> When the app is opened for the first time, it waits a few seconds to call the geolocation API. This way, the App Store’s automated review process doesn’t see anything unusual in the app’s code. We also checked the app’s behavior by running it through a proxy to fake our location to San Jose, California. For this location, the app never reveals its hidden interface.
> After Apple approves the app with its basic functionalities, developers use CodePush to update it with anything they want. The app then reveals its true interface in “safe” locations.
Apple have locations all over the world they can test from and a proxy-like service they sell to users called “Private Relay”. They have all the necessary tools to easily combat this, except the staff to do so.
> When the app is opened for the first time, it waits a few seconds to call the geolocation API. This way, the App Store’s automated review process doesn’t see anything unusual in the app’s code. We also checked the app’s behavior by running it through a proxy to fake our location to San Jose, California. For this location, the app never reveals its hidden interface.
> After Apple approves the app with its basic functionalities, developers use CodePush to update it with anything they want. The app then reveals its true interface in “safe” locations.