
I seriously don't understand how Apple's processes are allowing this to happen.

How is it that simultaneously, so many apps fail review for tiny details, showing that apps really are having manual review done on them...

...and yet all this spam is getting through?

Forget opinions about Apple or the App Store generally. I'm far more interested in what the actual process failure is here. Because this is really bad and it's precisely what the whole concept of the App Store is meant to guard against.

So what the heck is wrong with their processes? This is such an "own goal" I'm baffled. This is supposed to be a core competency of the App Store. There's no benefit to Apple allowing all these spam apps. So how the heck is a company as generally competent as Apple messing this up so bad?




> How is it that simultaneously, so many apps fail review for tiny details, showing that apps really are having manual review done on them...

> ...and yet all this spam is getting through?

It's important to understand that App Review is not consistently nitpicky but rather randomly nitpicky.

Every indie dev has stories of urgent bug fix updates getting rejected for stupid, unrelated, nitpicky reasons, things that had already been in the app for months or years. Yet every indie dev also has stories of major updates flying through review in minutes, so fast you know it's impossible that anyone looked carefully.

I do get the impression that they're doing random inspections.

"Every week, over 500 dedicated experts around the world review over 100K apps." https://www.apple.com/app-store/

Apple seems to be bragging about that, but if you estimate how much time is spent on each app, the numbers look pretty bad. If 500 reviewers spend full-time 40 hours every week doing nothing but reviewing apps — no breaks, no meetings, no training, no vacations, etc. — that leaves only 12 minutes per app, maximum. And they're reviewing not just the app but the App Store metadata: release notes, description, screenshots. They definitely do metadata rejections.


> I do get the impression that they're doing random inspections.

As someone who's been responsible for various iOS App Store submissions for closing in on a decade, the impression I get is that the variation is primarily due to inconsistencies in process between reviewers. The corners probed by one reviewer might go entirely ignored by another and what one reviewer finds perfectly fine constitutes a violation in the eyes of another.

The Play Store review process on the other hand comes off as feeling almost entirely automated barring a handful of exceptions, which works fine until some innocuous change in code or the automated review system trips something somewhere and your app listing is removed. Good luck getting in touch with a real person to fix it.


I mean there’s that too. Inconsistency and lack of resources are both present.


> bug fix updates getting rejected for stupid, unrelated, nitpicky reasons, things that had already been in the app for months or years

This reminds me of code review in general. Some reviewers have the etiquette of "if it was there already, then it's outside the scope of this review," and some don't.

Maybe a reviewer should have two responsibilities:

1. Review the proposed _change_ and verify that it meets all criteria and doesn't introduce defects.

2. Make note of any existing defects, which are then recorded.

Maybe an app developer can be required to resolve everything found in (2) before the _next_ review.

I've never released an app before.


> Some reviewers have the etiquette of "if it was there already, then it's outside the scope of this review," and some don't.

> Maybe a reviewer should have two responsibilities: [...]

For code review: you can make lots of different choices for responsibilities and still have a good code review process. It just needs to fit your goals and people in your organisation should be on the same page about it.

So for example for code review, I don't think the reviewer should try very hard to understand the change. Explaining the change so that it is easy to understand is one of the responsibilities of the author who proposes the change.

Similarly it's upon the author to demonstrate that the proposed change doesn't introduce any defects and to explain how it meets all criteria. It's not on the reviewer to go bug hunting.

That is so that the next guy who views the change in a few years in version control history to understand how the software developed (or how a bug was introduced) has a fighting chance to understand what happened from what was preserved in version control alone.


Code review is typically based on a premise that the person submitting the change is acting in good faith. This is the only reason it works, because otherwise it’s difficult to review them sufficiently. App review must consider developers to be potentially hostile.


> App review must consider developers to be potentially hostile.

And vice versa. ;-)


Generally I’d plead incompetence but if you’re trying to compete with Apple I’ll accept your point ;)


Whenever I get a comment about a pre-existing bug in a code review I make a ticket to fix it and thank them for pointing it out, but I never fix it in the PR. It gets too messy for the other reviewers and too confusing for QA when you end up with a bunch of unrelated fixes in one update.


