Apple and Privacy

Apple failed to protect their users

• Apple said the iPhone was a “highly personal device” and promised they had “design[ed] security into the core” of their platforms. Apple said safety and privacy was “of critical importance to users” and said they designed security into the core of its platforms. Apple claimed their devices protected their “entire ecosystem, including everything users do locally, on networks and with key internet services.” Apple was committed to “helping protect customers with leading privacy and security technologies.
• Apple claimed that its app store was the “most trusted marketplace” with the “tightest controls.” Apple claimed to provide “layers of protections to ensure that apps” were free of malware and tampering. Apple said their security controls for apps provided “a stable, secure platform for apps” and ensured users could use their devices “without undue fear of viruses” and other attacks.
• Apple CEO Tim Cook called privacy a “fundamental human right.” Because of that, Apple promised users that it wouldn't gather their personal information to sell to advertisers or third parties.
• Apple’s vulnerabilities were a bag of cash to cybercriminals. Cybersecurity researchers found and sold iPhone exploits for as much as $2 million. Their app store was said to be “teeming with scams.”^[1]
• Apple claimed to forbid apps from gathering user data without permission. But, the Washington Post reporter found that his phone encountered 5,400 trackers in a single week. Earlier that year, Apple had released an ad that said “what happen[ed] on your iPhone stay[ed] on your iPhone.”

