Looks like Verichains completely misunderstands how third-party protection software like Appdome works. Many game apps use the same “trick”.
The probe was for specific app-stores which can be found on jailbroken devices:
org.coolstar.SileoStore
com.opa334.Dopamine.roothide
com.roothide.manager
com.cokepokes.AppStorePlus
xyz.willy.Zebra
com.opa334.Dopamine
com.kahsooa.piqwkk.dummy
They also seem to not understand how Apple’s bug bounty works:
Predictable enumeration of all apps. As an example, you demonstrated that an iOS app is able to enumerate all installed apps.
The keyword here is all. Not by selectively doing an IPC call to a few known app IDs, which is a method of detecting a jailbroken device. The obfuscation is probably part of Appdome or a similar solution; I don’t think Vietnamese bank app developers are after exploiting private APIs. That $5000 bounty is a yearly salary for an engineer in Vietnam.
For context:
I think you’re the one getting confused, the private API described in the article can be exploited as a side-channel to detect any (or all) installed apps on a device. Anyone could prepare a list of Bundle IDs from popular apps (or even the entire App Store) and use this API to probe their presence.
Verichains also confirmed that this side-channel exploit works on the latest, non-jailbroken iOS devices. Imagine a random app knowing you have Tinder, your banking app, travel apps, health apps, etc., to profile you. Are you okay with that?
You can’t compare this to third-party protection software like Appdome, as they only detect the presence of dangerous apps or a jailbreak via information related to the JB environment or those specific apps. They do not probe installed apps by Bundle ID by exploiting a side-channel vulnerability of a private API that works on all devices (normal and jailbroken) like in this case.
Brute-forcing a large set of Bundle IDs is bad and should probably be fixed, but it doesn’t qualify under “Predictable enumeration of all apps”, because if an app is not on the App Store, such as with the JB IDs, you won’t know which ID to look for in the first place.
Besides, sneaking millions of bundle IDs into the code will require lots of obfuscation, unlike hand-picking a few blacklisted ones, and it won’t pass Apple’s review in that case.
I’m not saying it shouldn’t be fixed, but the whole article is PR fluff by Verichains; there is nothing sensational about their findings, at least not in the way they make it sound.
I think you didn’t get the point. Profiling users doesn’t require millions of Bundle IDs; just hundreds of popular installed apps, e.g. dating (Bumble/Tinder), banking, chat, social media, travel, or health apps, are sufficient to know about you. Also, the app can pass Apple’s review using obfuscation techniques similar to the banking apps in the article (and no, you don’t need a lot of obfuscation; a simple XOR encryption of the whole list of Bundle IDs has been proved to be enough to bypass the Apple review in the article already).
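As an added illustration of the two points argued above (a hand-picked jailbreak-store list versus a profiling list, and why a plain XOR is enough to keep the list out of a string scan), here is a small Python example. It is not code from the thread, from Verichains, or from Appdome: the jailbreak-store IDs are the ones quoted in the thread, the "com.example.*" IDs and the installed-app set are constructed placeholders, and `probe_installed` stands in for whatever presence check an app would use; it is not the private iOS API and does not reproduce it.

```python
# Added example, not from the original thread. Shows how an app can ship a
# bundle-ID list XOR-obfuscated so a naive string scan (roughly what `strings`
# surfaces) does not reveal it, yet still decode and probe the list at runtime.
# `probe_installed` takes a constructed set as its presence oracle; it is a
# stand-in, not the private iOS API discussed in the article.

KEY = b"\x5a\xc3\x19\x77"  # assumed hard-coded key; any bytes would do

# The jailbreak-store IDs quoted in the thread: a short, hand-picked blacklist.
JB_STORE_IDS = [
    "org.coolstar.SileoStore",
    "com.opa334.Dopamine.roothide",
    "com.roothide.manager",
    "com.cokepokes.AppStorePlus",
    "xyz.willy.Zebra",
    "com.opa334.Dopamine",
]

# Hypothetical consumer-app IDs standing in for a profiling list.
PROFILE_IDS = ["com.example.dating", "com.example.bank", "com.example.health"]


def xor_bytes(data: bytes, key: bytes = KEY) -> bytes:
    """Repeating-key XOR; the same call both obfuscates and deobfuscates."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate_list(bundle_ids):
    """Join the IDs with NUL and XOR the blob, as it would be embedded in a binary."""
    return xor_bytes("\0".join(bundle_ids).encode())


def deobfuscate_list(blob):
    """Runtime decode of a blob produced by obfuscate_list."""
    return xor_bytes(blob).decode().split("\0")


def printable_strings(blob, min_len=6):
    """Runs of printable ASCII, roughly what a static string scan would surface."""
    out, run = [], bytearray()
    for b in blob:
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode())
        run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode())
    return out


def leaks_any_id(blob, bundle_ids):
    """True if any plaintext bundle ID is visible to a string scan of the blob."""
    return any(bid in s for s in printable_strings(blob) for bid in bundle_ids)


def probe_installed(blob, installed_on_device):
    """Decode the list at runtime and report which IDs the oracle says are present."""
    return [bid for bid in deobfuscate_list(blob) if bid in installed_on_device]


if __name__ == "__main__":
    # Constructed device state for the demo: one JB store, two consumer apps.
    device = {"xyz.willy.Zebra", "com.example.bank", "com.example.health"}
    for name, ids in (("jailbreak check", JB_STORE_IDS), ("profiling", PROFILE_IDS)):
        blob = obfuscate_list(ids)
        print(name, "plaintext visible:", leaks_any_id(blob, ids))
        print(name, "hits:", probe_installed(blob, device))
```

The same three functions serve both lists; what differs is only the size and intent of the list, which is the distinction the two commenters disagree about. Note that `printable_strings` models only a naive scan: a reviewer who runs the app, hooks the presence check, or locates the XOR loop still sees every ID.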
Maybe related