1. Since most changes are compiled binaries, you would have to rely on the submitter to self-report what changed.


Things open source developers say because they don’t have experience with binary analysis. Not to say that Apple’s reviewers are going to be looking at IDA or Ghidra dumps, but they can see added capabilities, frameworks, symbols, or assembly and call graph changes.

Not that it matters, because they don’t have the time to manually review source code changes either. At best there’s likely some automated static analysis for undocumented API symbols and common malware signatures.


A larger issue is that to review these kinds of changes you need to have a baseline competency in understanding how code works, and that’s expensive to procure at the scale needed to do proper review.


A bad actor can just carefully exclude the reviewers from ever seeing those changes (and it's routinely done on a large scale).


> It's important to understand that App Review is not consistently nitpicky but rather randomly nitpicky.

This has been my experience as well. A long time ago, my company had an iOS communications app that we'd occasionally white-label for different clients (about 7, in total). The only changes to the apps were the color palette and the name/logo that appeared on the login page.

For whatever reason, we were never able to release the white label for the 4th client. All other versions sailed through review, with the occasional holdup because the terms of service web page linked in the app was part of a web site which, through its navigational elements, would allow one to sign up for our service online. This is against Apple terms if you don't also allow sign up in the app. We were usually able to get this resolved because it wasn't actually a sign-up form, but a form to request more information from our sales team.

For that 4th white label, that "sign-up page" became an issue we could never resolve. Our app was for enterprises, so a per-user purchase/sign-up in the app didn't make sense. We tried to move the terms of service and other required pages to their own web site with no links to anything on our company web page, but that was disallowed because it didn't link to our company web page. Apparently the only allowed solution was to remove the request info page from our corporate web site.

In the end, we simply resubmitted as a new app and it was approved without issue.


12 min per app should be plenty, but they should be rejecting a bunch of this garbage in about 20 seconds.


I feel I understand how this happened. I’ve gone through the process multiple times - smooth sailing for many apps to getting rejected for 4 months de facto (we’re rejecting you know we will be back in touch) only to be told, “you download YouTube videos” … for a text based app with no download features!

What I think is this: Apple is optimizing for a 24 hour turn around time. That means many systems do high level checks: entitlements, api calls, then simulator based testing. This means that if one targets specifically for simulator, there are certain ways around what is presented to AppStore, vs what is published. Further, there appears to be a check for similar references only in the target categories, or the terms placed in the App Review request. So gaming all of these features at once can lead to extremely smooth sailing by an organized effort.


> “you download YouTube videos” … for a text based app with no download features!

I've heard several stories of app reviewers opening and reviewing the wrong app, including entering the credentials for a demo account into some unrelated app or service. I imagine something like that could've happened to your review.


So Apple's app review process never made it out of internal beta. That explains a lot.


The problem is fundamentally that doing a thorough review of every app is unreasonably expensive and as a consequence, that will not happen.

You are then left with a trade off between false positives and false negatives. It is entirely possible to have both at once.

The real problem is that centralizing this process is in error. Because not all users are the same.

It makes sense to have a manual review process for e.g. games, where anybody can make a game but games are relatively expensive apps that can eat the cost of a manual review in exchange for the largely uninformed user being assured that the code is trustworthy. The review process could then e.g. exclude apps that screw with the operating system in order to implement some kind of shady DRM.

Some users are using their device in a professional context where lives are at stake if the device gets messed up and can justify an even more thorough review of anything that goes on the device.

Some apps don't require any meaningful permissions and if run in an appropriate sandbox should not require any review at all.

Some users are technically inclined and would like to run whatever code they want on their device, including code that modifies the operating system and code they wrote themselves.

There is no one size fits all. A system that pretends otherwise satisfies no one.


> The problem is fundamentally that doing a thorough review of every app is unreasonably expensive and as a consequence, that will not happen.

Well they do take a 30% cut. There's no way 500 reviewers cost more than a drop in that bucket.


500 reviewers is what they have now and it's not working.

That it's 30% is also the problem. 30% is plenty to review a paid app in the top 1% of downloads, but >94% of iOS apps are free. Not least because Apple takes 30%, which puts a lot of paid developers out of business. But 30% of nothing pays for nothing.


