While most people agree that Apple’s closed ecosystem is more secure than Android’s open ecosystem, that does not mean that Apple’s world is without risk.
This week Apple is removing hundreds of fake apps. These apps carried brand labels like Dillard's, Nordstrom, Christian Dior and Salvatore Ferragamo. The actual brands have nothing to do with these apps, which is the problem.
While many of these apps only served up ads, some stole data, credit cards and credentials.
More interesting is how these apps were discovered.
They were not discovered by Apple’s security process. Actually, they were discovered because the New York Times and New York Post did research and shone a bright light on them. Once that happened, Apple removed the apps.
While Apple claims to review every app, that is not quite true.
Apple tries to be diligent about reviewing apps and they are pretty good. Just not perfect.
In one example, an organization calling itself Overstock Inc was selling (maybe) Ugg boots last Friday. The app was almost identical to one that was removed from the app store on Thursday. What a difference 24 hours makes.
One company in China, Cloaker Apps, makes these apps for many hacker clients. While they pretend that their clients are not doing anything wrong, in reality, it is all about the money. All they charge for an app is around $3,000. Hackers probably make that investment back in hours.
Apple started a process a couple of months ago to review every app in the app store but with companies changing apps on an hourly basis, even a company with the resources of Apple is challenged.
When developers get banned, they merely create a new ID and submit slightly modified versions of the crap that was pulled down the day before.
If people pay attention to the apps, in many cases it will be simple to see that they are fraudulent – bad grammar, no developer history, and bad or no reviews are just a few of the ways to spot a rogue app.
Organizations that do not have an official iPhone app are the most at risk, because the hackers do not need to differentiate themselves from a real app. That being said, the grocery chain Kroger has 20 iPhone apps covering all of its brands, and there are 19 fake Kroger apps from one vendor, The Kroger Inc, alone. The fake apps sell everything (including your credit card info). One example is a bottle of Dior perfume for $688. Not sure that I would buy that from a grocery chain. However, enter your credit card info and I promise your account will be lighter by that $688, at least, and I don’t think you will be getting any perfume in the mail.
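The warning signs above (brand name on a non-official developer account, a developer with no history, no or bad reviews, sloppy grammar) are the kind of thing a brand-protection team scores automatically when it sweeps an app store for impersonators. The following is an added example, not code from the original post or from Apple, the NY Times, or any brand named here. The listing fields, the developer registry, the sample listings and the score weights are all constructed for this example; a real sweep would pull listings from the store and the registry from the brand's own legal or marketing team.

```python
"""Heuristic triage of app-store listings for brand impersonation (added example)."""
import re
from dataclasses import dataclass, field
from datetime import date

# Assumed registry: brand keyword (lowercase, alphanumeric) -> official developer
# account names. An empty set means the brand has no official app at all, so any
# listing carrying its name is suspect (the point made about organizations with no
# official app). Names below are illustrative, not verified account names.
OFFICIAL_DEVELOPERS = {
    "kroger": {"The Kroger Co."},
    "dior": {"Christian Dior Couture"},
    "dillards": set(),          # assumed: no official app
}

# Crude "bad grammar" smells in a listing description: space before a comma,
# sentences run together without a space, shouting punctuation, doubled articles.
_GRAMMAR_SMELLS = [r"\s,", r"[a-z]\.[A-Z]", r"!!+", r"\b(a|an)\s+(a|an)\b"]

@dataclass
class Listing:                  # constructed record shape, not a store API
    name: str
    developer: str
    description: str
    developer_first_seen: date  # when this developer account first published
    review_count: int
    avg_rating: float

@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

def _normalize(text):
    return re.sub(r"[^a-z0-9]", "", text.lower())

def brands_in_name(name):
    """Brand keywords that appear in the app name after stripping punctuation."""
    norm = _normalize(name)
    return [b for b in OFFICIAL_DEVELOPERS if b in norm]

def triage(listing, today):
    """Score a listing; higher means more likely to be an impersonation."""
    v = Verdict()
    for brand in brands_in_name(listing.name):
        if listing.developer not in OFFICIAL_DEVELOPERS[brand]:
            v.score += 50
            v.reasons.append(f"uses brand {brand!r} but developer "
                             f"{listing.developer!r} is not the official account")
    age_days = (today - listing.developer_first_seen).days
    if age_days < 30:           # "no history": brand-new developer account
        v.score += 20
        v.reasons.append(f"developer account is only {age_days} days old")
    if listing.review_count == 0:
        v.score += 15
        v.reasons.append("no reviews")
    elif listing.avg_rating < 2.5:
        v.score += 10
        v.reasons.append(f"poor rating {listing.avg_rating}")
    smells = sum(1 for p in _GRAMMAR_SMELLS if re.search(p, listing.description))
    if smells:
        v.score += 5 * smells
        v.reasons.append(f"{smells} grammar smell(s) in description")
    return v

def is_suspicious(verdict, threshold=40):
    return verdict.score >= threshold

# Constructed sample listings (not real store data).
TODAY = date(2016, 11, 10)
FAKE = Listing("Kroger Shop", "The Kroger Inc", "Buy Dior perfume $688 ,free ship!!",
               date(2016, 11, 5), 0, 0.0)
REAL = Listing("Kroger", "The Kroger Co.", "Shop, save and manage your Kroger account.",
               date(2012, 1, 15), 12000, 4.6)
NO_OFFICIAL = Listing("Dillard's Outlet", "Fashion Apps Ltd", "Great deals on shoes and bags.",
                      date(2015, 6, 1), 40, 4.2)

if __name__ == "__main__":
    for item in (FAKE, REAL, NO_OFFICIAL):
        v = triage(item, TODAY)
        print(f"{item.name!r}: score={v.score} suspicious={is_suspicious(v)}")
        for r in v.reasons:
            print("   -", r)
```

The weights are arbitrary; what matters is that a brand-name/developer mismatch alone clears the threshold, so a listing that uses a brand with no official app is flagged even when its reviews and description look clean, while a new account with no reviews and a sloppy description piles up several independent signals.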
This is not really a ding on Apple; they are trying hard.
Users have to be responsible as well.
Information for this post came from the NY Times.