Apple continues to publicize the extensive measures it takes to secure apps and the App Store. It has an army of human reviewers and a set of automated tools to inspect submitted applications. However, some developers still manage to get malicious apps past inspection. Here are some of the techniques they use, and what Apple could do to stop them.
Apple uses comprehensive security measures to protect its apps from malware and tampering. Users can only download iOS and iPadOS apps from the App Store, and every submission first undergoes a thorough review. This effort combines automated systems and human reviewers to maintain high security standards. The company's app review team consists of more than 500 experts who evaluate approximately 132,500 submitted apps every week, using a variety of tools to detect potential fraud and privacy violations. Despite these efforts, some malicious applications still slip through the cracks.
Earlier this summer, 9to5Mac reported on a pirated streaming app disguised as a photo management tool that managed to bypass Apple's App Store review team by using location-based features to hide its true purpose.
A product called "Collect Cards: StoreBox" was on the App Store for more than a year and eventually became the second most downloaded free application in Brazil before it was removed. The app presented a simple interface to Apple reviewers in the US while offering pirated content from Netflix, Disney+, Amazon Prime Video, HBO Max and even Apple TV+ in other regions. Because all streaming-related features were hidden from U.S. users, Apple employees only ever saw a stripped-down version focused on photos and videos.
Despite all the precautions and screening measures in place, Apple continues to engage in a constant game of cat and mouse, trying to identify and thwart developers' deceptive tactics before putting their apps on the store. It's not hard to imagine that Google faces a similar problem, as it purges hundreds of bad apps from Google Play every year.
That said, Apple does block a great deal of fraudulent activity. Last year, Apple blocked more than 153 million fraudulent customer account creations and terminated nearly 374,000 developer accounts for fraud and abuse. Apple also said that in the past 12 months it identified and blocked more than 47,000 illegitimate apps on pirate storefronts from reaching users. Unfortunately, bad actors continue to refine their methods, trying to circumvent Apple's protections with deception tactics and hidden features.
Another case of location-based evasion occurred in 2017, when Uber was accused of setting up a "geofence" around Apple's Cupertino headquarters. For anyone using the app within that zone, including Apple's review team, the app automatically disabled the code Uber used to fingerprint devices and track users.
Beyond location-based gating, there are many more methods that unscrupulous developers can exploit. They all take advantage of the same limitation of Apple's review process: reviewers cannot thoroughly test an app from many different locations or observe it over long periods of time.
One strategy is to use React Native together with Microsoft's CodePush SDK, which lets developers update the JavaScript portion of an app after approval without submitting a new build. Another is to delay geolocation API calls by a few seconds so that the gated behavior never appears during a short automated review run.
Some developers ship only basic, compliant functionality for the review and then use CodePush to push hidden or malicious functionality afterwards. Others publish multiple applications with a shared code base through different developer accounts, which makes tracking down and removing every instance more complex.
In more deceptive cases, apps pretend to be innocent software but turn into something completely different once approved. It's almost impossible to stop developers from pulling these tricks.
However, Apple could improve its app submission process. For example, the review team can implement additional tests to check how the software behaves elsewhere. Apple could also be more proactive in identifying and removing fraud from the App Store, rather than passively accepting guidance from security researchers.
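To make the gating techniques concrete, and to show what the "test how the software behaves elsewhere" proposal above would look like in practice, here is an added example. It is not code from the article, from Apple, from Uber or from the StoreBox app; the geofence coordinates, the region check, the 30-second delay and the feature names are all assumptions chosen for illustration. The first half models an app that hides features from anyone inside a geofence, inside a given region, or during the first seconds after launch (the Uber, StoreBox and delayed-call tricks described above); the second half is a reviewer-side differential probe that runs the same feature selection under several simulated locations and uptimes and reports any features that appear only away from the review desk.

```javascript
// Added example (not from the article or any of the apps it mentions).
// Coordinates, radius, region code, delay and feature names are assumptions.

const EARTH_RADIUS_KM = 6371;

// Great-circle distance between two {lat, lon} points (haversine formula).
function haversineKm(a, b) {
  const toRad = (deg) => (deg * Math.PI) / 180;
  const dLat = toRad(b.lat - a.lat);
  const dLon = toRad(b.lon - a.lon);
  const lat1 = toRad(a.lat);
  const lat2 = toRad(b.lat);
  const h =
    Math.sin(dLat / 2) ** 2 +
    Math.cos(lat1) * Math.cos(lat2) * Math.sin(dLon / 2) ** 2;
  return 2 * EARTH_RADIUS_KM * Math.asin(Math.sqrt(h));
}

function insideGeofence(point, fence) {
  return haversineKm(point, fence.center) <= fence.radiusKm;
}

// Hypothetical fence around the review team's location (assumed coordinates
// near Cupertino, CA). The evasive app treats anything inside it as a reviewer.
const REVIEWER_FENCE = { center: { lat: 37.3349, lon: -122.009 }, radiusKm: 25 };
// Region in which the app also shows only the benign feature set.
const REVIEWER_REGION = 'US';
// Seconds after launch before the hidden features are unlocked, so that a
// short automated run never sees them.
const UNLOCK_DELAY_S = 30;

// Feature set an evasive app exposes for a given runtime context. This is the
// pattern the article describes: benign features only for reviewers (inside
// the fence or inside the review region) and during the first seconds after
// launch; the full feature set everywhere else.
function evasiveFeatureSet(ctx) {
  const benign = ['photo_library', 'album_share'];
  const hidden = ['stream_catalog', 'video_player'];
  if (ctx.region === REVIEWER_REGION) return benign;
  if (ctx.location && insideGeofence(ctx.location, REVIEWER_FENCE)) return benign;
  if (ctx.secondsSinceLaunch < UNLOCK_DELAY_S) return benign;
  return benign.concat(hidden);
}

// Reviewer-side differential probe: evaluate the app's feature selection
// under several simulated contexts and report anything that shows up only
// away from the baseline (the reviewer's own vantage point, contexts[0]).
function probeForHiddenFeatures(featureSetFn, contexts) {
  const baseline = featureSetFn(contexts[0]);
  const findings = [];
  for (const ctx of contexts.slice(1)) {
    const observed = featureSetFn(ctx);
    const extra = observed.filter((f) => !baseline.includes(f));
    if (extra.length) findings.push({ label: ctx.label, extraFeatures: extra });
  }
  return { baseline, findings, consistent: findings.length === 0 };
}

// Constructed probe matrix: the review desk first, then the "elsewhere" and
// "later" cases that a single short review session never exercises.
const PROBE_CONTEXTS = [
  { label: 'review desk (Cupertino, US, fresh launch)',
    region: 'US', location: { lat: 37.33, lon: -122.03 }, secondsSinceLaunch: 5 },
  { label: 'Cupertino, US, after 10 min',
    region: 'US', location: { lat: 37.33, lon: -122.03 }, secondsSinceLaunch: 600 },
  { label: 'Sao Paulo, BR, fresh launch',
    region: 'BR', location: { lat: -23.55, lon: -46.63 }, secondsSinceLaunch: 5 },
  { label: 'Sao Paulo, BR, after 10 min',
    region: 'BR', location: { lat: -23.55, lon: -46.63 }, secondsSinceLaunch: 600 },
];

function runProbe() {
  return probeForHiddenFeatures(evasiveFeatureSet, PROBE_CONTEXTS);
}

console.log(JSON.stringify(runProbe(), null, 2));
```

Only the last context, outside the fence, outside the review region and past the unlock delay, reveals the streaming features. That is the point of the probe: a single check from the review desk is consistent with the benign baseline by construction, so a test matrix has to vary location, region and elapsed time together, and any feature that appears only in the off-desk cells is the signal worth escalating to a human reviewer.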