> Not least because Apple takes 30%, which puts a lot of paid developers out of business. But 30% of nothing pays for nothing.

They get a $100/year from every developer on top of cuts of all app revenue.

The issue isn't the lack of money, it's that Apple doesn't want to cut into their own margins with pesky things like quality control.


There was also a race to the bottom early on, and everyone expects all apps to be free or five bucks at most. This put a lot of developers off.


I've found that you get what you pay for in the App Store (although my experience describes the Play Store).

The first mobile app I ever installed in 2015 was for-pay. I believe it was actually $14.95. It was worth every penny, because I'd used that website every day for years already. I was extremely eager to get the mobile app. It was a serialized podcast of sorts, and so having the app meant that I would have offline access to the podcast at the times of day (multiple) when I needed to use it.

I've purchased probably 3 or 4 apps, average price $10. And I was always happy to pay for the ones where I did, especially a fitness app where I gained little functionality but was able to support an indie programmer who'd made a really great offline-capable app.

In a few cases, I downloaded some free games, which I made sure interoperated with iOS so that my friend could play competitively. These games were sleazy, nasty, ad-infested, and probably Mafia owned or something. I needed a shower every time I played those games because, gosh, the things we did to earn coins were unspeakable. I happily uninstalled those games and I've never gamed again on mobile.

The apps I haven't paid for come in a few categories: indispensable utilities (password manager), preloaded brand apps (Android/Google properties), and paid services (my bank, my transportation, etc.)

So I don't really dabble much in free apps at all, because "free" means "ad-supported" or "freemium" or "spammers" and I just have no truck with that. You get what you pay for, and my phone doesn't have the space to be given over to fly-by-nights.


> These games were sleazy, nasty, ad-infested

Oh yes. Games is the category that got hit the hardest by the race to the bottom.


The money Apple makes from mobile games alone can fund a profoundly more expensive app review process.


You’re fundamentally misunderstanding the point of app review. It isn’t to enforce that the platform sandbox works; the assumption is that it does. The review process is there to catch abuses that happen inside of the sandbox. This is things like asking for location access and actually using it to let people spy on you, or creating IAPs that are scams, or falsely claiming you’re affiliated with someone else and providing services that are not genuine. This is not a security problem but a quality problem.


> Some apps don't require any meaningful permissions and if run in an appropriate sandbox should not require any review at all.

Shouldn't this apply to games, which you earlier single out for needing special review?


That depends on the game. Does it need location for something like Pokemon Go? Does it want to access your contacts so you can find them in the game? Microphone for voice chat?

In some cases those can be justified, but that doesn't work in a sandbox that prohibits them.


The infamous processes just aren't happening.

When an app is updated you have to put it for review, but they don't seem to check anymore. I've worked with a couple of customers and we had to send Apple custom credentials for login, and they never use the credentials. Sure: perhaps they just wanted to see the boring login screen, or just do some automatic checking of the code. But apart from the first version, they don't seem to really open the app anymore.


The last app I submitted (a few weeks ago), they rejected it like 1 minute later, saying they wanted me to send them a link to a video of it being used (that is not a requirement that is written anywhere on the app store or its docs). After replying with a video link they immediately accepted it. I can only assume they just wanted to watch a video and give it a pass rather than bother actually opening it themselves.


Yep. I've had them do this multiple times, although my app was made to control specific hardware that they didn't have. I did put a "demo" backdoor into the app for them to use without the hardware, but they demanded a video. I thought that was pretty reasonable and sort of enjoyed doing it.

But... there is so much wrong with the App Store, and Apple purposefully keeps it that way. For example, the so-called search is an absolute sham. Apple claims that publisher name is one of the top three criteria for app search, but searching for our app by exact publisher name didn't bring it up AT ALL. At least not in the first 300 listings, which is where I stopped.

What WAS in those first 300 listings? 300 that didn't contain the search string ANYWHERE. The first few contained a similarly-spelled name that Apple replaced the search term with, without asking... essentially undermining our trademark. After that there was nothing but completely irrelevant results, including numerous FART APPS, which Apple decries as undesirable in its own documentation.

