Apple downplays complaints about App Store scams in antitrust hearing

Apple was questioned on its inability to rein in subscription scammers on its App Store during yesterday’s Senate antitrust hearing. The tech giant has argued that one of the reasons it requires developers to pay App Store commissions is to help Apple fight marketplace fraud and protect consumers. But developers claim Apple is doing very little to stop obvious scams that are now raking in millions and impacting consumer trust in the overall subscription economy, as well as in their own legitimate, subscription-based businesses.

One developer in particular, Kosta Eleftheriou, has made it his mission to highlight some of the most egregious scams on the App Store. Functioning as a one-man bunco squad, Eleftheriou regularly tweets out examples of apps that are leveraging fake reviews to promote their harmful businesses.

Some of the more notable scams he’s uncovered as of late include a crypto wallet app that scammed a user out of his life savings (~$600,000) in bitcoin; a kids game that actually contained a hidden online casino; and a VPN app scamming users out of $5 million per year. And, of course, there’s the scam that lit the fire in the first place: a competitor to Eleftheriou’s own Apple Watch app that he alleges scammed users out of $2 million per year, after stealing his marketing materials, cloning his app, and buying fake reviews to make the scammer’s look like the better choice.

Eleftheriou’s tweets have caught the attention of the larger app developer community, who now email him other examples of scams they’ve uncovered. Eleftheriou more recently took his crusade a step further by filing a lawsuit against Apple over the revenue he’s lost to App Store scammers.

Though Eleftheriou wasn’t name-checked in yesterday’s antitrust hearing, his work certainly was.

In a line of questioning from Georgia’s Senator Jon Ossoff, Apple’s Chief Compliance Officer Kyle Andeer was asked why Apple was not able to locate scams, given that these fraudulent apps are, as Ossoff put it, “trivially easy to identify as scams.”

He asked why we have to rely upon “open source reporting and journalists” to find the app scams — a reference that likely, at least in part, referred to Eleftheriou’s recent activities.

Eleftheriou himself has said there’s not much to his efforts. You simply find the apps generating the most revenue and then check them for suspicious user reviews and high subscription prices. When you find both, you’ve probably uncovered a scam.

Andeer demurred, responding to Ossoff’s questions by saying that Apple has invested “tens of millions, hundreds of millions of dollars” in hardening and improving the security of its App Store.

“Unfortunately, security and fraud is a cat and mouse game. Any retailer will tell you that. And so we’re constantly working to improve,” Andeer said. He also claimed Apple was investing in more resources and technologies to catch wrongdoers, and noted that the App Store rejected thousands of apps every year for posing a risk to consumers.

The exec then warned that if Apple wasn’t the intermediary, the problem would be even worse.

“…No one is perfect, but I think what we’ve shown over and over again that we do a better job than others. I think the real risks of opening up the iPhone to sideloading or third-party app stores is that this problem will only multiply. If we look at other app stores out there, we look at other distribution platforms, it scares us.”

Ossoff pressed on, noting the sideloading questions could wait, and inquired again about the scam apps.

“Apple is making a cut on those abusive billing practices, are you not?” he asked.

Andeer said he didn’t believe that was the case.

“If we find fraud — if we find a problem, we’re able to rectify that very quickly. And we do each and every day,” he said.

But to what extent Apple was profiting from the App Store scams was less clear. Ossoff wanted to know if Apple refunded “all” of its revenues derived from the scam billing practices — in other words, if every customer who ever subscribed got their money back when a scam was identified.

Andeer’s answer was a little vague, however, as it could be interpreted to mean Apple refunds customers who report the scam or file a complaint — procedures it already has in place today. Instead of saying that Apple refunds “all customers” when scams are identified, he carefully worded his response to say Apple worked to make sure “the customer” is made whole.

“Senator, that’s my understanding. There’s obviously a dedicated team here at Apple who works this each and every day. But my understanding is that we work hard to make sure the customer is in a whole position. That’s our focus at the end of the day. If we lose the trust of our customers, that’s going to hurt us,” he said.

For what it’s worth, Eleftheriou wasn’t buying it.

“Apple’s non-answers to Senator Ossoff’s great questions in yesterday’s hearing should anger all of us. They did not offer any explanation for why it’s so easy for people like me to keep finding multi-million-dollar scams that have been going on unchecked on the App Store for years. They also gave no clear answer to whether they’re responsible for fraudulent activity in their store,” he told TechCrunch.

“Apple appears to profit from these scams, instead of refunding all associated revenues back to affected users when they belatedly take some of these down. We’ve been letting Apple grade their own homework for over a decade. I urge the committee to get to the bottom of these questions, including Apple’s baffling decision years ago to remove the ability for users to flag suspicious apps on the App Store,” Eleftheriou added.

Apple did not provide a comment.

Apple and Google pressed in antitrust hearing on whether app stores share data with product development teams

In today’s antitrust hearing in the U.S. Senate, Apple and Google representatives were questioned on whether they have a “strict firewall” or other internal policies in place that prevent them from leveraging the data from third-party businesses operating on their app stores to inform the development of their own competitive products. Apple, in particular, was called out for the practice of copying other apps by Senator Richard Blumenthal (D-CT), who said the practice had become so common that it earned a nickname with Apple’s developer community: “sherlocking.”

Sherlock, which has its own Wikipedia entry under software, comes from Apple’s search tool in the early 2000s called Sherlock. A third-party developer, Karelia Software, created an alternative tool called Watson. Following the success of Karelia’s product, Apple added Watson’s same functionality into its own search tool, and Watson was effectively put out of business. The nickname “Sherlock” later became shorthand for any time Apple copies an idea from a third-party developer that threatens or even destroys their business.

Over the years, developers have claimed Apple has “sherlocked” a number of apps, including Konfabulator (desktop widgets), iPodderX (podcast manager), Sandvox (app for building websites), Growl (a notification system for Mac OS X), and in more recent years, F.lux (blue light reduction tool for screens), Duet and Luna (apps that make iPad a secondary display), as well as various screen time management tools. Now Tile claims Apple has also unfairly entered its market with AirTag.

During his questioning, Blumenthal asked Apple and Google’s representatives at the hearing — Mr. Kyle Andeer, Apple’s Chief Compliance Officer and Mr. Wilson White, Google’s Senior Director Public Policy & Government Relations, respectively — if they employed any sort of “firewall” in between their app stores and their business strategy.

Andeer somewhat dodged the question, saying, “Senator, if I understand the question correctly, we have separate teams that manage the App Store and that are engaged in product development strategy here at Apple.”

Blumenthal then clarified what he meant by “firewall.” He explained that it doesn’t mean whether or not there are separate teams in place, but whether there’s an internal prohibition on sharing data between the App Store and the people who run Apple’s other businesses.

Andeer then answered, “Senator, we have controls in place.”

He went on to note that over the past twelve years, Apple has only introduced “a handful of applications and services,” and in every instance, there are “dozens of alternatives” on the App Store. And, sometimes, the alternatives are more popular than Apple’s own product, he noted.

“We don’t copy. We don’t kill. What we do is offer up a new choice and a new innovation,” Andeer stated.

His argument may hold true when there are strong rivalries, like Spotify versus Apple Music, or Netflix versus Apple TV+, or Kindle versus Apple Books. But it’s harder to stretch it to areas where Apple makes smaller enhancements — like when Apple introduced Sidecar, a feature that allowed users to make their iPad a secondary display. Sidecar ended the need for a third-party app, after apps like Duet and Luna first proved the market.

Another example was when Apple built screen time controls into its iOS software, but didn’t provide the makers of third-party screen time apps with an API so consumers could use their preferred apps to configure Apple’s Screen Time settings via the third-party’s specialized interface or take advantage of other unique features.

Blumenthal said he interpreted Andeer’s response on whether Apple has a “data firewall” as a “no.”

Posed the same question, Google’s representative, Mr. White said his understanding was that Google had “data access controls in place that govern how data from our third-party services are used.”

Blumenthal pressed him to clarify whether this was a “firewall,” again defining the term: “do you have a prohibition against access?”

“We have a prohibition against using our third-party services to compete directly with our first-party services,” Mr. White said, adding that Google has “internal policies that govern that.”

The Senator said he would follow up on this matter with written questions, as his time expired.

A bug in a popular iPhone app exposed thousands of call recordings

A security vulnerability in a popular iPhone call recording app exposed thousands of users’ recorded conversations.

The flaw was discovered by Anand Prakash, a security researcher and founder of PingSafe AI, who found that the aptly named Call Recorder app allowed anyone to access the call recordings from other users — by knowing their phone number.

But using a readily available proxy tool like Burp Suite, Prakash could view and modify the network traffic going in and out of the app. That meant he could replace his phone number registered with the app with the phone number of another app user, and access their recordings on his phone.
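The flaw described above is an authorization bug: the server looks up recordings by whatever phone number the client sends, rather than by the identity it has already authenticated. The following is an added, constructed example (not the Call Recorder app’s code, whose backend is not on the page) showing that vulnerable pattern beside the hardened form, which takes the owner from the server-side session and rejects, rather than silently ignores, a mismatched client-supplied number. All data, tokens and function names are assumptions for illustration.

```python
"""Constructed example: a recordings endpoint that trusts a client-supplied
phone number (the flaw described above) beside a fixed version that derives
the owner from the authenticated session instead."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample data: recordings keyed by the owner's phone number.
RECORDINGS = {
    "+15550001111": ["rec-a1.m4a", "rec-a2.m4a"],
    "+15550002222": ["rec-b1.m4a"],
}

# Constructed session store: bearer token -> phone number verified at sign-up.
SESSIONS = {"token-alice": "+15550001111", "token-bob": "+15550002222"}


@dataclass
class Request:
    token: str             # proves who the caller is (server-issued)
    phone: Optional[str]   # phone number the client *claims*; attacker-controlled


class AuthError(Exception):
    pass


def list_recordings_vulnerable(req: Request) -> List[str]:
    # Confirms the caller is logged in, then uses the client-supplied phone
    # number as the lookup key. Editing that field in an intercepting proxy
    # is enough to read another user's recordings.
    if req.token not in SESSIONS:
        raise AuthError("not authenticated")
    return RECORDINGS.get(req.phone, [])


def list_recordings_fixed(req: Request) -> List[str]:
    # The owner comes from the server-side session, never from the request.
    # A client-supplied number that does not match is rejected rather than
    # ignored, so tampering attempts surface as errors in the server logs.
    owner = SESSIONS.get(req.token)
    if owner is None:
        raise AuthError("not authenticated")
    if req.phone is not None and req.phone != owner:
        raise AuthError("phone number does not match authenticated user")
    return RECORDINGS.get(owner, [])
```

The same principle applies to the storage layer: if the bucket key for a recording is derived from a client-supplied identifier, the object store inherits the bug, so object access should be brokered through the same session-bound check.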

TechCrunch verified Prakash’s findings using a spare phone with a dedicated account.

The app stores its users’ call recordings in a cloud storage bucket hosted on Amazon Web Services. Although the bucket was public and listed the files inside, the files themselves could not be accessed or downloaded. The bucket was closed by press time.

At the time of writing, the cloud storage bucket had more than 130,000 audio recordings, amounting to some 300 gigabytes. The app says it has more than 1 million downloads to date.

TechCrunch contacted the app developer and held this story until the flaw was fixed. A new version of the app was submitted to Apple’s app store on Saturday. The release notes said the app update was to “patch a security report.”

Despite a brief response to our initial email acknowledging the security issue, the app developer Arun Nair has not returned several requests for comment.
