An iOS app rating flaw lets developers create apps that cannot be opened until the user gives them a five-star review.
It’s the latest discovery by FlickType developer Kosta Eleftheriou, whose Twitter bio now describes him as “Professional AppStore critic.” Eleftheriou has indeed made a name for himself identifying high-profile scam apps that made it through app review, some of which have made millions of dollars for their developers …
He has even gone as far as filing a lawsuit against Apple, accusing the company of breaching its contract with developers by failing to properly police the store.
Eleftheriou spotted the latest flaw being exploited by the UPNP Xtreme app, posting a video demo to Twitter. As soon as you open the app, Apple’s review pop-up is triggered. However, the “Not now” button that would normally allow a user to dismiss the dialog appears non-functional (I assume it is simply relaunching the pop-up).
Not only that, but attempting to give the app anything less than five stars also prevents the user from dismissing the dialog. Only giving it a five-star review allows the app to be opened.
As with some of the earlier scam apps found by Eleftheriou, this is not an obscure one sitting in a dusty corner of the App Store.
This developer has more than 15M downloads and $MILLIONS in revenue.
Nor is the review pop-up a fake one, or dependent on some clever workaround.
This is the iOS system rating prompt, not a custom look-alike one.
The worst part? This trick is EXTREMELY easy for any developer to do, and not limited to this app.
A key element in Apple’s defense in the Epic Games case has been that its app review process keeps scam apps out of the store. Eleftheriou has persistently argued that this isn’t the case.
Apple also says they conduct a “robust” review process – yet this fraud takes place immediately upon launching the app. Even an automated check would have caught this! But with no competing app stores on iOS, Apple doesn’t care enough to improve their ways.
Apple would of course respond by saying that far more scam apps would make it into the App Store without the review process, recently noting that it stopped more than $1.5B in potentially fraudulent transactions last year. All the same, it’s certainly not a good look when an app like this can pass review.
Update: Some are questioning how Eleftheriou can be certain it’s the native dialog, and he has replied. We’ve also been able to verify it for ourselves. The code only works on some iOS devices.