When challenged on this repeatedly, Apple (after initially blowing off my complaint with boilerplate) claimed to have reviewed the situation and found everything working fine. I would have had to escalate it to a legal issue asserting some kind of hijacking of our trademark (no idea if there's any legal ground to stand on there) to take it further.

Apple knows the search is bullshit and lies about it. You can test it yourself as a developer.


That's really funny. My guess is actually not laziness but their device just had some problem installing apps or whatever and they had a quota to fulfill.


The reason they give sometimes is that they don’t know how to use the app so watching you do so helps them understand what it’s for.


Nah this is revisionist. I’ve launched top 10 apps since App Store began. There have always been scam apps and variety of attention paid even when they took TWO WEEKS to get back to you. It has always been BS, just faster BS now.


For what it's worth, I've seen the opposite.

Apple requires demo/test credentials for apps, and when we push a new version, I frequently see that account log in from a 17.x.x.x (Apple's class A) IP address.

It might depend on the type of app (e.g. games vs finance etc) or the permissions the app requests.


Ditto - I think it's also human testing in my case (or randomised automated testing). We have a commenting feature, sometimes I see comments sometimes not.. I think I've always seen api requests come through.

Just wish it was a whole load faster... when you find a critical issue and want to get it out the door quickly, it's super frustrating to be waiting!


This is why I get so annoyed by people claiming that side loading will make iOS less secure. You trust open source apps on desktop all the time. I'd rather use crowdsourced trust indicators than some shmuck working at Apple.


> You trust open source apps on desktop all the time

The desktop has the luxury to afford not being as secure as your phone, which serves as a 2FA device, a digital wallet, something that can record your voice and location, and your main means of everyday communication.

Side-loading would just mean every person getting nagged or strong-armed to side-load all kinds of apps (from official stuff from major companies wanting to avoid Apple's pay-cut, to all kinds of shady BS), with average Joes and Janes getting their phone smashed with malware, spyware and such.

The app store review doesn't have to be perfect or catch all. It just needs to be better than no review, and it does fare majorly better than Android (e.g. studies showing the latter gets 90% of the mobile malware).

The app store process and notarization also means apps can be revoked.


> The desktop has the luxury to afford not being as secure as your phone

I don't understand this argument at all. I have everything on my desktop (laptop). Tax forms, credit card statements, bank statements, financial info, photos of all kinds, emails, ssh keys, etc., going back many many years.

> It just needs to be better than no review

It's not clear that this is true. I think that the existence of app review makes unwary consumers overconfident about the crapp store, and then they get scammed. That's how these scam apps exist and make money. The App Store is a honeypot, a scammer's paradise. It's a lot easier to get yourself highly ranked in App Store search than it is to find people to scam on the open internet. But Apple tells consumers that the App Store is safe, which is a lie.

> it does fare majorly better than Android

The lesser of two evils is still evil.

> The app store process and notarization also means apps can be revoked.

Notarization is sideloading.


> I don't understand this argument at all. I have everything on my desktop (laptop). Tax forms, credit card statements, bank statements, financial info, photos of all kinds, emails, ssh keys, etc., going back many many years.

Too bad. You shouldn't. Or maybe you should, but most people shouldn't.

Their desktops are horrible security-wise, they have no expertise to secure them, and they don't even have backups for losing data.

Those people (and many more, who don't even need or have a laptop/PC) still have a mobile phone.

> The lesser of two evils is still evil.

That would only matter if life wasn't all about tradeoffs towards the lesser evil all the time, and if "perfect" was practical.


> Too bad. You shouldn't. Or maybe you should, but most people shouldn't.

Where are you supposed to keep them? iOS devices don't even give you direct access to the file system, and they tend to have a lot less storage space than desktops.

Not to mention, it's a lot easier to do actual work on your desktop, with a large screen, keyboard, and mouse/trackpad. What do you think people use Macs for, gaming? ;-)

> they don't even have backups for losing data.

This is a very weird statement. Desktops have more backup options than a locked down iPhone. Indeed, I back up my iPhone to my Mac. Try backing up your Mac to an iPhone. ;-)

And both Mac and iPhone have iCloud, if you want to use that.

> Those people (and many more, who don't even need or have a laptop/PC) still have a mobile phone.

So?


