Are all the apps from AppStore safe?

I was told that Apple manually review source code of every app in AppStore so that there are no malware or scam apps. But now I’m not that sure.

There is, for example, Betternet VPN there, which doesn’t seem to be a safe app:

Not all free VPN apps are scams. However, in any situation where VPNs claim they’re free, the VPN provider is making money some other way. Some of the best VPNs like Hola VPN for example, use a freemium model or a legitimate advertising revenue model. However, other free VPNs that have thousands of positive ratings on app stores—Betternet VPN for example—have a high malware presence. And many free VPNs are actually out-and-out scams, which is why a paid VPN provider is often a better bet for security than a free one. – Malicious VPN Scams: What Is It & How To Prevent It At Scale - GeoEdge

Betternet is a well-known VPN that offers both free and paid versions. Despite its renown, Betternet VPN has a very troubling history. As we’ll explain further in this Betternet VPN article, a team of researchers caught Betternet embedding malware and tracking libraries in their VPN apps. – Betternet VPN Review - This Free VPN Comes with Risks

My questions:

  • Is it true that Apple manually review source code of every app in AppStore?
  • Are all the apps from AppStore safe?

We’ll start with the easy question…

Are all the apps from AppStore safe?

No, they are not.

Is it true that Apple manually review source code of every app in AppStore?

This is a lot more complicated.

First, no, Apple does not review the “source code.” Typically developers will submit compiled code to Apple for review. Therefore, Apple does not have access to the “source code” and therefore they could not review it even if they wanted to.

So, then, do they manually review each app? No. As I understand it, they have automated tools which review every app. Sometimes, something in their automated tools may trigger a manual review, or perhaps when they receive complaints about an already approved app, they may manually review, but we should never assume an app available on the app store has been manually reviewed. There are way too many apps; Apple would never be able to provide enough man hours to manually review every app.

So how effective are these automated tools? From the outside we don’t really know. But from the various reports we have received from different developers, it seems that the tools are more effective with some things and not so effective with others. For that matter, it is clear that some unscrupulous developers have intentionally faked out the tools. For example, they may cause their app to behave differently for the first so many hours/days after it is installed but only run harmful code after the review process would be completed. While these sorts of things are certainly not the norm, they do happen and we can’t automatically trust every app that is in the store.

Of course, no man-made tool is perfect and so even if a developer is not intentionally trying to trick the review process, there is no guarantee that every potentially harmful scenario will be detected. And even when an automated review triggers a manual review, there is no guarantee that the human reviewer will always catch every potential problem.

4 Likes

No. They will certainly analyze the binary file uploaded from the developer, which allows them to catch the usage of libraries --native APIs, or third party SDKs-- that do not exactly match the intended app description like in “If your app is an ecommerce frontend, why does it need to access the microphone?” and stuff like that. But if the app sends data to another service, it’s not like Apple will exactly technically know what that service is doing with your data.

And of course this only includes malicious developers; it does not include source code bugs that would create vulnerabilities from well-intentioned developers.

Given the above, no. But they are safer than downloading them from some unknown developer’s website or Github repository, I believe.

2 Likes
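The kind of mismatch check the answer above describes (an app requesting a capability its stated purpose does not explain) can be approximated from the outside by reading an app bundle's Info.plist, which is where iOS privacy usage-description keys live. The following is an added example, not code from the thread or from Apple's review tooling; the per-category expectations, the sample Info.plist and the bundle identifier `com.example.shopdemo` are constructed assumptions for illustration.

```python
import plistlib

# Real Info.plist privacy keys and the capability each one unlocks.
# (A subset; the key names are Apple's, the mapping to a short label is ours.)
PRIVACY_KEYS = {
    "NSCameraUsageDescription": "camera",
    "NSMicrophoneUsageDescription": "microphone",
    "NSLocationWhenInUseUsageDescription": "location",
    "NSLocationAlwaysAndWhenInUseUsageDescription": "location",
    "NSContactsUsageDescription": "contacts",
    "NSPhotoLibraryUsageDescription": "photos",
    "NSBluetoothAlwaysUsageDescription": "bluetooth",
    "NSHealthShareUsageDescription": "health",
}

# Assumed expectations per app category: which capabilities a reviewer would
# consider plausible for that kind of app. This is our own table, not Apple's policy.
EXPECTED_CAPABILITIES = {
    "ecommerce": {"camera", "photos"},   # barcode scanning, product photos
    "vpn": set(),                        # a tunnel needs none of these
    "fitness": {"location", "health"},
}

# Constructed sample: a shopping app that also asks for microphone and contacts,
# with weak or empty justification strings.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.shopdemo</string>
    <key>NSCameraUsageDescription</key>
    <string>Scan product barcodes.</string>
    <key>NSMicrophoneUsageDescription</key>
    <string>Required.</string>
    <key>NSContactsUsageDescription</key>
    <string></string>
</dict>
</plist>
"""


def requested_capabilities(plist_bytes):
    """Map each capability the app asks for to the plist keys that request it."""
    info = plistlib.loads(plist_bytes)
    caps = {}
    for key, cap in PRIVACY_KEYS.items():
        if key in info:
            caps.setdefault(cap, []).append(key)
    return caps


def unexpected_capabilities(plist_bytes, category):
    """Capabilities requested that the assumed category table does not explain."""
    expected = EXPECTED_CAPABILITIES.get(category, set())
    return sorted(cap for cap in requested_capabilities(plist_bytes) if cap not in expected)


def weak_justifications(plist_bytes, min_length=10):
    """Privacy keys whose usage-description string is empty or too short to justify access."""
    info = plistlib.loads(plist_bytes)
    return sorted(
        key for key in PRIVACY_KEYS
        if key in info and len(info[key].strip()) < min_length
    )


def review_report(plist_bytes, category):
    """Combine both checks into a structured finding for a reviewer to read."""
    return {
        "bundle_id": plistlib.loads(plist_bytes).get("CFBundleIdentifier"),
        "category": category,
        "unexpected": unexpected_capabilities(plist_bytes, category),
        "weak_justifications": weak_justifications(plist_bytes),
    }


if __name__ == "__main__":
    for finding, value in review_report(SAMPLE_INFO_PLIST, "ecommerce").items():
        print(f"{finding}: {value}")
```

On the sample, the camera request passes (an ecommerce app scanning barcodes is plausible) while microphone and contacts are flagged, along with the two usage strings that do not explain anything. A check like this only surfaces declared capabilities; as the answer notes, it says nothing about what a backend service does with data the app sends out.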

For the first, Apple review the apps, but not necessarily every line of code. I’ve no doubt they have automated testing for security and automated code reviews.

For the second, nothing is 100% secure and anyone who flat out says that the product they provide is either doesn’t know what they’re talking about or is lying. Many, many factors can have an impact on the security of a product, from the written code which makes up the app, to the infrastructure which hosts it, to the servers which hold data and provide connectivity. People are the biggest risk from a security perspective; all it takes is for someone to make a mistake and this can cause a vulnerability somewhere in the product or its hosting.

In the example of VPN you provide, the app could be secure (as far as anything can be) but yes, the company is potentially profiling your traffic to provide information which targets adverts at you.

In the end, if something is free, you have to think about why that is the case, and in many scenarios, you become the product i.e. they’re making money off you rather than the app.

1 Like