Collect Cards Bypassing App Review via CodePush
A peculiar app called “Collect Cards: Store box” has been available on the App Store for over a year. The App Store description doesn’t say much about it, while the screenshots show a simple interface with what appears to be an app for managing photos and videos.
But in reality, when users download the app, it turns into a pirate streaming platform, with content from Netflix, Disney+, Amazon Prime Video, HBO Max, and even Apple TV+.
Although this app has gone unnoticed all this time, it recently reached #2 among the most downloaded free apps in the App Store in Brazil.
Following the publication of our article, Apple removed the app. However, it seems that the developers have once again tricked the company into approving not just one, but multiple pirate streaming apps on the App Store.
Filipe Espósito (via Hacker News):
In our original report, we explained that these apps use geofencing to prevent anyone at Apple from seeing what the app is actually capable of. But by analyzing the code of these apps, we now have a better idea of how this happens.
As we guessed, these apps share the same code base – even if they are distributed by different developer accounts. They’re built on React Native, a cross-platform framework based on JavaScript, and use Microsoft’s CodePush SDK which allows developers to update parts of the app without having to send a new build to the App Store.
[…]
After Apple approves the app with its basic functionalities, developers use CodePush to update it with anything they want. The app then reveals its true interface in “safe” locations.
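The combination Espósito describes, a React Native bundle that can be swapped at runtime through CodePush and whose behaviour is gated on device location, is also what an analyst can look for when triaging an extracted IPA. The script below is an added example, not code from 9to5Mac or from the apps in question: it scans the text of a JS bundle and an Info.plist for those two ingredients and reports a verdict. The regexes, the sample bundle, the plist text and the deployment key are constructed for this illustration; the only facts it relies on are that the CodePush SDK is wired in via `react-native-code-push` / `codePush.sync()` and that iOS builds carry the key under `CodePushDeploymentKey` in Info.plist.

```javascript
// Static triage of a React Native bundle for "remote-updatable + location-gated"
// behaviour. Added example, not from the article or the apps it describes.
// Pattern names and sample inputs are this example's own assumptions.

// Indicators that the CodePush SDK (over-the-air JS updates) is present.
const CODEPUSH_PATTERNS = [
  /react-native-code-push/,
  /\bcodePush\.sync\s*\(/,
  /CodePushDeploymentKey/,
  /codepush\.appcenter\.ms/,
];

// Indicators that the bundle reads the device location.
const GEOLOCATION_PATTERNS = [
  /navigator\.geolocation/,
  /@react-native-community\/geolocation/,
  /react-native-geolocation-service/,
  /\bgetCurrentPosition\s*\(/,
  /\bwatchPosition\s*\(/,
];

// A latitude/longitude identifier compared against a numeric literal: the
// shape of a hard-coded bounding box (a geofence), as opposed to merely
// rendering a map or storing coordinates.
const GEOFENCE_COMPARISON =
  /\b(?:coords\.)?(?:latitude|longitude|lat|lng|lon)\b\s*(?:[<>]=?|[!=]==?)\s*-?\d+(?:\.\d+)?/g;

// Return the source text of every pattern that fires on `source`.
function findMatches(source, patterns) {
  return patterns.filter((re) => re.test(source)).map((re) => re.source);
}

// Analyze one JS bundle and classify it. Heuristic: CodePush alone is common
// and legitimate; CodePush plus location-gated branching is what deserves a
// human look.
function analyzeBundle(bundleSource) {
  const codePush = findMatches(bundleSource, CODEPUSH_PATTERNS);
  const geolocation = findMatches(bundleSource, GEOLOCATION_PATTERNS);
  const geofenceComparisons = bundleSource.match(GEOFENCE_COMPARISON) || [];
  const locationGated = geolocation.length > 0 && geofenceComparisons.length > 0;

  let verdict = "no-indicators";
  if (codePush.length > 0 && locationGated) {
    verdict = "review: remote-updatable and location-gated";
  } else if (codePush.length > 0) {
    verdict = "note: remote-updatable (CodePush)";
  } else if (locationGated) {
    verdict = "note: location-gated logic";
  }
  return { codePush, geolocation, geofenceComparisons, locationGated, verdict };
}

// Extract the CodePush deployment key from Info.plist text, or null if absent.
// A key here means the reviewed binary can replace its JS after approval.
function codePushKeyFromPlist(plistXml) {
  const m = plistXml.match(
    /<key>CodePushDeploymentKey<\/key>\s*<string>([^<]*)<\/string>/
  );
  return m ? m[1].trim() : null;
}

// Constructed sample inputs (not taken from any real app).
const SAMPLE_BUNDLE = [
  'var codePush=require("react-native-code-push");',
  'var Geolocation=require("@react-native-community/geolocation");',
  'function boot(){codePush.sync({installMode:codePush.InstallMode.IMMEDIATE});',
  'Geolocation.getCurrentPosition(function(p){var lat=p.coords.latitude,lon=p.coords.longitude;',
  'if(lat>10&&lat<20&&lon>-50&&lon<-40){showFullCatalog()}else{showPhotoManager()}})}',
].join("\n");

const CLEAN_BUNDLE =
  'var M=require("react-native-maps");function show(){renderMap({latitude:37.33,longitude:-122.03})}';

const SAMPLE_PLIST =
  "<plist><dict><key>CFBundleName</key><string>Photo Box Demo</string>" +
  "<key>CodePushDeploymentKey</key><string>EXAMPLE-DEPLOYMENT-KEY</string></dict></plist>";

// Usage: run the triage over the constructed samples.
console.log(analyzeBundle(SAMPLE_BUNDLE).verdict);   // review: remote-updatable and location-gated
console.log(analyzeBundle(CLEAN_BUNDLE).verdict);    // no-indicators
console.log(codePushKeyFromPlist(SAMPLE_PLIST));     // EXAMPLE-DEPLOYMENT-KEY
```

The verdict is deliberately only "review": plenty of honest apps ship CodePush and read location. The signal is the pair, plus a bundle whose visible behaviour branches on a hard-coded box, and the real check is to diff the bundle CodePush serves after launch against the one in the reviewed IPA.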
200+ apps per reviewer per 40h. So basically 5-10min apiece. Most of the 100K are crap or worse.
Why does Apple allow those fake games on the App Store?
It’s infuriating and gives Apple a really bad look.
Previously:
- Swapping App Data After Review
- The Top PDF Reader in the Mac App Store
- Most Fraudulent Apps Still on the App Store
- IAP Bait-And-Switch Apps
- The App Store Isn’t Catching the Most Egregious Scams
- Post-Approval App Review
- Uber Used Private API to Access iPhone Serial Number
>It’s infuriating and gives Apple a really bad look.
Good.
Allow sideloading!