The people who want locked down phones aren't even rational at this point. They aren't more secure. They just want to "feel" like they are more secure even when they aren't. They just wanna be coddled into a false sense of security. It's just constant pointless circular arguments. No amount of reassurance or claims of proof will help them out of the Stockholm syndrome.

For example I've never encountered someone personally or professionally that has ever had their android phone hacked. But if you talk to an iPhone fan you'd think that you'd get hacked within 5 minutes. It would be funny if it wasn't actually just sad.


> Where are you supposed to keep them? iOS devices don't even give you direct access to the file system, and they tend to have a lot less storage space than desktops. Not to mention, it's a lot easier to do actual work on your desktop, with a large screen, keyboard, and mouse/trackpad. What do you think people use Macs for, gaming? ;-)

Not having an ideal place to keep them is true, and that the desktop is more convenient for many classes of work is also true.

But they don't change the point I'm making. The point is that keeping sensitive data on the average person's computer, on the state that those are (loaded with all kinds of crap programs, clicking on whatever shady links, frequently duped for the most BS malware and spyware, and so on), is a bad idea.

Most average Joes would be safer keeping, say, their CC info on a locked down phone than on their laptop.

> This is a very weird statement. Desktops have more backup options than a locked down iPhone.

Not so weird considering that for phones an internet backup comes as a one-click built-in operation, on by default for many things, whereas for computers those options all require user activity, third party peripherals or accounts, and so on. Most people don't have a backup of their desktop/laptop. So this is again not about what the ultimate possibilities are, but what the norm is.


> The point is that keeping sensitive data on the average person's computer, on the state that those are (loaded with all kinds of crap programs, clicking on whatever shady links, frequently duped for the most BS malware and spyware, and so on), is a bad idea.

This is fearmongering exaggeration.

In any case, no, the point you made, which I responded to, was "The desktop has the luxury to afford not being as secure as your phone". But it doesn't have such a supposed luxury, because a lot of people in fact do what you claim (absurdly) they shouldn't: store sensitive information on their desktop.

> Not so weird considering that for phones an internet backup comes as a one-click built-in operation on by default for many things, whereas for computers those options all require user activity, third party peripherals or accounts, and so on.

For better or worse, Apple pushes iCloud by default on Mac just as much as on iPhone, so there's no difference.


> This is fearmongering exaggeration.

And this is where we disagree. Ask anyone working on desktop computer support, and you'll be surprised.

> In any case, no, the point you made, which I responded to, was "The desktop has the luxury to afford not being as secure as your phone".

That's an additional point I've made. You know, comments can have more than one. And I also stand by that comment: the phone is more tied to one's identity, often used as proof of identity for many services, and has access to more sensitive data and functions than the desktop (from personal pictures, to a person's every voice conversation (which a compromised phone can eavesdrop on), and their every movement, plus, nowadays, the best part of their social media use and chats).

Heck, the phone, via PIN and the like, is also used to verify a user on the desktop, for increasingly more services.


Your comment makes me incredibly angry. You bring up the point that people put important information on their phones, ‘lapcat points out that people use their computers for the exact same things, and you have the audacity to tell him that people shouldn’t be doing this? There’s a lot that can be done to help improve the security story on both phones and desktop computers but if your position stems from “people should not be using computers to do computer things” you are divorced from reality and should seriously reconsider any views you’ve built on top of that premise.


Or maybe you should consider alternative viewpoints and the point they're making. Also try not getting what the other person says wrong, complete with misquoting.

I never said “people should not be using computers to do computer things”.

I said that people shouldn't be storing sensitive data on their computers. And there's even more nuance to it, that you've also missed: first, that we're talking about the average person, and the state of their average laptop, vs their phone.

So not as in that people shouldn't do that all things being ideal, but as in that it is a bad security situation for most people, and for most average people worse than their locked-down phones.

If you think the average laptop (mac or not) is more secure than the average iOS device, you're mistaken.


> I never said “people should not be using computers to do computer things”.

> I said that people shouldn't be storing sensitive data on their computers.

https://knowyourmeme.com/memes/theyre-the-same-picture

I'd still like to see you explain what you meant by "The app store process and notarization also means apps can be revoked", because it sounds like you don't even have a correct technical understanding of the situation.