App Store vulnerability for users

• The App Store was a core growth area for Apple that brought in billions per year for the company. Apple’s app store grossed $64 billion in 2020 and saw a 28% increase in revenue from it that year. The reason being was Apple took a 30% commission from all in-app purchases made through apps hosted on the iOS Store that generated $1 million or more a year. Apple cut that commission down to 15% for companies that did not make over a million a year. The commissions Apple made from the app store was the biggest driver of their inter-services business, which brought $53 billion to Apple in 2020. Apple did not disclose their profit from the app store though
• The App Store hosted nearly two million apps and generated half a trillion dollars in sales. The app store was one of the largest centers of commerce that was crucial for businesses. The app store was described as a “crucial gateway to customers” for businesses. The app store was the sole way iPhone owners could download software to their phones, but it wasn’t as safe as Apple said. Apple said it needed to control app distribution or risk turning the app store into a “flea market” Apple insisted that tight control over iOS was necessary to keeping their system secure and protecting the privacy of its users.
• Apple leaned heavily into claims that their app store was “the most secure app marketplace in the world.” Apple said user trust was at the foundation of why they created the app store. Apple said they vetted every app before it was published on their app store to ensure they were safe, secure, useful and unique. Apple’s claim of being devoted to security created a false sense of safety for users.
• A high-profile Apple security engineer bemoaned the weakness of Apple’s app review team and the feeble review process. In 2013, the head of Apple’s Fraud Engineering Algorithms And Risk Team, Eric Friedman, Said Apple’s app review team was “bringing a plastic butter knife to a gunfight.” Friedman said of the app review process, “please don’t ever believe that accomplish[ed] anything that would deter a sophisticated attacker.” Apple did not have anyone in charge of rooting out fraud in the app store until Oct. 2018.
• Apple’s 500-person app review team had to work 10-hour days, review 50-100 apps per day, and only spent 13 minutes evaluating each app. Apple received applications for thousands of apps a day, but their app review team members did not have coding backgrounds, nor were they required to have specific tech skills to be on the review team. The former head of Apple’s app review team said the qualifications for the job were “that they could breathe, they could think.” App reviewers spent only 13 minutes on each app evaluation. Apple’s review process focused more on blocking malicious software than examining the thousands of app submitted daily to ensure they were legitimate.
• Apple had known for years that apps on the App Store were scamming iPhone users out of millions of dollars, yet failed to stop them from invading the App Store. As early as 2012, the New York Times was sounding the alarm of the security risks of the app store. They reported about the hundreds of complaints saying the App Store was not as secure as the company said it was. Because of their lack of action, Apple’s App Store was said to be “teeming with scams” by 2021. Of the top 1000 highest grossing apps, nearly 2% of them were scams. Scams and fleeceware was far worse on iOS than on Android. A March ’20 study found the App Store had 134 fleeceware apps, whereas Google only had 70. Fleeceware apps on the App Store were downloaded and estimated 500 million times.^[2]
• Apple profited off App Store scams and had little incentive to fix the problem. In 2021, Apple claimed that they would reject apps that tried to rip off users by charging too much. But Apple did not address the situation comprehensively and thus some scam apps were staying on the App Store for months or years at a time. The scam apps were estimated to have defrauded Apple customers out of approximately $48 million. Apple made a 30% commission off all in-app purchases, The top 2% of app developers generated 95% of the App Store’s revenue, and nearly 2% of the top 1,000 highest grossing apps were scams, so Apple had “little incentive to spend money” on fixing the problem.
• Scam apps usually bought fake app reviews to elevate their ranking in the App Store. Apple had known about scam app’s fake reviews since 2012. In 2013, the head of their Fraud Engineering And Risk team lamented the fact that Chinese apps were requesting users give them 5 star reviews, which the app review team wasn’t catching. Some fake reviews for apps didn’t even talk about the app at all in their review, instead referencing nail salons and dog collars. Some scam apps required the user to review their app just to use it, but only allowed them to choose a 4 or 5 star review. Nearly 25%-30% of app store reviews were found to be fake.^[3]
• Some scam apps vaulted to the top charts in the App Store. A scam QR reader that made $30,000 in May 2017 alone was ranked #8 on Apple’s top charts for top grossing utility app. A scam VPN app, whose description was written in broken English, was on the top 10 list of top grossing productivity apps. Another scam QR reader was ranked #235 of overall top grossing iOS apps, higher than the official apps for the UFC and PGA. A blood pressure app that claimed to be able to detect blood pressure through the iPhone camera was ranked no. 12 in the medical category
• Scam apps made their money through tricking users to sign up for subscriptions to their service, bilking hundreds from users each year. Scam apps would list themselves as free apps in the store, then prompt users to sign up for a free trial that became an auto-renew subscription. Because of the way Apple’s subscription system worked, many free trials automatically became auto-renewing subscriptions. Some users ended up in $3,000+ per year subscriptions without even knowing about them. A dating app had a fake woman immediately text user’s who had just downloaded the app, then required the user to spend $20 to start messaging with the woman.
• Some scam apps tricked users into pressing their device’s Touch ID to confirm a subscription. A scam app claiming to measure heart rates had users place their finger on the Touch ID, then dimmed the display to hide the payment authorization screen. A heart rate app duped users into paying $89 a year through this tactic. It was banned from the App Store, but found its way back on it eight months later under a different name. More than 500 apps used Touch ID tricks.
• Some scam apps outright lied and pretended to be major corporations or spoofed legitimate apps. Several VPN apps falsely told users their devices were infected with a virus after they downloaded it and convinced them to buy software they didn’t need. Other apps pretended to be from major brands like Amazon and Samsung, leading one user to spend $19 on a TV remote app that was Samsung actually released for free. In the weeks leading up to Christmas in 2016, hundreds of fake retail and product apps popped up in Apple’s app store. The apps claimed to be from a wide range of real companies like Dior, Foot Locker and Dollar Tree. These apps would spend money on paid search ads to propel them to the top of the search results screen. Apple did not examine apps to see if they were legitimately associated with the brands listed on them.
• Scam apps exploited an Apple program that gave large companies the ability to produce and share an app without being reviewed first. Apple had a program for major businesses that gave them the ability to distribute internal apps to employee’s without Apple’s review. Illicit software distributors found ways to hijack the program to distribute hacked versions of major apps like Spotify, Angry Birds and other apps. When Reuters contacted Apple about the illicit apps in the App Store, Apple took them down. But within days the fake apps were back up using different digital certificates. Apple had no way of tracking the real-time distribution of digital certificate giving illicit software producers the ability to distribute the hacked apps.
• Scam apps could bring in millions for themselves while providing a worthless service or broken app. A VPN app that duped customers out of $400 a month was described as a “completely worthless service.” The app made $80,000 a month. A scam keyboard app made $2 million a year despite the fact that it didn’t function properly. A scam QR Code reader made $5.3 million a year even though the iPhone’s camera provided that service for free. Another scanning app brought in $14.3 million a year. A weather alert app made more than $1 million from their scams.
• Some scam apps applied as one app then completely changed their contents after being approved by Apple. It was said to be “easy” for scammers to circumvent Apple’s App Store rules. App developers would submit a seemingly innocuous app and then change them into a phishing app after approval. Apple was aware of this despite banning the behavior.
• Scam apps could devastate people’s lives and endanger children. A man had his life savings worth over $600,000 stolen from him after he downloaded a copycat bitcoin wallet app that stole his bitcoin information. Popular social chatting apps had over 1,500 complaints alleging unwanted sexual advances made on the app, many of which targeted children.
• Apple was a strong proponent of subscription models, which brought in consistent profits. In 2017, Apple held an intimate invite-only conference for small developers where they insisted the developers start charging through a subscription rather than a one time fee. Apple had over 300 million paying it for subscriptions, a majority of which were for third-party apps. Apple even secretly bought Google ads for third-party apps that had subscriptions. Apple made it difficult for users to find the setting that let them cancel their subscription.
• Apple products continued to allow apps to communicate with third party data companies after developing rules against the practice. A Washington Post investigation found that in one week alone, a reporter’s iPhone encountered nearly 5,400 trackers in one week alone. Apple tracking protections didn’t actually block apps from accessing obscure phone data identifiers, even when users enabled the do not track feature. A 2019 investigation by the Wall Street Journal found that 79 out of 80 of the iPhone apps they tested for tracking properties had an average of four trackers each. Most of those apps were promoted by Apple’s ‘Apps We Love’ feature.
• Software developers had figured out how to build tools that allowed developers to override the iPhone’s block on data tracking. Facebook paid people $20 a month in gift cards to let them have near-total access to the user's iPhone and data. Big corporations recorded every tap and swipe users made in their app without permission from the user or Apple. Apple also gave third-party apps access to the FaceID scanner that allowed the apps to see a wireframe representation of users’ faces and a live read-out of 52 unique micro-movements of users faces. The apps were able to store that data on their internal systems.
• Apple promoted the fact that it itself couldn’t even access information on people’s iPhones but neglected to mention they could access the same information through iCloud. Apple actually pushed users aggressively to sign up for iCloud. iPhones sent call histories, including phone numbers, dates and times, and duration.

