Archive for February 21, 2023

Tuesday, February 21, 2023

Scam Authenticator App Steals QR Codes

Ben Lovejoy:

Twitter’s latest bonehead move has led to a flurry of scam authenticator apps, with at least one of them using App Store advertising to figure prominently in search results – and then sending all scanned QR codes to the developer’s analytics service.


Developer and security researcher Mysk quickly spotted a whole bunch of suspiciously-similar apps, all of which demand an in-app subscription purchase in order to scan QR codes.


At least one of these tries to force you to subscribe even if you tap the close box.

Not only were a dozen of these apps approved by App Review, but they’re also promoted by App Store search ads. The point is not that Apple should have caught this but that, in general, they can’t, so they should not be claiming to keep you safe. Apple’s ads, its store, and the illusion of safety it projects make people more likely to get themselves into trouble than they would be if they somehow discovered and trusted an unknown authenticator app on a random Web site.

Via Jeff Johnson, whose app was recently rejected:

This screenshot wasn’t taken by App Store review though; it’s one of my own App Store screenshots! In fact it’s not even a new screenshot, as you can see from the date “Sat Oct 2”, but just an old screenshot carried forward from an earlier version of StopTheScript (in the App Store since October 2021). As I said, nothing changed in the new version except the launch screen.


App Store Review should know how to use Safari extensions, and understand the Safari permissions system, since they review Safari extensions, right?


Update (2023-02-23): Mysk:

One of the sketchy authenticator apps

Website: A Google Docs form
Privacy policy: A Google Docs page
Ratings: 4.9/5

App Review team: Spotify’s new audiobooks offering breaks the rules governing how developers may communicate with customers


These two scam authenticator apps are very similar. Their binaries clearly show that they’re clones. It’s funny that their support links redirect to the same Google Docs form 🤦‍♂️. They’re published by two different registered businesses. Both apps are now removed ✌️

Update (2023-02-27): Mysk:

Many iPhone users are asking us to recommend safe authenticator apps. Well, the App Store is making it useless to recommend any app. No matter what you search for, the top hit is almost always an ad for a scam app.

Paul Ducklin:

When we tried searching on the App Store, for example, our top hit was an app with a description that bordered on the illiterate (we’re hoping that this level of unprofessionalism would put at least some people off right away), created by a company using the name of a well-known Chinese mobile phone brand.

Given the apparent poor quality of the app (though it had nevertheless made it into the App Store, don’t forget), our first thought was that we were looking at out-and-out company name infringement.

We were surprised that the presumed imposters had been able to acquire an Apple code signing certificate in a name we didn’t think they had the right to use.

We had to read the company name twice before we realised that one letter had been swapped for a lookalike character, and we were dealing with good old “typosquatting”, or what a lawyer might call passing off – deliberately picking a name that doesn’t literally match but is visually similar enough to mislead you at a glance.

Fines As a Security System

Chris Hulls:

What happened is that the thief who took Lyndsey’s bike got an alert that proactively told her an AirTag was following her location. And, after Apple’s most recent firmware update (December 2022), the thief could even use the precision finding feature to find the exact location — down to the inch — where the tag was hidden.

This feature was designed solely to prevent stalking so that victims of stalkers could identify if an unknown AirTag was following them. So there is no anti-theft feature built into AirTags, and the anti-stalking feature could worsen the already increasing theft issue.

Juli Clover (Hacker News):

AirTag competitor Tile today announced a new Anti-Theft Mode for Tile tracking devices, which is designed to make Tile accessories undetectable by the anti-stalking Scan and Secure feature.


To prevent stalking with Anti-Theft Mode, Tile says that customers must register using multi-factor identification and agree to stringent usage terms, which include a $1 million fine if the device ends up being used to track a person without their consent.

Bruce Schneier:

Interesting theory. But it won’t work against attackers who don’t have any money.


My complaint about the technical solutions is that they only work for users of the system. Tile security requires an “in-app feature.” Apple’s AirTag “notifies iPhone users.” What we need is a common standard that is implemented on all smartphones, so that people who don’t use the trackers can be alerted if they are being surveilled by one of them.