> https://knowyourmeme.com/memes/theyre-the-same-picture

A great reminder that memes don't make for good arguments.

It's also funny how you missed the whole context, even despite further detailed explanation.

> I'd still like to see you explain what you meant by "The app store process and notarization also means apps can be revoked", because it sounds like you don't even have a correct technical understanding of the situation.

It means that arbitrary sideloading can't be revoked, whereas app store apps and notarized apps (not the same set, though the latter is a subset of the former) can.

Sideloaded apps bypass the app store, but you still need a central entity that has the notarization control/ability to revoke. And of course notarized software is still checked by that entity (e.g. Apple for notarized macOS apps).


> Sideloaded apps bypass the app store, but you still need a central entity that has the notarization control/ability to revoke. And of course notarized software is still checked by that entity (e.g. Apple for notarized macOS apps).

And this is precisely what people are calling for on iOS, to make it more like the Mac. It's assumed that Apple would require Developer ID and notarization for sideloaded iOS apps. Thus, sideloaded apps could be revoked just as easily as App Store apps.


I really don't get the argument that desktops don't need to be secure. I have my password manager (yes it is encrypted, but can be bypassed by a keylogger) and my ssh private keys on my desktop.


They should, but that train has left the station. At least phones have more accepted security than the "anything goes" that are desktops.


> You trust open source apps on desktop all the time.

I trust the software on my laptop far less than the software I install on my phone. I’m much more willing to install AppStore apps from random publishers than I am random software off the internet. There’s nothing on my laptop that didn’t come from a well known, reputable source, and web apps mean I don’t need to install nearly as much software on my laptop in the first place.

The fact that the majority of mobile malware targets Android, despite iOS users having much more spending power, seems to be rather compelling evidence that side loading does in fact make the OS less secure.


> I'd rather use crowdsourced trust indicators than some shmuck working at Apple.

It isn't some shmuck working at Apple who reviews apps for quality and security, but some underpaid contractor on the other side of the planet who quickly needs to apply a checklist to your app before they lose the gig entirely for not meeting their hourly quota.


I wonder if it is possible to really quantify how difficult it is to get a bad-acting app approved for any store?

We've all heard stories about random bans and apps black listed and so on. Happened to some folks I know.

Having said that ...

I worked on an app recently that used location data heavily. I was told all about how picky Apple (and they mentioned Google too) would be, from folks online, and at work. Some folks even suggested hiring someone who had managed to get an app approved to help us get it approved.

I asked that everyone calm down ... and just let me TRY submitting the damn app first before we decided we're climbing a tall mountain or whatever they thought.

I got right in to the App Store and Google Play ... no problem.

Now granted my app is REALLY up front about using location data and such. But I wonder what the story really is?


I've heard (from random people) it's about whether the permission aligns with the category the app falls into.

A map app is assumed to have a legitimate purpose for location. But if you want to make a journalling app that automatically captures where you visit (like Apple just did) you'll have a hard time being allowed to make the argument.


That would make sense as far as my usage goes. The app revolves around logistics, it's a business focused app... all those things go hand in hand with location data.

I can imagine if a human saw it it would be a "yeah of course" kind of moment.

Some rando "free crossword puzzles", might get a closer look.


I still remember the early days when you needed a third party app to use your camera flash as a flashlight, and then having most of them request your contacts, location, and every other type of data that the OS would allow.


I really try to leverage builtin apps as much as possible. For example, I don't have a music playing app. I use "Files" and "Podcasts" which were preloaded. Files can play music for me just fine, because I don't have any playlists or sophisticated playback needs (I lied, I do have a few playlists made out of folders with files arranged just so.)

I don't really try to solve problems with 3rd party apps, like I don't have any adblocking, but I use NextDNS so the private DNS blocking is built in and I can use that from anywhere. I just use my default web browser and my default email reader and all that.

I think it's a fundamental type error that people tool up their little mobile device as if it's a desktop computer full of software. Again, I have little storage space to give over to a bunch of third-party cruft. So I use the preloaded apps to the best of their abilities, and I load stuff as I have a fundamental need or there's a paid service I'm accessing with them.

