System and Security Info App - What happened?

A few weeks after releasing our App "System and Security Info" in the iOS AppStore it is time to review what happened in the meantime.

tl;dr

The App was a huge success with more than 50,000 downloads within the first week. Then Apple removed the app from the AppStore and left us with no reasonable way to provide updates.

Intro

The :doc:"System and Security Info" App(or short "SysSecInfo") was originally written to allow expert and non-expert users alike to check their iPhones for jailbreaks. The result was shown with technical details in order to pinpoint what exactly may or may not be a security problem. So, instead of just showing "Jailbreak: YES/NO", there was a complete list of security related checks and their results. Suspicious results were called 'anomalies'.

Apart from showing some basic system information such as memory and CPU usage, the App was able to show a process list. Even though it was technically possible to request and show a process list and the APIs used were not private, but rather not well documented, no other App seemed to be able to do the same.

Apparently the App hit a nerve both for users and Apple alike. Ordinary users who legitimately bought and own their iPhone suddenly had a tool at their disposal to inspect certain security related aspects of its operating system. Of course, if you jailbroke your phone, your would know about it. On the other hand, wild scenarios where the tool might come in handy range from jealous husbands installing spyware on their wife's phone to states spying on political dissidents or whistleblowers.

So, what happened with the App and Apple? The following timeline outlines the facts:

Timeline

Note: Dates are written as DD.MM(.YYYY)

  • 28.4.2016 - v1.0 waiting for review

  • 4.5. - v1.0 approved. pending developer release

  • 4.5. - v1.0.1 waiting for review

  • 5.5. - v1.0.1 approved. ready for sale

  • 6.5. - v1.0.2 waiting for review

  • 7.5. - v1.0.2 approved. ready for sale

  • 9.5. - public announcement and press release

  • 9.5. - We received a few support requests due to "injected libraries".

  • 9.5. - v1.0.3 in review

  • 9.5. - 14.5.

    • The App reached No. 1 in "Top paid apps" in relevant stores (US + EU) within hours.

    • Received numerous support requests due to "injected libraries" - most with screenshots.

    • Received four requests for promo codes: one blogger sent 3 reminders/followups - the first reminder 6 minutes after the initial request

    • Received offer to make a German translation (for free?)

    • Received 7 emails about one typo

    • The App got bad reviews:

      • Missing documentation about 'injected libraries': The issue was already fixed, but we are still waiting for Apple to complete the review.

      • Apparently our website's contact form must be insecure, because we link our PGP-key next to the web contact form and that person does not know how to use PGP/GPG.

    • Read rumours (on twitter) that our App may be using private APIs, which is not the case as opposed to many other apps

    • Received request via contact form to reply with an email address (which is easily visible right above the contact form)

    • Received threat to tip off Apple about private API calls, unless the secret behind the process list is revealed

  • 14.5. - Fraud App stole our App icon and sold open source App from github for $2.99

  • 14.5. - v1.0.3 was not approved and App removed from AppStore

  • 14.5.-17.5. - A few related/similar apps suddenly appear in the app store

  • 17.5. - Online media report about our App being removed from the AppStore

  • 18.5. - Another fake App makes it into the AppStore. $1.99: Our logo. Our company name. Our support website. Not our App. 'System and Security Info™'

  • 19.5. - Yet another fake App 'System and Security info ® od interpreta Tran Luong'

  • 20.5. - Both revised apps were rejected, one without process list.

  • 20.5. - Sent appeal to stop discrimination.

  • 21.5. - Tran Luong is allowed to continue his scam operation with a different logo.

  • 21.5. - Appeal was declined by Apple.

  • 23.5. - Uploaded "System and Security Info - Censored Edition" with all useful features disabled - in review

  • 24.5. - Apple kills process list with iOS 9.3.3 beta.

  • 25.5. - The Censored Edition is rejected because we wrote that jailbreak detection and process list are no longer available.

  • 20.6. - One App in the AppStore changes its logo to our App's logo. And another fake App appears in the AppStore. A content dispute was opened for both apps.

  • 28.6. - Apple removed both fake apps from sale.

Details

On May 14th 2016 Apple removed our App from the AppStore. This is what Apple wrote via iTunes Connect:

Upon re-evaluation, we found that your app is not in compliance with the App Store Review Guidelines. Specifically, we found:

2.19: Apps that provide incorrect diagnostic or other inaccurate device data will be rejected

22.2: Apps that contain false, fraudulent or misleading representations or use names or icons similar to other Apps will be rejected

For this reason, your app will be removed from sale on the App Store at this time.