Chris Hulls:

Life360/Tile CEO. I came up with this idea, not our lawyers, as they would be the first to say it is unclear how enforceable this is. But what IS clear is that, based on our new TOS, and because this is opt-in, we definitely could take a flyer in court, and who knows?

Do you want us to unleash millions of dollars of lawyers on you? I don’t think many people will want to find out. I genuinely believe this plus ID scanning will be a huge deterrent. Stalkers will go buy $30 real time stealth GPS trackers on Amazon instead.


Fake Uber Eats Delivery From Apple Store

Joe Rossignol:

The latest cautionary tale was shared this week by a Reddit user in California, who claimed that the iPhone 14 Pro Max and Apple Watch Ultra they ordered through Apple’s online store with same-day delivery was falsely marked as delivered by the Uber Eats driver assigned to deliver the order. The customer contacted Apple’s customer service team, but claimed that Apple ultimately declined to offer a refund for the $2,098 purchase, despite the customer having video evidence of waiting outside for the delivery at the address provided.


The customer said they were informed by Apple that “our carrier has completed the requested investigation, and no further action will be taken by Apple.”


The underlying issue appears to be that Apple and its courier partners like Uber have inadequate measures in place to prove that an order was actually delivered, leaving the burden of proof on the customer in incidents where theft may have occurred.


In an update to their Reddit post today, the customer from California claims that a member of Apple’s leadership team contacted them and agreed to issue a full refund for the cost of the items.

Going to the press…


Google Gives Apple a Cut of Chrome iOS Search Revenue

We’ve known that Google pays Apple billions for Google searches from Safari, but I had missed that Google is also paying for searches made through Chrome.

Bloomberg (in 2020, via Chance Miller):

Apple also gets a slice of revenue from searches made through some of Google’s own apps, such as Chrome, installed on iPhones, iPads, and Macs[…]

Thomas Claburn:

This is one of the aspects of the relationship between the two tech goliaths that currently concerns the UK’s Competition and Markets Authority (CMA).


The British competition watchdog is worried that Google’s payments to Apple discourage the iPhone maker from competing with Google. Substantial payments for doing nothing incentivize more of the same, it’s argued.

This perhaps explains why Apple, though hugely profitable, has not launched a rival search engine or invested in the development of its Safari browser to the point that it could become a credible challenger to Chrome.

See also: MacRumors and Hacker News.


Web Push for Web Apps on iOS and iPadOS

Brady Eidson and Jen Simmons (Hacker News):

Today also brings the first beta of Safari 16.4. It’s a huge release, packed with over 135 features in WebKit — including RegExp lookbehind assertions, Import Maps, OffscreenCanvas, Media Queries Range Syntax, @property, font-size-adjust, Declarative Shadow DOM, and much more.


Now with iOS and iPadOS 16.4 beta 1, we are adding support for Web Push to Home Screen web apps. Web Push makes it possible for web developers to send push notifications to their users through the use of Push API, Notifications API, and Service Workers all working together.

A web app that has been added to the Home Screen can request permission to receive push notifications as long as that request is in response to direct user interaction — such as tapping on a ‘subscribe’ button provided by the web app. iOS or iPadOS will then prompt the user to give the web app permission to send notifications. Once allowed, the user can manage those permissions per web app in Notifications Settings — just like any other app on iPhone and iPad.


In iOS and iPadOS 16.4 beta 1, third-party browsers can now offer their users the ability to add websites and web apps to the Home Screen from the Share menu.

John Gruber:

Push notifications are foremost, but a lot of longstanding feature requests for web apps are being added with this release. […] It’s impossible to say whether increased regulatory scrutiny has changed Apple’s priorities regarding iOS’s support for web apps, but it sure seems like a factor.

Jack Wellborn:

While I no longer think embracing PWAs might ease regulatory pressure, my take that Apple should embrace PWAs as a way to control the experience is aging quite nicely.


Update (2024-05-03): Brian Lovin:

You can spend all the time you want building a PWA, but at the end of the day, push notifications will just randomly stop delivering until the app is re-opened.

Apple went halfway.