I uninstall apps frequently too. It is essential security review to reduce attack surface. I like how Android 11 will revoke permissions that haven't been used in a while. It's good practice to remove your unused apps because then you are less likely to succumb to supply-chain attacks, among others.


The story is that enforcement will vary depending on what specific type of review you go through.


There is no competition, so there’s no incentive for Apple to put any work into making the App Store quality better.

Review is awful, search is awful, rankings are gamed, and it’s full of spam and shovelware.

All the app stores are like this to varying degrees.


Awesome! Let's pay Apple tens of billions of dollars per year so that we're basically back to Softpedia.


In addition to what everyone else is saying, in my experience a lot of it can be explained by one simple thing: the reviewers are just plain bad at their jobs.

I'm not trying to be mean; it's just my experience. They generally don't familiarize themselves with even the most recent previous interaction, so they repeat the same mistakes that have already been resolved. They don't know their own rules. They imagine things that aren't there because some word sounded similar to another one, and they don't have enough technical context to actually understand what the words on their checklist mean.

Is that surprising? I don't think so! Think about what these people are being asked to do. They're repeatedly stepping through a tedious checklist full of stuff they barely understand, and then they have a choice of either waving an app/update through, or pissing off some developer. How many people with otherwise-marketable skills are going to stay in a job like that?


A few years ago, I made comments on HN about how I found Chinese Bonzi Buddy clones on the Mac App Store, except using different animals like tigers and lions. Same functionality of Bonzi Buddy outside of that.

It's absolutely astounding to me that this problem is still going on to this day, with even scammier apps.

It is worth noting that even the iOS App Store hosts multimillion dollar scams on it[1].

[1] https://www.theverge.com/2021/2/8/22272849/apple-app-store-s...


You have to remember that Apple struggled because developers weren't targeting their platform for a long time. The Mac was for creative software and little else. That problem has burnt itself into their psyche to such an extent that as far as they are concerned more software targeting their platform is always a good thing.

The upshot of this is Apple boasting about having 2 million apps in the App Store. This is the complete opposite of their normal product strategy where everything is pared back to the minimum.

Sadly you can't have 2 million apps and maintain a high standard. The costs to review each of those apps thoroughly would be astronomical.


> Sadly you can't have 2 million apps and maintain a high standard. The costs to review each of those apps thoroughly would be astronomical.

Well, that's part of the problem. Should we really have 2 million apps in the store, when 70% of them are knockoffs, scams or absolute garbage? That's currently one app for every 850 iOS users; it's a ridiculous number.

The estimate for Apple's cut for app sales & subscriptions last year was 85 billion dollars. Surely that can fund a decent reviewing process... but they also benefit from all this 'activity'.


Are two millions apps really needed?


No surprise at all. Every app store has been like this. It's why the whole idea is about restricting freedom, nothing more. Stallman is right.


Very likely these apps are just spammed and you don't get to see the rejected apps.

As for why the process isn't catching such obvious flaws - I'd say there's no strong incentive, the only feedback I've seen consistently is related to protecting their revenue cut - the rest is much more random, especially after initial review.


I think the most logical explanation is that app review is largely automated, perhaps with a permissive algorithm, while some sampling of apps are reviewed by humans with strict standards, which may be applied inconsistently because that’s how humans do.

It’s really not that surprising to me, given the scale of the App Store.


I know for a fact that some people manage to bypass the Facebook Ads review process by bribing some local employees in developing countries (India, Indonesia, etc.). I wouldn't be surprised if this was used with Apple as well, as they usually tend to outsource these jobs to developing countries.


It’s probably not really necessary given the poor quality of review.


>How is it that simultaneously, so many apps fail review for tiny details, showing that apps really are having manual review done on them... ...and yet all this spam is getting through?

Because a trillion dollar company chose to outsource manual app review to Indian call centre workers. End of story.


A significant portion of the review team works from the US.


When u create a walled garden like this, the people who are more likely to get into the garden are the unscrupulous dodgy assholes who will learn how to, and do whatever it takes to exploit and profit from the system. The good actors doing things in good faith are the ones who will have difficulty getting in.

Another example: YouTube: Content farm garbage gets promoted by the algorithm while well made videos get hellbanned by spurious copyright claims.

