3rd-party ad APIs from China illegally collected data from hundreds of App Store titles

Comments

  • Reply 21 of 45
    Our corporate philosophy: "Mi" take advantage of "You."
  • Reply 22 of 45
    Quote:

    Originally Posted by Adrayven

    So, like .002% (256), apps out of 1.7 billion apps .. makes headlines..
    a
    freaking
    amazing.
    And Apple already removed the apps.

    1.7 billion huh? You're off by about, oh, 1.56 billion.

  • Reply 23 of 45
    cpsro Posts: 2,906 member

    Why isn't iOS sandboxing preventing this crap to begin with?

  • Reply 24 of 45
    You have both the NSA and GCHQ breathing down your necks and you worry about a few e-mail addresses being nicked?
  • Reply 25 of 45

    Provide the necessary information to let the purchaser make the decision. If an app includes Chinese code, APIs or whatever, the developer should simply say so. Then users concerned about potential privacy risk can avoid these apps.

    Conversely, apps might be badged in the App Store as "Coded in the US" or "Coded in the UK", and so on.

    Like food labelling, consumers should be able to see what they are buying and be able to make decisions accordingly.

  • Reply 26 of 45
    nolamacguy Posts: 4,758 member

    False narrative; I didn't mention Google. This isn't limited to the tech field either.

    You didn't need to mention Google, and my point should be obvious -- when Apple adds services, it's concerning (are you concerned?). When Google adds services, it's normal value add.
  • Reply 27 of 45
    h2p Posts: 310 member
    Quote:
    Originally Posted by TheWhiteFalcon

    It doesn't matter about other stores. What matters is that Apple's security procedures are both taking a public image hit and in some cases are showing themselves to be inadequate.

    Other stores put the amount & origin of offensive apps into context -- That's Why.


    "Apple's AppStore is unsafe!" Precisely the issue I have with this sort of article being spread. As noted this is TINY percentage of millions of apps. Could be ONLY Chinese AppStore. It's essentially an anti-Apple story. So THAT'S WHY I object to the lack of context.

  • Reply 28 of 45
    gatorguy Posts: 23,259 member
    h2p wrote: »
    Other stores put the amount & origin of offensive apps into context -- That's Why.

    "Apple's AppStore is unsafe!" Precisely the issue I have with this sort of article being spread. As noted this is .002% of 1.7 BILLION Apps. Could be ONLY Chinese AppStore. It's essentially an anti-Apple story. So THAT'S WHY I object to the lack of context.
    I think you probably meant 1.7 MILLION apps and not billion.

    http://www.statista.com/statistics/276623/number-of-apps-available-in-leading-app-stores/
  • Reply 29 of 45
    mstone Posts: 11,510 member

    This will never stop until Apple starts compiling the apps themselves and stops accepting binary executables.


    Malware can be hidden in an app simply by delaying activation until a future date. You submit your app and give a couple weeks for it to be reviewed then the malware activates by itself later.


    I'm sure there are much more sophisticated methods also.

  • Reply 30 of 45
    fallenjt Posts: 4,034 member
    Hmmm ...the Chinese...no surprise!
  • Reply 31 of 45
    gatorguy Posts: 23,259 member
    h2p wrote: »
    Other stores put the amount & origin of offensive apps into context -- That's Why.

    "Apple's AppStore is unsafe!" Precisely the issue I have with this sort of article being spread. As noted this is TINY percentage of millions of apps. Could be ONLY Chinese AppStore. It's essentially an anti-Apple story. So THAT'S WHY I object to the lack of context.
    The experts think that this particular hidden reaper might be just one of several private APIs that developers sneak through the App Store.

    Another report inspected a random set of "2019 applications from the official App Store". About 7% of those used some combination of 150 different private APIs, including "25 security-critical APIs that access sensitive user information, such as device serial number."

    Agree that it's a relative drop of water in a bucket. IMHO the takeaway should be at least a tiny bit of care should be used before any of us add an app to our devices instead of blindly installing stuff willy-nilly. Of course none of the official app stores are malware-infested swamps but keeping bad players completely out isn't feasible, and curation/sand-boxing goes only so far.

    EDIT: adding link
    http://dl.acm.org/citation.cfm?id=2813675
  • Reply 32 of 45
    "...Apple needs to ban those countries...". Good luck with Apple banning China, given the extent to which they rely on Chinese tech to build their hardware.
    This is only a high-profile story because blaming "China" is fashionable and always whips up tub-thumping support while deflecting attention away from possible problems with Apple's vaunted app scrutiny. If it happened in the US, those apps would simply have been quietly revoked and nothing said.
  • Reply 33 of 45
    crowley Posts: 8,906 member
    Quote:

    Originally Posted by TheWhiteFalcon

    1.7 billion huh? You're off by about, oh, 1.56 billion.

    You're off by about 138 million.

  • Reply 34 of 45
    palegolas Posts: 1,330 member
    Why do they keep doing stuff like this?
  • Reply 35 of 45
    asterion wrote: »
    Provide the necessary information to let the purchaser make the decision. If an app includes Chinese code, APIs or whatever, the developer should simply say so. Then users concerned about potential privacy risk can avoid these apps.
    Conversely, apps might be badged in the App Store as "Coded in the US" or "Coded in the UK", and so on.
    Like food labelling, consumers should be able to see what they are buying and be able to make decisions accordingly.

    The App Store's model is to take care of these issues for the customer, rather than pass the buck to the customers.
  • Reply 36 of 45
    It's time for devs to stop trusting Chinese code..

    I don't care if this is seen as racist, but I specifically do not download apps from Chinese developers. The only Asian developers I would trust are Japanese. Beyond that, I first check to see if the dev even has a web presence, whether they are reputable, and what other apps they have created.

    I realise this kind of behaviour is well beyond most iOS owners but seriously... would you trust the names of some of the developers and some of the types of apps on the AppStore, as for Chinese.. ha, if you trust them then they no longer even feel responsible for stealing from you, that's their business ethos 101.
  • Reply 37 of 45
    Is it really that hard to check what data is being collected by an app? I'd envision a test setup where the app runs on a simulated iPhone which monitors any access to phone data and triggers upon any funny stuff. Then you let that simulator run for some time and add typical user interaction, or some subset of the state space. Hm. Maybe too complex?
    Alternatively, don't allow access to such data unless it's going through approved APIs.

    I agree that one major, and maybe the most significant, advantage and differentiating criterion is that you could blindly trust any app from their store. Not more than other competitors' stores, not 98%. 100%. That's what built the ecosystem.
  • Reply 38 of 45
    ascii Posts: 5,941 member

    In this case Apple should have been able to spot it. From the blog post by the company that found the issue, some of the private method names that were being called were just static strings in the binary. How did Apple not spot the method names of their private APIs when they were just there as plaintext strings? They simply must not have been looking for it.


    The blog post also said some of the method names were obfuscated and not decoded until runtime, but even then Apple should be able to link against a special version of objc_msgSend as part of testing, and see what the ultimate method names being called were, and recognize any of their private ones. 


    And as someone said above, quite apart from any App Store scanning or lack thereof, why did the App Sandbox let these calls through at runtime? When an app is launched, can't a check be done to see if it is authored by Apple, and a flag set, and each of these private APIs check the flag and exit() if an app other than an Apple one is trying to use a private API? How many CPU cycles does a boolean check take?
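
    The two review checks discussed in this post and in Reply 37, a static scan of the binary for plaintext private method names and a runtime hook that sees the selector even when its name is only decoded at runtime, can be sketched in a few lines. The following Python is an added illustration, not code from the thread, from Apple, or from the company that found the issue: the selector names in the denylist, the "binary" bytes and the sample app's behaviour are all constructed placeholders (no real Apple private API names are used), and the day-based delay models the "activate later" trick from Reply 29 to show why a single short dynamic run is not enough. The `enforcing` flag plays the runtime gate proposed above, refusing a private selector from a non-Apple app instead of dispatching it.

```python
from __future__ import annotations

import base64
import re
from dataclasses import dataclass, field

# Constructed denylist of HYPOTHETICAL private selector names. These are
# placeholders for the illustration, not real Apple private API names.
PRIVATE_SELECTORS = {
    "_privateDeviceSerial",
    "_privateInstalledAppList",
    "_privateAppleIDEmail",
}

# The constructed sample app stores one selector name base64-encoded and only
# decodes it at runtime, standing in for the "obfuscated until runtime" case.
OBFUSCATED = base64.b64encode(b"_privateInstalledAppList").decode()

# Constructed stand-in for an app binary: a fake 64-bit Mach-O magic, some
# padding, then a NUL-separated string table like the one `strings` would walk.
SAMPLE_BINARY = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 8
    + b"setFrame:\x00_privateDeviceSerial\x00"
    + OBFUSCATED.encode() + b"\x00"
    + b"viewDidLoad\x00"
)


def static_scan(binary: bytes) -> set[str]:
    """Static check: report private selector names present as plaintext.

    This is the cheap check the post says should have caught the literal
    method names; by construction it cannot see the base64-wrapped one.
    """
    found: set[str] = set()
    for run in re.findall(rb"[\x20-\x7e]{4,}", binary):
        name = run.decode("ascii")
        if name in PRIVATE_SELECTORS:
            found.add(name)
    return found


@dataclass
class Dispatcher:
    """Stand-in for an interposed message dispatcher (the 'special
    objc_msgSend' idea): every send passes through here, so the selector is
    visible even when the app built its name at runtime.

    With enforcing=True it also plays the runtime gate the post proposes:
    a private selector from a non-Apple app is refused instead of dispatched.
    """
    enforcing: bool = False
    app_is_apple: bool = False
    calls: list[str] = field(default_factory=list)

    def send(self, selector: str) -> None:
        if self.enforcing and not self.app_is_apple and selector in PRIVATE_SELECTORS:
            raise PermissionError(f"private selector refused: {selector}")
        self.calls.append(selector)


def run_sample_app(dispatch: Dispatcher, day: int) -> None:
    """Constructed sample app behaviour (not code from any real SDK).

    It sends one public selector, one hypothetical private selector whose
    name is a literal string, and, only once the simulated clock is past
    day 14, a second private selector decoded at runtime. The delay models
    the "activate later" behaviour described in the thread.
    """
    dispatch.send("setFrame:")
    dispatch.send("_privateDeviceSerial")
    if day > 14:
        dispatch.send(base64.b64decode(OBFUSCATED).decode())


def dynamic_scan(day: int, enforcing: bool = False) -> set[str]:
    """Dynamic check: run the app under the hook with the simulated clock at
    `day` and return every private selector that was actually sent."""
    dispatch = Dispatcher(enforcing=enforcing)
    run_sample_app(dispatch, day)
    return {s for s in dispatch.calls if s in PRIVATE_SELECTORS}


def review(binary: bytes, days: tuple[int, ...] = (0, 30)) -> dict[str, set[str]]:
    """Combine both checks. Running the dynamic pass at more than one clock
    setting is what exposes the delayed call; a single short run would not."""
    report = {"static": static_scan(binary)}
    for day in days:
        report[f"dynamic_day_{day}"] = dynamic_scan(day)
    return report


if __name__ == "__main__":
    for check, hits in review(SAMPLE_BINARY).items():
        print(f"{check}: {sorted(hits)}")
```

    Run as a script it prints the static hit, the day-0 dynamic hit (the literal selector only) and the day-30 dynamic hits (both selectors). The point a reviewer takes from the toy is the one the thread circles around: a string scan is cheap and should be run, but only a dispatch-level hook sees runtime-built names, and that hook only sees what the app chooses to do during the run, so review time and simulated state have to be varied rather than fixed.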

  • Reply 39 of 45

    Where is the list of affected apps? Can't find it anywhere on the Internet. Why cover it up and keep the info in the dark? If Apple had our best interest in mind, the list would be public knowledge.

  • Reply 40 of 45
    Quote:

    Originally Posted by Adrayven

    So, like .002% (256), apps out of 1.7 billion apps .. makes headlines..
    a
    freaking
    amazing.
    And Apple already removed the apps.

    Yea, when I saw 1 million downloads total I was surprised it was so few. That is very few downloads per app as well.
