Claud Xiao, writing for Palo Alto Networks:
Apple’s official iOS App Store is well known for its strict code review of any app submitted by a developer. This mandatory policy has become one of the most important mechanisms in the iOS security ecosystem to ensure the privacy and security of iOS users. But we recently identified an app that demonstrated new ways of successfully evading Apple’s code review. This post discusses our findings and potential security risks to iOS device users.
The app we identified is named “开心日常英语 (Happy Daily English),” and it has since been removed by Apple from the App Store. This app was a complex, fully functional third party App Store client for iOS users in mainland China. We also discovered enterprise signed versions of this application elsewhere in the wild. We had not identified any malicious functionality in this app, and as such we classified it as Riskware and have named it ZergHelper.
Dave Verwer, who linked to this post in his latest edition of iOS Dev Weekly, wrote this:
Claud Xiao wrote about an app released late last year which presented one of two sets of functionality based on your location. When launched outside China it showed a fully featured app to help you learn English, but inside China it showed an App Store style app that (ab)used enterprise certificates to install pirated apps.
App Store review is (and always has been) fundamentally flawed in this respect and there’s no easy solution. This time it was the user’s location that was used as the gate to the alternative functionality, but it could have used any number of other checks to appear well behaved during the review process. Unfortunately the way that app review currently works makes situations like this almost impossible to prevent. Even if it were possible, these kinds of gates are used by all sorts of apps for completely innocuous, or even user beneficial reasons as well. Trying to shut this kind of hole down isn’t the answer.
I get the sense that this is, at least in part, Apple being a victim of its own success (a success that continues to expand as Apple moves into China, India, etc.) The App Store is beyond huge and, perhaps, beyond manageable using Apple’s existing mechanisms.