decoded until runtime, but even then Apple should be able to link against a special version of objc_msgSend as part of testing, and see what the ultimate method names being called were, and recognize any of their private ones.
And as someone said above, quite apart from any App Store scanning or lack thereof, why did the App Sandbox let these calls through at runtime? When an app is launched, can't a check be done to see if it is authored by Apple, and a flag set, and each of these private APIs check the flag and exit() if an app other than an Apple one is trying to use a private API? How many CPU cycles does a boolean check take?
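As an added illustration of the plaintext-string point in the comment above (this is not code from the post, from Apple, or from the company that published the report): a strings-style scanner run over a constructed binary fragment. The selector names in the denylist and the sample bytes are placeholders, not real private API names, and the base64 check shows why a static scan alone misses names that are only decoded at runtime.

```python
import base64
import re

# Constructed denylist standing in for a list of private selectors.
# These are placeholders, not real Apple private API names.
PRIVATE_SELECTORS = {"_privateDeviceSerialNumber", "_privateInstalledAppList"}


def extract_strings(blob: bytes, min_len: int = 4):
    """Return printable ASCII runs from a binary blob, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def find_plaintext_private_selectors(blob: bytes):
    """Selector names that sit in the binary as plain strings (the easy case)."""
    return sorted(s for s in extract_strings(blob) if s in PRIVATE_SELECTORS)


def find_encoded_private_selectors(blob: bytes):
    """Catch selectors hidden behind one trivial encoding (base64).

    Any scheme not tried here, or a name assembled at runtime, is invisible to
    a static scan; that is the case the comment says needs instrumentation of
    objc_msgSend or a monitored simulator run instead.
    """
    hits = []
    for s in extract_strings(blob):
        try:
            decoded = base64.b64decode(s, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or not text once decoded
        if decoded in PRIVATE_SELECTORS:
            hits.append((s, decoded))
    return hits


# Constructed sample "binary": a selector-table fragment with a benign selector,
# one private selector in plaintext, and one private selector base64-encoded.
SAMPLE_BINARY = (
    b"\x00viewDidLoad\x00_privateDeviceSerialNumber\x00"
    + base64.b64encode(b"_privateInstalledAppList")
    + b"\x00\xff\xfe"
)

if __name__ == "__main__":
    print("plaintext hits:", find_plaintext_private_selectors(SAMPLE_BINARY))
    print("encoded hits:", find_encoded_private_selectors(SAMPLE_BINARY))
```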
Where is the list of affected apps? Can't find it anywhere on the Internet. Why cover it up and keep the info in the dark? If Apple had our best interest in mind the list would be public knowledge.
Comments
So, like .002% (256) apps out of 1.7 billion apps... makes headlines...
a
freaking
amazing.
And Apple already removed the apps.
1.7 billion huh? You're off by about, oh, 1.56 billion.
Why isn't iOS sandboxing preventing this crap to begin with?
http://www.statista.com/statistics/276623/number-of-apps-available-in-leading-app-stores/
EDIT: adding link
http://dl.acm.org/citation.cfm?id=2813675
You're off by about 138 million.
Yeah, when I saw 1 million downloads total I was surprised it was so few. That is very few downloads per app as well.