An iOS app rating flaw lets developers create apps that cannot be opened until the user gives them a five-star review.
It’s the latest discovery by FlickType developer Kosta Eleftheriou, whose Twitter bio now describes him as “Professional AppStore critic.” Eleftheriou has indeed made a name for himself identifying high-profile scam apps that made it through app review, some of which have made millions of dollars for their developers …
He has even gone as far as filing a lawsuit against Apple, accusing the company of breaching its contract with developers by failing to properly police the store.
Eleftheriou spotted the latest flaw being exploited by the UPNP Xtreme app, posting a video demo to Twitter. As soon as you open the app, Apple’s review pop-up is triggered. However, the “Not now” button that would normally allow a user to dismiss the dialog appears non-functional (I assume it is simply relaunching the pop-up).
Not only that, but attempting to give the app anything less than five stars also prevents the user from dismissing the dialog. Only giving it a five-star review allows the app to be opened.
As with some of the earlier scam apps found by Eleftheriou, this is not an obscure one sitting in a dusty corner of the App Store.
This developer has more than 15M downloads and $MILLIONS in revenue.
Nor is the review pop-up a fake one, or dependent on some clever workaround.
This is the iOS system rating prompt, not a custom look-alike one.
The worst part? This trick is EXTREMELY easy for any developer to do, and not limited to this app.
Eleftheriou has previously pointed to the ease with which developers can buy fake reviews and ratings, but with this approach, a developer wouldn’t even need to pay for them.
A key element in Apple’s defense in the Epic Games case has been that its app review process keeps scam apps out of the store. Eleftheriou has persistently argued that this isn’t the case.
Apple also says they conduct a “robust” review process – yet this fraud takes place immediately upon launching the app. Even an automated check would have caught this! But with no competing app stores on iOS, Apple doesn’t care enough to improve their ways.
Apple would of course respond by saying that far more scam apps would make it into the App Store without the review process, recently noting that it stopped more than $1.5B in potentially fraudulent transactions last year. All the same, it’s certainly not a good look when an app like this can pass review.
Update: Some are questioning how Eleftheriou can be certain it’s the native dialog, and he has replied. We’ve also been able to verify it for ourselves.
The brilliant folks at @CorelliumHQ have an amazing product for doing iOS security research, but Apple doesn’t want you to know that.
You should all check it out. https://t.co/dAc7kwSq0b
— Kosta Eleftheriou (@keleftheriou) May 26, 2021
Guilherme Rambo discovered why it only works on some screen sizes.
It looks like the app is using the native review dialog, then observing windowDidBecomeVisible: for the container window that’s rendered in-process, and putting something on top of that to prevent interactions other than five-star reviews. pic.twitter.com/wV3SMXehLu
— Guilherme Rambo (@_inside) May 26, 2021
Source: 9to5mac.com