The App Store was tricked into approving malicious apps

Some unscrupulous developers still find ways to bypass the App Store's strict review process and publish malicious applications on Apple's store.

The App Store's review process is considered many times stricter than that of Google's Play Store.

But last month, 9to5mac discovered that the Collect Cards: Store box app had been on the App Store for more than a year, with screenshots of a simple interface that present it as photo and video management software.

Once downloaded, however, Collect Cards: Store box turns into a pirate streaming platform, with content from Netflix, Disney+, Amazon Prime Video, HBO Max, and even Apple TV+. Although it had been on the App Store for a long time, this pirate application was only discovered when it reached the top 2 most downloaded free applications on the App Store in Brazil.


After analyzing the source code of Collect Cards: Store box and a number of similar applications on the App Store, 9to5mac's experts found that most of them share the same code base even though they are distributed by different developer accounts. These pirated apps are built on React Native, a cross-platform framework based on JavaScript, and use Microsoft's CodePush SDK, which lets developers update parts of the app without having to submit a new build to the App Store.

Using React Native and CodePush does not violate App Store rules, and many popular apps do the same. However, "malicious" developers have exploited this technology to bypass the App Store's review process.

Once Apple approves an app with basic functionality, the developers use CodePush to update whatever they want, and the app runs its actual functionality in "safe" locations.
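
For teams that vet iOS apps before allowing them on managed devices, the combination described above (a React Native bundle plus a CodePush configuration) can be detected statically. The Python script below is an added example, not code from 9to5mac or from the apps discussed. It assumes the IPA uses the standard Payload/<Name>.app layout and that CodePush is configured through the SDK's Info.plist keys CodePushDeploymentKey or CodePushServerURL; the sample IPA is constructed for the demonstration.

```python
import io
import plistlib
import zipfile

# Info.plist keys read by the react-native-code-push SDK (assumed to be the
# way the audited app configures CodePush).
CODEPUSH_PLIST_KEYS = ("CodePushDeploymentKey", "CodePushServerURL")


def audit_ipa(ipa_bytes: bytes) -> dict:
    """Report whether an IPA ships a JS bundle and a CodePush configuration."""
    report = {"react_native_bundle": False, "codepush_keys": [],
              "ota_update_capable": False}
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as ipa:
        for name in ipa.namelist():
            parts = name.split("/")
            # Only inspect files inside Payload/<Name>.app/
            if len(parts) < 3 or parts[0] != "Payload" or not parts[1].endswith(".app"):
                continue
            rel = "/".join(parts[2:])
            if rel.endswith(".jsbundle"):  # React Native default: main.jsbundle
                report["react_native_bundle"] = True
            elif rel == "Info.plist":
                # plistlib.loads accepts both XML and binary plists
                plist = plistlib.loads(ipa.read(name))
                report["codepush_keys"] = [k for k in CODEPUSH_PLIST_KEYS if k in plist]
    # Both signals together mean the JavaScript can change after review.
    report["ota_update_capable"] = (report["react_native_bundle"]
                                    and bool(report["codepush_keys"]))
    return report


def build_sample_ipa(info_plist: dict, extra_files=()) -> bytes:
    """Constructed test input: a minimal IPA-shaped zip, not a real app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Sample.app/Info.plist", plistlib.dumps(info_plist))
        for path in extra_files:
            z.writestr("Payload/Sample.app/" + path, b"")
    return buf.getvalue()


if __name__ == "__main__":
    flagged = build_sample_ipa(
        {"CFBundleIdentifier": "com.example.sample",        # constructed value
         "CodePushDeploymentKey": "CONSTRUCTED-PLACEHOLDER"},
        ["main.jsbundle"])
    print(audit_ipa(flagged))
```

A positive result only means the app can change its JavaScript after review, which is permitted and common; treat it as a reason to re-check the app's behaviour over time, not as proof of abuse.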

Currently, Apple has removed the related applications and declined to comment.