...

2.19 Details/22.2 Details

We noticed that your app provides potentially inaccurate and misleading diagnostic functionality for iOS devices to the user. Currently, there is no publicly available infrastructure to support iOS diagnostic analysis. Therefore your app may report inaccurate information which could mislead or confuse your users. We encourage you to review your app concept and incorporate different content and features that are in compliance with the App Store Review Guidelines.

Later with our attempt to update the App, the following comment was sent with the rejection:

Specifically, we found that the app and app metadata contains references to jailbreak and anomaly detection. Since iOS does not provide public APIs to support this detection, the feature must be removed from your app and app metadata.

Furthermore, as we also discussed on our previous call May 14, the app is also violating our user privacy policy by using low-level API calls to replicate functionality that we have removed from iOS. This feature must also be removed from your app.

The second paragraph is a subtle reference to the process list. So we decided to try again with a 'Lite' version of the app without process list. It comes as no surprise, that this app was rejected as well.

After a few iterations of back and forth between Apple and us we decided to try another approach and actually remove both process list and jailbreak detection. The new App named "System and Security Info - Censored Edition" was rejected, too, with the following comment:

We noticed that your app's metadata includes the following information, which is not relevant to the application content and functionality:

App icon: See attached icon

App name: System and Security Info - Censored Edition

App description: Features no longer included: + Jailbreak detection + Security anomaly detection + Malware detection + Process List

The one question remains unanswered even to this day: Why are other apps allowed to incorporate jailbreak detection into their apps, e.g. most banking apps? This is discrimination. At one point Apple even argued that we should report other apps that provide such features. (Of course they did not actually want us to submit a list of Apps.)

Speculations

Apple tends to treat security issues as marketing issues. The brand must be protected. Products are augmented with a shiny dream reality where everything just works and problems do not exist. There are no security problems, so there is no need to check for security problems. The fact that an App claims to discover security problems and the fact that this App went to no. 1 on the "Top paid Apps" list of EU and US AppStores within a few days does not conform to their marketing view.

This question comes to mind: Apart from Apple, who would benefit from removing our App from the AppStore?

  • Criminals / Black Hat Hackers: If undetected, it is far easier to successfully launch an attack on any number of iPhones to spread malware, spyware and other fraudulent software.

  • Government Agencies: If for whatever unlikely reason a government agency with virtually unlimited resources wants to secretly install software on your iPhone, it is definitely much easier to do so without you having a tool that can detect suspicious behaviour and allows users to view code signing information. Interesting side fact: Every software download from Apple is uniquely customised for your specific download and in most cases associated with your Apple account. It would technically be possible to deliver somehow customised software to a specific target phone.

Suffice it to say, that white hat hackers, security researchers and ordinary users are not on the list.

Support requests

Starting from the release of our software we have received quite a number of support requests. Most users wanted to know how to interpret the results of our jailbreak detection. Since we were not allowed to update the software, we put a detailed description onto our support website.

Some of the remaining questions (italic) and our comments are worth mentioning here:

  • Typos, enhancements and feature requests: Again, we cannot update the App. All effort put into improving the app would be wasted entirely.

  • We received a few emails like My neighbour/wife/employer/"they"... installed something on my iPhone. I always suspected that I'm being followed.... Of course, we have the perfect solution. However it is unclear to me how we can provide assistance or even reveal our solution with a world conspiracy undermining our every action. The irony may have been lost in a reply, so we left these messages unanswered.

  • The App is not available in German/other languages.: We cannot update the App.

  • a utehr,hs ut rchsrcoh.su,rc u. (Questions in foreign languages): nuqneH. qatlho' email. (Answer in Klingon)

  • Feature XY is not working anymore with iOS XYZ: Well, we are aware, but we cannot update the App.

Conclusion

Concerning the short life of our App, it mostly boils down to this: The iOS AppStore basically acts like a monopoly for iOS apps. There is only one AppStore for iOS. We have no legal or other means to force our App into the AppStore. That's it.

We put a lot of time and effort into building a really useful security monitor for iOS. About 50,000 users agreed with us and bought the App, which barely covered our development costs. (You should keep in mind that Apple keeps 30%.) The whole experience of having your work removed from the AppStore for arbitrary reasons was not entirely unexpected, but it was probably worth the effort anyway. We learned a lot about how to communicate with a lot of supporting users. And in addition to learning about the AppStore release process, the whole project gave us a good baseline for future apps.

Ben Fuhrmannek