iPhone vulnerability

• iPhone and other devices could be hacked through increasingly simple measures, like opening an infected website or merely receiving a text. iPhones could be hacked into when users simply visited a website. The vulnerability had been known to Apple for years. Scammers in China were able to hijack people’s Apple IDs using Apple’s ‘Family Sharing’ feature and make purchases worth hundreds of dollars. Android’s systems did not find any interaction-less bugs like the ones iOS had. Researchers were also able to hack into Apple pay even when a user’s phone was locked.^[4]
• Apple could not figure out how to stop zero-click attacks or ensure software vulnerabilities stayed patched. Apple reportedly spent years trying to figure out how to stop zero-click attacks to no avail. In May ’21, Apple released an iOS update that contained a software vulnerability they had previously patched in the last iOS update. A security researcher once spent months trying to let Apple know about security vulnerabilities, but was ignored for nearly half a year.^[5]
• Apple invested little into their bug bounty program, whereas Microsoft and Google invested heavily. Apple’s bug bounty program paid less than Microsoft or Google’s. Apple only spent $3.7 million on their bug bounty programs, whereas Microsoft spent $13.6 million and Google spent $6.7 million. Because of this and the unfriendly nature of Apple regarding their bug bounty program, cybersecurity firms just sold their security findings to outside entities rather than tell Apple.