A new analysis from The Washington Post reveals how widespread fraud is across the Apple App Store, while also offering a glimpse of the revenue those scams generate for Cupertino.
Scam apps make up nearly 2% of the top-grossing apps in the Apple App Store.
The Apple App Store has come under heightened scrutiny for the tight grip Apple keeps on the apps available to iOS users. CEO Tim Cook says the company's exclusive control over app distribution is necessary to maintain standards for safety and effectiveness.
But the data from The Post suggests otherwise: of the top 1,000 grossing apps, almost 2% are scams. Those apps have billed Apple customers $48m while available in the store, and Apple takes a 30% cut of every transaction.
After The Post alerted Apple to 18 fraudulent apps it had found in the store, two-thirds of them were taken down, according to the report.
The Post built its analysis from Apple's own list of the day's top 1,000 grossing apps, drawing a dramatic contrast between the company's public statements and its own data. It found an assortment of scam apps covering everything from fake VPN services to fraudulent dating apps and more.
Fleeceware apps (which charge exorbitant subscription fees once a free trial period ends) and fake reviews used to inflate the ratings of fraudulent apps were also prevalent, according to the report.
"We hold developers to high standards to keep the App Store a safe and trusted place for customers to download software, and we will always take action against apps that pose a harm to users," Fred Sainz, a spokesperson for Apple, explained in a media statement.
"Apple leads the industry with practices that put the safety of our customers first, and we'll continue learning, evolving our practices and investing the necessary resources to make sure customers are presented with the very best experience."
Economist Stan Miles argued in The Post that customers are being given a false sense that they are in a secure environment when, in fact, they are not. Miles added that the lack of competition is the reason Apple is not being forced to take security as seriously as it needs to.
Interestingly, Google does not rely on a security argument to control app access (although it does screen apps before they are published), yet The Post's analysis found 134 fleeceware apps on the App Store and just 70 on the Play Store, earning $365m and $38.5m respectively, lending credence to the idea that a false sense of security really is worse than nothing at all.
Epic Apple Emails
Unwilling to keep giving up 30% of its revenue to the App Store, Epic Games, publisher of the blockbuster game Fortnite, recently took Apple to court in California, arguing that the store is a monopoly the courts should break up.
Besides getting Apple's top leadership on the record about their business, the trial also surfaced a trove of emails showing internal company struggles, dating back years, over a lack of App Store security.
For example, Eric Friedman, head of Apple's Fraud Engineering Algorithms and Risk unit (FEAR), wrote in a 2016 email that Apple's screening process for apps is "more like the pretty lady who greets you with a lei at the Hawaiian airport than the drug-sniffing dog," The Post reported.
Even Apple’s head of software engineering, Craig Federighi, ultimately testified in court last week that the level of malware on the Mac platform is “unacceptable.”
Apple’s App Store PR
On April 21, Apple’s Chief Compliance Officer testified in front of the US Congress about the number of scam apps in the App Store. “Unfortunately, no one is perfect,” Kyle Andeer observed.
"But I think what we have shown, over and over again, is that we do a better job than others. I think one of the real risks of opening up the iPhone to side loading or third-party app stores is that this problem will only multiply," Andeer said, a claim that again sits in dramatic contrast to what The Post found in Apple's own data.
Apple has dealt with a series of security woes lately. The company's Find My feature was recently found to be abusable for data exfiltration. In March, Apple rushed out a fix for a memory-corruption bug. The same month, cyber-criminals targeted Apple developers with a trojanised Xcode project that installed a backdoor for spying and data exfiltration.
Epic Games has also sued Google over the Play Store, seeking to avoid the 30% fees both platforms charge. The Apple case is now with the judge, and both parties are awaiting a ruling.
Circle of Trust
"Unfortunately, just by association, malevolent application developers on the App Store have extended Apple's circle of trust to apply to their apps quite easily," Setu Kulkarni of WhiteHat Security explained.
"Consequently, when an app is on the App Store, the silent majority of everyday users just click and install without ever worrying about the provenance of the application.
Why not? They've chosen to pay the high price of entry into the Apple ecosystem, which touts privacy and security as some of its key benefits and differentiators."
Protect its Customers
Considering Apple's size, reputation and resources, the company certainly could be doing more to protect its customers from malicious apps, he added.
"While security professionals will continue to raise and spread awareness around digital safety, it is really Apple who has the proverbial megaphone to raise awareness amongst its customer base and also to ultimately ensure that the App Store does not become a vehicle for perpetrating fraud and scams," Kulkarni concluded.