Archive for July 31, 2025

Thursday, July 31, 2025

Tea and the App Store

John Gruber (Mastodon, Hacker News):

I might be forgetting or unaware of previous similar situations, but I can’t recall anything like this before, where an app riddled with outrageous security/privacy vulnerabilities remains virally popular. A Hacker News thread from earlier today debates why the app is even still available on the App Store.

So is it Apple’s place to yank the app? It feels wrong to me that Apple should completely remove Tea from the App Store, but it’s also true that one of Apple’s fundamental pitches for the App Store — and the App Store’s exclusivity for app distribution in most of the world — is that iOS users can trust any and all apps in the App Store because they’re vetted by Apple. But here’s Tea, sitting at #3, providing a service that many women want, and the entire thing is shockingly untrustworthy. (I fully expect more vulnerabilities to be found and exploited.)

[…]

I strongly suspect that while Google hasn’t removed Tea from the Play Store, that they’ve delisted it from discovery other than by searching for it by name or following a direct link to its listing. That both jibes with what I’m seeing on the Play Store top lists, and strikes me as a thoughtful balance between the responsibilities of an app store provider.

Apple’s guidelines:

Protecting user privacy is paramount in the Apple ecosystem, and you should use care when handling personal data to ensure you’ve complied with privacy best practices, applicable laws, and the terms of the Apple Developer Program License Agreement, not to mention customer expectations.

[…]

All apps must include a link to their privacy policy in the App Store Connect metadata field and within the app in an easily accessible manner.

[…]

Explain its data retention/deletion policies and describe how a user can revoke consent and/or request deletion of the user’s data.

Tea’s privacy policy:

We retain personal information we collect from You where we have an ongoing legitimate business need to do so (for example, to provide you with a service you have requested or to comply with applicable legal, tax, or accounting requirements). When we have no ongoing legitimate business need to process personal information, we will either delete or anonymize it or, if this is not possible (for example, because personal information has been stored in backup archives), then we will securely store personal information and isolate it from any further processing until deletion is possible.

Tea:

Your data privacy is of the utmost importance to us. We are taking all necessary measures to strengthen our security posture and ensure that no further data is exposed.

[…]

This data was originally archived in compliance with law enforcement requirements related to cyber-bullying prevention. At this time, we have no evidence to suggest that photos can be linked to specific users within the app.

This last sentence turned out to be false.

Sploitlight

Microsoft Threat Intelligence (MacRumors):

Microsoft Threat Intelligence has discovered a macOS vulnerability that could allow attackers to steal private data of files normally protected by Transparency, Consent, and Control (TCC), such as files in the Downloads folder, as well as caches utilized by Apple Intelligence. While similar to prior TCC bypasses like HM-Surf and powerdir, the implications of this vulnerability, which we refer to as “Sploitlight” for its use of Spotlight plugins, are more severe due to its ability to extract and leak sensitive information cached by Apple Intelligence, such as precise geolocation data, photo and video metadata, face and person recognition data, search history and user preferences, and more. These risks are further complicated and heightened by the remote linking capability between iCloud accounts, meaning an attacker with access to a user’s macOS device could also exploit the vulnerability to determine remote information of other devices linked to the same iCloud account.

[…]

On modern macOS systems, Spotlight plugins are not even permitted to read or write any file other than the one being scanned. However, we have concluded that this is insufficient, as there are multiple ways for attackers to exfiltrate the file’s contents.

[…]

Change the bundle’s Info.plist and schema.xml files to declare the file types they wish to leak in UTI form. Since we assume an attacker runs locally, this is always possible to resolve, even for dynamic types.

Copy the bundle into ~/Library/Spotlight directory. Note the bundle does not need to be signed at all.
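The two steps above are the whole attacker setup: an unsigned bundle whose Info.plist claims the UTIs it wants, dropped into ~/Library/Spotlight. The flip side for a defender is an audit of that directory. The script below is an added example (not Microsoft's or Apple's code, and not part of the original post): it enumerates `*.mdimporter` bundles, reads the `LSItemContentTypes` each one claims from `CFBundleDocumentTypes` in its Info.plist (schema.xml is not parsed), and asks `codesign` whether the bundle is signed at all. The list of catch-all UTIs (`public.item`, `public.data`, `public.content`) used to flag an importer that would be handed nearly every indexed file is an assumption of mine, as are the two constructed sample bundles in `demo_audit()`; when `codesign` is not on the PATH (any non-macOS host) the signature status is reported as `unknown` rather than guessed.

```python
"""Audit user-installed Spotlight importer bundles (~/Library/Spotlight)."""
import plistlib
import shutil
import subprocess
import tempfile
from pathlib import Path

# Assumption: an importer claiming one of these catch-all UTIs will be handed
# almost any file Spotlight indexes, which is exactly what an exfiltrating
# importer wants.  Narrow the set for your own environment.
CATCH_ALL_UTIS = frozenset({"public.item", "public.data", "public.content"})


def declared_utis(bundle: Path) -> list[str]:
    """UTIs the importer claims via CFBundleDocumentTypes/LSItemContentTypes
    in Contents/Info.plist.  Missing plist -> no claims."""
    info = bundle / "Contents" / "Info.plist"
    if not info.is_file():
        return []
    with info.open("rb") as fh:
        plist = plistlib.load(fh)  # handles both XML and binary plists
    utis: list[str] = []
    for doc in plist.get("CFBundleDocumentTypes", []):
        utis.extend(doc.get("LSItemContentTypes", []))
    return utis


def signature_status(bundle: Path) -> str:
    """'signed' or 'unsigned' per codesign; 'unknown' when codesign is absent
    (i.e. this is not running on macOS)."""
    if shutil.which("codesign") is None:
        return "unknown"
    res = subprocess.run(
        ["codesign", "--verify", "--deep", "--strict", str(bundle)],
        capture_output=True, check=False,
    )
    return "signed" if res.returncode == 0 else "unsigned"


def audit_importers(spotlight_dir: Path) -> list[dict]:
    """One record per *.mdimporter bundle.  'suspicious' is set when the
    bundle claims a catch-all UTI or is known to be unsigned."""
    findings = []
    for bundle in sorted(spotlight_dir.glob("*.mdimporter")):
        utis = declared_utis(bundle)
        sig = signature_status(bundle)
        findings.append({
            "bundle": bundle.name,
            "utis": utis,
            "signature": sig,
            "suspicious": bool(CATCH_ALL_UTIS & set(utis)) or sig == "unsigned",
        })
    return findings


def write_sample_importer(spotlight_dir: Path, name: str, utis: list[str]) -> Path:
    """Constructed sample bundle for the demo: only an Info.plist, no code."""
    bundle = spotlight_dir / f"{name}.mdimporter"
    (bundle / "Contents").mkdir(parents=True, exist_ok=True)
    plist = {
        "CFBundleIdentifier": f"com.example.{name}",
        "CFBundleDocumentTypes": [
            {"CFBundleTypeRole": "MDImporter", "LSItemContentTypes": utis},
        ],
    }
    with (bundle / "Contents" / "Info.plist").open("wb") as fh:
        plistlib.dump(plist, fh)
    return bundle


def demo_audit() -> list[dict]:
    """Run the audit over two constructed bundles in a temp dir instead of
    the live ~/Library/Spotlight: one narrow importer, one catch-all."""
    with tempfile.TemporaryDirectory() as tmp:
        spotlight = Path(tmp) / "Library" / "Spotlight"
        spotlight.mkdir(parents=True)
        write_sample_importer(spotlight, "NotesImporter", ["com.example.notes"])
        write_sample_importer(spotlight, "GrabAll", ["public.item", "public.data"])
        return audit_importers(spotlight)


if __name__ == "__main__":
    # Real run: inspect the current user's Spotlight importer directory.
    for rec in audit_importers(Path.home() / "Library" / "Spotlight"):
        flag = "!!" if rec["suspicious"] else "  "
        print(f"{flag} {rec['bundle']:<40} {rec['signature']:<8} {', '.join(rec['utis'])}")
```

On a real Mac the `__main__` block lists every importer under the home directory; anything unsigned, or claiming a catch-all type, deserves a look at what its importer binary does with the file it is handed. A system-wide sweep would also cover /Library/Spotlight and the importers inside application bundles, which this example leaves out.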

Sergiu Gatlan:

In recent years, Microsoft security researchers have found multiple other severe macOS vulnerabilities, including a SIP bypass dubbed ‘Shrootless’ (CVE-2021-30892), reported in 2021, which enables attackers to install rootkits on compromised Macs.

More recently, they discovered a SIP bypass dubbed ‘Migraine’ (CVE-2023-32369) and a security flaw named Achilles (CVE-2022-42821), which can be exploited to install malware using untrusted apps that bypass Gatekeeper execution restrictions.

Last year, they reported another SIP bypass flaw (CVE-2024-44243) that lets threat actors deploy malicious kernel drivers by loading third-party kernel extensions.

Csaba Fitzl:

Apple failed to fix this so many times. I first reported this back in macOS Big Sur, and it’s literally detailed in my EXP-312 course in “Bypass TCC via Spotlight Importer Plugins”

Csaba Fitzl:

Then I reported it again and it was fixed as CVE-2024-54533.

Looks like it still wasn’t fixed properly.

See also: Howard Oakley.
