A deceitful ‘Doctor’ in the Mac App Store

Patrick Wardle, Objective-See:

You probably trust applications in the Official Mac App Store. And why wouldn’t you?

Yup.

However, it’s questionable whether these statements actually hold true, as one of the top grossing applications in the Mac App Store surreptitiously exfiltrates highly sensitive user information to a (Chinese?) developer. Though Apple was contacted a month ago, and promised to investigate, the application remains available in the Mac App Store even today.

Read the post for all the details (good work from Patrick Wardle and Twitter user @privacyis1st), but here’s a good summary from John Gruber, in a Daring Fireball post called “The Curious Case of Adware Doctor and the Mac App Store”:

What a bizarre story this is. Adware Doctor was a $4.99 app in the Mac App Store from a developer supposedly named Yongming Zhang. The app purported to protect your browser from adware by removing browser extensions, cookies, and caches. It was a surprisingly popular app, ranking first in the Utilities category and fourth overall among paid apps, alongside stalwarts like Logic Pro X and Final Cut Pro X.

Turns out, among other things, Adware Doctor was collecting your web browser history from Chrome, Firefox, and Safari, and uploading them to a server in China. Whatever the intention of this was, it’s a privacy debacle, obviously. This behavior was first discovered by someone who goes by the Twitter handle Privacy 1st, and reported to Apple on August 12. Early today, security researcher Patrick Wardle published a detailed technical analysis of the app. Wired, TechCrunch, and other publications jumped on the story, and by 9 am PT, Apple had pulled the app from the App Store.

So the issue was reported on August 12th but not taken down until 26 days later, on September 7th.

But wait, there’s more.

Guilherme Rambo, in a 9to5Mac post titled “Additional Mac App Store apps caught stealing and uploading browser history”:

When you give an app access to your home directory on macOS, even if it’s an app from the Mac App Store, you should think twice about doing it. It looks like we’re seeing a trend of Mac App Store apps that convince users to give them access to their home directory with some promise such as virus scanning or cleaning up caches, when the true reason behind it is to gather user data – especially browsing history – and upload it to their analytics servers.

Today, we’re talking specifically about the apps distributed by a developer who claims to be “Trend Micro, Inc.”, which include Dr. Unarchiver, Dr. Cleaner and others.

These apps have been removed from the Mac App Store.

This raises some serious issues. Is this the tip of the iceberg? Are there other apps in the Mac App Store that do the same thing, but are not yet discovered? Is this just one technique of many? And what about the iOS App Store?

I am very reluctant to run any app on my Mac unless I either know and trust the developer or the app comes from the Mac App Store. The Mac App Store is a trusted source. If that trust is broken, either on the Mac or iOS, that’s a real problem for Apple.

I’m hoping we see some formal response from Apple, with some sense that they are aware of the issues involved and have new steps in place to root out existing apps that use this “give us access to your Home directory” (or similar) approach, steps that will prevent this issue from recurring.