Trick with geodata: How to turn an iOS app into a pirate tool by injecting code
Apparently, harmless-looking iPhone apps have repeatedly loaded code after installation that enables illegal activities, tricking Apple's app review team.
In recent months, iPhone apps for streaming piracy have been distributed several times via Apple's App Store. The piracy functions appear to have been loaded at runtime into apps that initially look harmless, using a technique that is generally permitted but open to abuse.
Harmless app delivers stolen streams
The most recent known app of this kind went by the name "Collect Cards", and it even made it to the top of the free-app rankings in several countries. As 9to5Mac found, it was built with React Native, a JavaScript-based cross-platform framework. With Microsoft's CodePush SDK, the JavaScript part of such an app can be updated over the air without submitting a new build to App Store review.
CodePush itself is not prohibited by Apple's App Review Guidelines. The developers additionally made use of geodata: the approximate location derived from the user's IP address is checked so that the piracy module is not loaded on devices near Apple's headquarters. In this way, "Collect Cards", a harmless card-collecting app, was turned into a service that streamed series, films and more from well-known streaming providers to its users through a hidden interface.
Geofencing against Cupertino
The geofencing trick is not new: ride-hailing company Uber is said to have used the same approach years ago, deactivating problematic tracking functions in Cupertino. Apple's review team is comparatively small: figures from 2021 show a team of roughly 500 people examining up to 100,000 apps per week, so much of the review is automated. At least in theory, CodePush could also be used to deliver malware operating within the app's sandbox, or fraudulent offers. 9to5Mac found an entire GitHub repository containing code from several pirate streaming apps.
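The two ingredients described above (an over-the-air JavaScript update and an IP-geolocation gate that hides the extra module near Apple's headquarters) can be modelled in a few lines, together with the check a reviewer would want: fetch the app's screens from several vantage points and flag anything that is absent at the review location. The following is an added example written for this page, not code from "Collect Cards", 9to5Mac or the CodePush SDK. All function names are hypothetical, no real CodePush API is called, and the IP-to-location table is constructed from documentation address ranges rather than real geolocation data.

```javascript
// Added example: model of geofence-gated feature loading and a
// reviewer-side differential check. Names are hypothetical; the
// geolocation table below is constructed, not real data.

// Great-circle (haversine) distance in km between two lat/lon points.
function distanceKm(a, b) {
  const R = 6371;
  const toRad = (d) => (d * Math.PI) / 180;
  const dLat = toRad(b.lat - a.lat);
  const dLon = toRad(b.lon - a.lon);
  const h =
    Math.sin(dLat / 2) ** 2 +
    Math.cos(toRad(a.lat)) * Math.cos(toRad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * R * Math.asin(Math.sqrt(h));
}

// Constructed stand-in for an IP geolocation service (TEST-NET addresses).
const GEO_TABLE = {
  "192.0.2.1":    { lat: 37.3349, lon: -122.009 }, // near Apple's Cupertino campus
  "198.51.100.1": { lat: -23.5505, lon: -46.6333 }, // São Paulo
  "203.0.113.9":  { lat: 52.52, lon: 13.405 },      // Berlin
};
const CUPERTINO = { lat: 37.3349, lon: -122.009 };

// The gate as the article describes it: do not load the hidden module
// when the client's IP geolocates within radiusKm of Apple's headquarters,
// and stay "harmless" when the location is unknown.
function shouldLoadHiddenModule(clientIp, radiusKm = 50) {
  const loc = GEO_TABLE[clientIp];
  if (!loc) return false;
  return distanceKm(loc, CUPERTINO) > radiusKm;
}

// Model of the over-the-air bundle: the visible card-collecting screens,
// plus the hidden streaming interface only when the gate allows it.
function buildBundle(clientIp) {
  const screens = ["Collection", "Trade", "Settings"];
  if (shouldLoadHiddenModule(clientIp)) screens.push("Streams");
  return screens;
}

// Reviewer-side differential check: the screens seen from the review
// location are the baseline; any screen that appears only from other
// vantage points is reported as hidden.
function findHiddenScreens(reviewIp, otherIps) {
  const baseline = new Set(buildBundle(reviewIp));
  const hidden = new Set();
  for (const ip of otherIps) {
    for (const screen of buildBundle(ip)) {
      if (!baseline.has(screen)) hidden.add(screen);
    }
  }
  return [...hidden].sort();
}

// Usage: review from Cupertino, compare against two other locations.
console.log(
  "hidden screens:",
  findHiddenScreens("192.0.2.1", ["198.51.100.1", "203.0.113.9"])
);
```

The point of the differential check is that a gate of this kind is invisible to any single review session: reviewed from one location, the app simply is what it claims to be. Only by fetching the same over-the-air bundle from several vantage points (or by comparing the downloaded JavaScript bundle against the one shipped in the reviewed build) does the conditional module show up.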
"Collect Cards" is said to have offered content from Amazon Prime Video, Disney+, Netflix, HBO Max and even Apple TV+. Initially, the pirate content appeared to be activated only in Brazil; other countries were added later.
(bsc)