.....

Any system u make, people will find the best way to exploit it. Like with a democratic system of government there needs to be transparency, accountability, ombudsmen, investigative journalists + a complex web of agencies and regulations and mechanics constantly working to stop it falling into total corruption and de-facto despotism.

These systems run by big corps are like the wild west, there is none of that stuff, so of course they immediately become completely corrupt.


Spot on. Very interested in this sausage factory. How did those get made exactly?


Couldn’t it be as simple as their auto detection is weak and their manual detection is good but isn’t done on everything?

In fact, isn’t that exactly what we should expect?


> There's no benefit to Apple allowing all these spam apps.

You're being naive. Even if the crapware didn't sell, getting it into the App Store costs the developer an annual subscription fee, and thus creates revenue for Apple. And if you've seen the App Store, you know that 99% of apps are crapware with maybe 5 users.


There are 20M developer accounts. And Apple charges $100 per account per year. That's $2B in revenue. Apps on the App Store make $100B in revenue. So, Apple makes the equivalent of 2% of apps' revenue from developer accounts. I doubt they'll intentionally risk the $100B revenue by making their App Store full of crapware for a 2% equivalent.


I think “developer accounts” doesn’t imply “pays $100 a year”.

I have an account on developer.apple.com, but never pay anything for it.

That gives me the right to generate a certificate to sign development applications and install them on a few devices (where the certificate will rapidly expire), but not to put anything on the App Store.

Are you sure there are 20M paying accounts?


Sorry, I meant that the maximum they’re making is $2B. But in reality it’s surely a much smaller number. Which makes it even more unlikely that Apple is optimizing for developer fees.


They are not risking anything since they also take a 30% cut off any successful scam. This can only be stopped by goodwill somewhere up the management chain.


It's the same principle as Amazon choosing to ignore the scams on their store.

Amazon still benefits from scam reviews, for example, because those reviews entice people to make purchases from Amazon. Amazon profits from the scam, and has little incentive to do anything about it, given that the vast, vast majority of their customers don't know or don't care about fake reviews in the first place.


For the app revenue it seems you are off by an order of magnitude. That is the devs' revenue and Apple takes 30%. Also, credit processing takes another cut, hosting, ... Risking that is still dumb, but far from the 2% number you gave.


Why would they have manual reviews? How would it scale with hundreds of thousands of developer accounts? It's mostly automated with rare manual escalation for "suspicious activity". The "process" is to ban the malicious accounts when reported, like everywhere else.


They quite literally justify the lack of sideloading and the 30% cut by saying that they provide you actual human services like review.

"The guiding principle of the App Store is simple—we want to provide a safe experience for users to get apps and a great opportunity for all developers to be successful. We do this by offering a highly curated App Store where every app is reviewed by experts and an editorial team helps users discover new apps every day. For everything else there is always the open Internet."

https://developer.apple.com/app-store/review/guidelines/


> I seriously don't understand how Apple's processes are allowing this to happen

My guess is the decisions are deliberately stochastic to stop human bias entering the chat. So we get sketchy apps slipping through the cracks, whilst developers who spent a lot of love and care polishing a fine app getting rejected.


> ...and yet all this spam is getting through?

It's difficult to believe anything other than bribery.


Never attribute to malice that which is adequately explained by stupidity.


Hanlon's razor is great when you apply it to your personal relationships, but it falls apart when you apply it to trillion dollar companies and their golden geese.


I don't see why we should assume malice based on market capitalization. It's easy to imagine a situation where an organization the size of Apple just doesn't have the competence to deal with all the spam. They're a huge organization, I doubt any one person has a complete view of App Store moderation especially (by definition) their unknown unknowns.

It depends on how they measure moderation in the App Store. Everything may appear to be going well from what they can see and measure. I see no reason to believe apps are getting through because of bribery when we can explain this situation as "large organizations are inefficient".


But this would not be explained by stupidity.


Law of large numbers seems to be one people ignore. If I’m making a scam app, I’ll just use multiple accounts and hope one gets through eventually. I won’t be discouraged by rejects because I’ll have an automated system that handles everything including retries. If I’m banned, I’ll just buy a new account and try again.

