Two scam apps stink up iTunes store, pulled thanks to Reg reader

Apple allowed two scam apps to appear in its App Store - and the dodgy software remained on sale for five days until a Reg reader raised the alarm. The two paid-for programs, built by developer JB Solutions, do not work as advertised in the online shop, sparking a surge in negative feedback comments left by ripped-off fanbois. …

COMMENTS

This topic is closed for new posts.
Silver badge
WTF?

Oh Jeebus Apple

First Maps and now this?

The strongly curated app store is one of the advantages iOS has for ordinary consumers over the more laissez-faire Android Stores (Amazon maybe excepted).

Don't feck up this competitive advantage.

6
1
Silver badge

Re: Oh Jeebus Apple

Curation is BS because unless Apple invent a tool which deconstructs an app and tells you exactly what functionality it offers, there will be malware, or apps which don't do what they claim, or do more than they claim.

It would be trivial to throw an app up on the store which is completely innocuous, e.g. some quote of the day app which downloads some interesting quote every day, and then 100 days down the road instead of downloading a quote of the day it downloads an instruction which puts it in nasty mode and robs your address book, or sends you off to a website where some malicious payload is lurking.

Chances are Apple wouldn't find it either until it was too late.

4
3
Silver badge

Re: Oh Jeebus Apple

[mode=bewildered]

But surely the vetting process begins with someone *loading* the app to see what it does and what it looks like? I mean, if they are not doing that, how can they make any kind of judgement at all?

8
1
Silver badge

@DrXym - Re: Oh Jeebus Apple

How do you know they don't? It's not that hard to spot an API call in an iOS binary, or they can run the app inside of an emulated environment and see what it calls.

1
2
Silver badge

Re: @DrXym - Oh Jeebus Apple

Because it's impossible.

Calling an API doesn't show malicious intent. My hypothetical quote of the day app has a legitimate reason to hit some url to fetch the quote. Maybe it also fetches a graphic too and a bit of meta data. All very innocent. I could easily craft some code which throws an exception only with the malicious content, e.g. maybe a title which is 256 characters causes an exception to throw and somewhere up the chain it redirects the user to a "report error" page url. When Apple test it, even if they spot the report error url, it all looks legit. Perhaps my app also has some legitimate reason to look in my contacts, e.g. offering me the feature to email a quote of the day to a friend, but when operating maliciously it actually steals my address book by accidentally not null terminating a character array which just happens later to be used in the report error screen. It's so easy.

Short of someone doing a line by line security audit, feeding the app with every possible input Apple will NEVER find this.

This is why curation is false security. I'm sure Apple do have scanners which look for signatures of known trojans, command and control urls, and might even give the app a cursory once over in some virtual machines with different date and time parameters and so on. But it's not hard for someone to circumvent this. Look how many phony apps already get through. Look how many apps turn out to be stealing data already. Apple didn't catch these. There's no reason to think they'd catch my hypothetical app either.

8
1

Anonymous Coward

Still only

Still only a fraction of the malware found on Android.

2
4
Anonymous Coward

Ha ha ha ha ha ha ha

Sound of Fandroids laughing out loud at Apple misfortune.......

Until they get their phone bill and find their Android apps have been phoning premium rate numbers without their knowledge.....

1
4
Anonymous Coward

Re: Ha ha ha ha ha ha ha

I'm not laughing at Apple's misfortune.

I am laughing at those iPhone owners who don't know what their phone can and cannot do... NFC app? Seriously?

1
0
IT Angle

How the hell did the NFC app get through the App checking people? The phone doesn't even support it, so surely something with NFC in the title would be heavily reviewed.

I thought Apple were crunching down on the amount of shit soundboards, barely functional and fake apps from people tryna get into the appstore.

10
0

Seems to me

That it almost certainly wasn't labelled as an NFC app when it was reviewed, sounds like it was a radio app, ditto for the other one, which seems to be an alarm clock.

What I'm guessing happened here is that a dev submitted the dull apps, got them approved then later changed the descriptions and screenshots in the store to represent them as something else.

I don't understand why though as Apple are clearly going to get wind of this sort of thing and boot the dev from the store long before the dev receives a payment from Apple.

1
0
Alert

Re: Seems to me

Jubtatisc1 hit the nail on the head.

The problem is that while apps are initially fully reviewed, changes to descriptions aren't - this is to allow developers to quickly communicate problems or quick promotions without waiting a week for the new description to be approved.

Maybe what's needed is a method to allow small description updates, but not allowing major rewriting of what the app does.

1
0
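The gate suggested in the comment above, sketched as an added example that is not part of the original thread and does not describe any store's actual process. The capability-term list, the 0.6 threshold and the sample listings are all assumptions constructed for illustration:

```python
import re
from difflib import SequenceMatcher

# Hypothetical list of terms treated as functional claims about an app.
CAPABILITY_TERMS = {"nfc", "payments", "radio", "alarm", "camera", "gps", "bluetooth"}


def tokens(text):
    """Lower-cased word set, punctuation stripped."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def review_decision(reviewed, proposed, min_similarity=0.6):
    """Decide whether a description edit can skip human review.

    reviewed -- description text that passed the original app review
    proposed -- description text the developer now wants to publish
    Returns (decision, reasons); decision is "auto-approve" or "re-review".
    """
    reasons = []

    # 1. Any capability the reviewed listing never claimed forces a re-review,
    #    however small the textual change is.
    new_claims = (tokens(proposed) & CAPABILITY_TERMS) - tokens(reviewed)
    if new_claims:
        reasons.append("new capability claims: " + ", ".join(sorted(new_claims)))

    # 2. A wholesale rewrite forces a re-review even without a listed term.
    ratio = SequenceMatcher(
        None, reviewed.lower().split(), proposed.lower().split()
    ).ratio()
    if ratio < min_similarity:
        reasons.append(f"similarity {ratio:.2f} below {min_similarity}")

    return ("re-review" if reasons else "auto-approve", reasons)


# Constructed sample listings (not the real store text).
REVIEWED = "Listen to internet radio stations. Save your favourite stations as presets."
PROMO = REVIEWED + " Half price this week!"
REWRITE = "Enable NFC on your iPhone 5 and make wireless payments."

if __name__ == "__main__":
    print(review_decision(REVIEWED, PROMO))
    print(review_decision(REVIEWED, REWRITE))
```

The promotional edit passes untouched, while the radio-to-NFC rewrite is held for both reasons; screenshots would need their own comparison, which this sketch does not attempt.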
Anonymous Coward

"The second dodgy program, NFC for iPhone 5, cost $0.99 (£0.69) and promised to enable Near-Field Communications support - useful for making wireless payments - in the smartmobe."

So all those fannybois who dismissed NFC in competitors' phones as a fad, s*ck it! Your brethren seem to think otherwise!

4
5
Anonymous Coward

disgusting complacency from apple

and the New World Order

1
2
Paris Hilton

Not surprised...

As an iOS dev I can only say that Apple's store checking procedures are a bit.. mixed? I've seen numerous examples of blatantly dodgy apps going through and scamming lots of customers. They've usually got professionally designed screenshots (usually with sexy women), poor descriptions (probably machine translated from Chinese), and they're generally clones of popular apps (like Camera+ Pro instead of Camera+). The actual apps are generally nothing like the description, and crap.

I've also had my own apps rejected for the most trivial of reasons - you wouldn't believe how strict they can be when they want to be. One app was rejected for having a small icon for an Apple app visible in part of a screenshot, which was considered abuse of Apple's copyrighted material (yes, an icon that's included in iOS, in a screenshot for an iOS-only app for the iOS-only app store - the horror!) Clearly the reviewer was going through with a fine-toothed comb that day!

5
0
Anonymous Coward

Oh dear...

The fanboy high horse is starting to resemble a dwarf three legged donkey.

11
3
Silver badge

Why the complaints?

The Apple App police only check new apps to make sure they don't compete with Apple's own brand and software. iPhones don't support NFC so there isn't any Apple software for it, so any app that claims to offer NFC support doesn't compete, so it's allowed through. Obvious.

2
3

Oh dear ....

Oh dear .... I thought I was in danger for having cheap and nasty Android shit with apps like that. Imagine if I'd spent all that money on an iphone ......

3
2
Anonymous Coward

"It's not clear whether the phony apps pose a security risk, but it is clear users ended up paying out for software completely unlike what was expected."

inb4

"It's not clear whether the phones pose a security risk, but it is clear users ended up paying out for hardware completely unlike what was expected."

0
1
Angel

Learn from Google Play?

What they need is some sort of trial system, where you can cancel the purchase within 15 minutes of download. I have made use of this multiple times on the Google store.

7
0
Unhappy

Why...

Do they allow users to report dodgy feedback but they don't provide a Report App button?

It would be so easy to add to the App store and make reporting of dodgy Apps so much easier!

3
4
Holmes

Because....

They don't give a shit

6
5
Anonymous Coward

Re: Why...

There is a "Report a problem" link for each purchase, both on iTunes and on the receipt e-mail.

1
0

Silver badge

Jeopardy: Downs syndrome edition.

Actually, never mind that, what the fuck is "Jeopardy: Downs syndrome edition." supposed to mean?

3
1
Anonymous Coward

Ha, ha.

<irony>

Only 146 of the 28398 items of Android malware came from the Google Play store, so who's laughing now.

</irony>

http://thenextweb.com/google/2012/11/13/android-malware-surged-in-q3-sure-but-only-0-5-came-from-google-play/

1
0
xyz
Devil

At least the Cuperbois replied to El Reg for once!

That in itself is something of a miracle...must be near Xmas. I had a feeling the AppStore(tm) guardians were too cool to work.

0
0

JB Solutions

Hmmm...that dev wouldn't be 'JB Solutions' as in 'Jelly Bean Solutions' now would it?! An Android fanboi's way of taking a swipe at 2 glaring omissions from the best phone OS in the world, brought to you by the patented shape 'rectangle'. I have no idea what you mean - I'm completely impartial.

0
0
Anonymous Coward

kekekeke...

Do Apple loving sheep really have the right to complain about losing (or in this case, wasting) money?

1
3
Go

You can easily contact Apple and complain about dodgy apps that don't do what they say, I've done it for a few apps and always been refunded the very same day, no questions asked.

2
1
Silver badge
Trollface

Shocked and Stunned...

... that Apple even gave a reply (even if it was only "thanks for bringing it to our attention")

0
0
Joke

Never mind this. There's an app on my wife's iPad pretending to be a map application

5
0

Awww... and I was wondering if the NFC app allowed you to input your own radio stream presets ;)

0
0
Silver badge
Joke

Wait, wait, wait, hold up a second here...

"They were eventually pulled last night after we contacted the fruity firm."

You mean Apple is taking calls from el reg now?

0
0
Gimp

>You can easily contact Apple and complain about dodgy apps that don't do what they say, I've done it for a few apps and always been refunded the very same day, no questions asked.<

You're lying (no offence), when I got an app that didn't do what it said, a process killer, it took about a week of emails back and forth to Apple before they refunded me. Also, in the terms and conditions, you have no right to ask for a refund on apps you don't like, and very few people do get refunds, though many people complain, which you can check out in the Apple forums. Some complaints even mention not getting responses back from Apple.

0
0
Happy

that must have stung Apple to be informed of something by El Reg...

... and to have to respond as well.

0
0