
Beware, iPhone Users: Fake Retail Apps Are Surging Before Holidays - gnicholas
http://www.nytimes.com/2016/11/07/technology/more-iphone-fake-retail-apps-before-holidays.html
======
Cagrosso
Funny, Apple made a fuss earlier this year that they were cracking down on "My
First App" type applications, but they let shoddy, fraudulent, poorly
translated applications through no problem...

~~~
enjo
There are entire classes of applications that solve real problems that people
have. They are aimed at adults, which means they might show a bit of nudity.
Those applications are absolutely disallowed by the Apple nanny.

It pisses me off to no end that you can't build those applications, but this
stuff isn't caught by their filter.

~~~
jasoncchild
Please, how much legit productivity software comes bundled with "a bit of
nudity"?

~~~
calbear81
There are a whole class of applications that solve REAL problems that require
"a bit of nudity" that Apple disallows.

~~~
Infinitesimus
Mind giving us examples?

~~~
CaptSpify
Medical related apps for one.

~~~
jasoncchild
Thought they existed in the App Store. Either way, I'm still perplexed at what
"real problems" would be solved.

~~~
CaptSpify
Anatomy-learning apps. Medical diagnosis apps. Just because _you_ can't think
of a legit reason to use something doesn't mean it doesn't exist.

~~~
jasoncchild
My point is these apps exist already, in the App Store...

~~~
CaptSpify
Do they? Apparently I need iTunes to browse the app-store, so I can't check.
If so, then how do they get around the ban?

------
gnicholas
Having dealt with the iOS approval process several times, it is interesting to
see that the system has this weak spot. The approval process is known for its
stringency (especially compared to the Play Store), but clearly there are some
vulnerabilities lurking.

~~~
flashman
Well, there is an element of confirmation bias. We don't know whether the
successful apps represent one-hundredth or two-thirds of the submitted apps.
But earlier this year Apple did say it was trying to decrease approval
times,[1] maybe quality control took a hit.

[1] https://www.bloomberg.com/news/articles/2016-05-12/apple-shortens-app-review-times-in-push-to-boost-service-sales

------
threeseed
Pretty extraordinary that Apple is letting these through.

And some are blatantly flouting the rules e.g. putting Nike.com as their
support website.

~~~
ungzd
Common situation for any closed app store — Google Play has the same fraud
apps and most of Chrome App Store extensions are malware.

~~~
ferbivore
Neither of those has a review process, though. You just pay a few dollars and
can upload whatever you want. Apple's stores do, which is why seeing this many
fraud apps is surprising.

~~~
CameronBanga
Not true, every app on Google Play goes through review. I'm not sure about
Chrome store, but I presume it may also likely see review for every app.

~~~
weaksauce
Google Play does not review each app unless it's done after the fact. You pay
a fee and upload your binary and then it's available. My understanding is that
they have a permissive model that relies on users flagging the bad stuff and
then they pull it from the store after the fact.

------
mysterypie
What possible utility do people get by using a "retail app" rather than the
web? Wouldn't the store's website and/or normal shopping websites (Amazon,
etc.) have everything that the Foot Locker app has?

Have people been trained or deluded to "always get the app" when it's not
necessary?

~~~
chrisseaton
When I'm around my house rather than at my desk and I realise I need to buy
something I get my phone out and order it using the Amazon app.

For example I could be in the garage, out of engine oil, phone out, scan the
barcode on the old one using the camera, oil turns up on my doorstep first
thing the next morning, sometimes only ten hours later if I do it in time.
Takes literally ten seconds tops.

Not so strange is it? See how it saves time and hassle compared to the laptop?

Also some people use phones and iPads as their primary or only computer. I
would guess especially less wealthy or technically literate people. And the
apps are often much more accessible than the websites on those devices.

~~~
mysterypie
I noticed in your example about engine oil that you didn't download and
install the Pennzoil app or the Castrol app :-).

I get your point about the Amazon app if you use it all the time, you're
signed up for it, and the workflow in the app is seamless. But the Foot Locker
app? For a once a year purchase of tennis shoes?

I'm still thinking that people install these niche apps because they've been
indoctrinated into it. Like the way people type "ebay.com" into Google rather
than typing ebay.com into the address bar.

------
coldcode
For example do a search for 1010!, generally you will find dozens of identical
(maybe a slight different icon) apps all with a person's name as the company.
I think they are all the same codebase and run by some kind of white label
company. I have no idea how anyone makes money off of so many dupes.

------
0x0
Link only shows "Log in - New York Times" and a login form, flagged.

~~~
thecatspaw
shows up fine for me.

I use ublock origin and privacy badger, which is probably why

------
ungzd
> or even lock the phone until the user pays a ransom

How is it possible?

~~~
eric_h
Yeah, I'm disappointed that they dropped that line in there with zero
explanation.

My understanding is that this should be impossible, as it could likely only be
accomplished by calling private APIs. Calling a private API gets an app
submission rejected automatically (it's caught by a computer, not a human).

~~~
ksk
>Calling a private API gets an app submission rejected automatically (it's
caught by a computer, not a human).

It's rather arbitrary. In a lot of cases it doesn't, because the checker is
poorly coded. For example, if a selector name inside your OWN code clashes with
that of a private API (which is not published or even something you should
know), it causes the submission to fail. And then people just resubmit and it
gets magically approved. People have also reported that it is possible to
bypass the checker either using some dynamic runtime trick or figuring out a
way to silence private API calls when the app detects it's being looked at.
(Usual cat and mouse game.)

http://openradar.appspot.com/28252227

~~~
eric_h
Thanks, I didn't realize that it was relatively easy to bypass. I did know it
primarily relied on string matching, but always thought the solution was to
rename your methods when you hit a conflict with Apple's private APIs.

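The string-matching behaviour ksk and eric_h describe, modelled as an added Python example. This is not Apple's checker and not code posted by anyone in the thread; the denylisted selector names, the NUL-terminated "section" layout and the three sample binaries are constructed for illustration. It shows why a checker that compares selector strings against a private-API list rejects an honest app whose own method happens to share a name (fixed by renaming), while missing an app that stores the selector as fragments and assembles it at runtime, and how the next round of the cat-and-mouse game might catch that:

```python
"""Model of a string-matching private-API checker (illustration only).

Assumptions: selectors live as NUL-terminated C strings in a section like
__objc_methname, and the checker only compares those strings against a list.
The private selector names below are made up, not real iOS private APIs.
"""
import re

# Constructed stand-in for Apple's unpublished private-selector list.
PRIVATE_SELECTORS = frozenset({
    "_privateAlpha:",
    "_privateBeta",
    "_privateGamma:withOptions:",
})

# Anything that looks like an Objective-C selector, or a fragment of one.
_SELECTOR_RE = re.compile(rb"[A-Za-z_][A-Za-z0-9_:]*")


def build_methname(selectors):
    """Model an __objc_methname-style section: NUL-terminated strings."""
    return b"".join(s.encode() + b"\x00" for s in selectors)


def extract_strings(section: bytes):
    """Return every NUL-terminated, selector-shaped string in the section."""
    return [s.decode() for s in section.split(b"\x00")
            if s and _SELECTOR_RE.fullmatch(s)]


def string_match_check(section: bytes) -> set:
    """Naive check: flag strings that exactly equal a denylisted selector."""
    return set(extract_strings(section)) & PRIVATE_SELECTORS


def fragment_check(section: bytes, max_parts: int = 3) -> set:
    """One step further in the cat-and-mouse game: also flag a private
    selector that can be assembled from up to max_parts consecutive
    strings, which catches the simple split-and-concatenate evasion."""
    parts = extract_strings(section)
    hits = set()
    for i in range(len(parts)):
        joined = ""
        for j in range(i, min(i + max_parts, len(parts))):
            joined += parts[j]
            if joined in PRIVATE_SELECTORS:
                hits.add(joined)
    return hits


# Constructed sample "binaries":
# 1. An honest app whose own method is named _privateBeta (the clash ksk
#    describes). The string check rejects it although it calls nothing private.
HONEST_APP = build_methname(["viewDidLoad", "_privateBeta", "refreshCart"])

# 2. The same app after renaming the clashing method (eric_h's workaround).
RENAMED_APP = build_methname(["viewDidLoad", "refreshBetaState", "refreshCart"])

# 3. An app that really calls _privateAlpha: but keeps it as two fragments
#    and concatenates them before passing the result to NSSelectorFromString,
#    so the full selector string never appears in the binary.
EVASIVE_APP = build_methname(
    ["viewDidLoad", "_privateAl", "pha:", "NSSelectorFromString"])


if __name__ == "__main__":
    for name, blob in [("honest", HONEST_APP), ("renamed", RENAMED_APP),
                       ("evasive", EVASIVE_APP)]:
        print(f"{name:8s} string-match: {sorted(string_match_check(blob))}"
              f"  fragment-check: {sorted(fragment_check(blob))}")
```

The naive check flags the honest app and passes the evasive one; the fragment-joining variant reverses the second result but still rejects the honest app, so the false-positive problem is inherent to matching on names rather than on what the code actually resolves at runtime.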
------
Waterluvian
Wouldn't this be incredibly easy to discover? If number of published apps
divided by account age is greater than threshold, raise review red flag when
user attempts to publish new app.

~~~
ksk
Well you could just cheaply purchase tiny companies who wrote like one app in
2010 and never made any money on it.

