Apple reports on its forever war against App Store fraud

news analysis
May 14, 2024 | 6 mins
Apple, Application Security, Mobile

Apple prevented over $1.8 billion worth of potential fraud in 2023 alone — that’s up 20% in four years.


Apple’s ongoing fight against App Store fraud means the company has prevented in excess of $7 billion in potential fraudulent transactions in the last four years. This makes it pretty clear that fraud is a big business, and everyone should be aware of the threat.

The growing App Store fraud business

The company today released its fourth annual report into App Store fraud, and it sheds real light onto the scale of the problems Apple faces:

  • In 2023, Apple prevented over $1.8 billion in potential fraud — up 20% since it first published an App Store fraud report in 2020 — and it blocked over 14 million stolen credit cards.
  • The company stopped 3.3 million accounts from transacting again. 
  • Apple rejected more than 1.7 million app submissions during the year — not just for fraud, but for privacy and security failures, or poor/copied content.
  • The company terminated nearly 374 million developer and customer accounts and removed around 152 million ratings and reviews over fraud concerns.
  • Apple stopped more than 3.5 million stolen credit cards from being used to make fraudulent purchases in 2023.

These data points should serve as a warning signal to anyone in the app distribution business around the Apple ecosystem. They prove that significant attempts are regularly made to undermine personal and platform security.

How Apple protects the App Store

Apple’s App Store is protected by a range of human and automated systems, including app review and malware checks. Apple says its 500-strong app review team checks around 132,500 apps every week.

The company’s systems also identify fraudulent customer and developer accounts, which often go hand in hand, with developers crafting convincing customer reviews to create trust in their apps. “These accounts tend to be bots that are created for the purposes of spamming or manipulating ratings and reviews, charts, and search results, which threaten the integrity of the App Store and its users and developers,” Apple explained.

The company also works to combat “fleeceware” apps, software that is relatively innocuous, but costs an unreasonable amount of money. The company’s developer notes warn against these: “We’ll reject expensive apps that try to cheat users with irrationally high prices,” Apple says.

What risks exist as third-party stores open in Europe?

As the first third-party iOS App Stores prepare to open for business in the EU, Apple’s report must be seen as a checklist for protection. Not only should alternative stores invest in robust monitoring against such attacks, but would-be customers must review what protections exist before sharing payment or any other details with them.

People using these stores will need to protect system security against malware and must also take the time to ensure any apps they do install are what they say they are. For example, we all know the market for people’s private data is vast. Apple has sung a mostly solo song about this and has made major investments to protect customer privacy and explain why it matters. 

There’s quite clearly a market in grabbing your data. And given that not every App Store is like the other, customers will need to check each store’s privacy policy to ensure it is in line with what they expect. That’s particularly true since the Federal Trade Commission received roughly 1 million reports of identity theft last year.

Attackers are smart and sophisticated

The sophistication of attacks is also a matter of concern, particularly following a recent SonicWall Capture Labs report that explains how Android users face a scourge of malware-infested imposter apps — apps that pretend to be legitimate apps like Instagram, but are in fact socially engineered attacks.

Apple notes similar attempts. It said its teams have prevented some attempts in which fraudsters try to distribute what seem to be completely harmless puzzle apps that, once approved, actually turn out to be something completely different, including illegal gambling and predatory loans.

Perhaps more frightening, particularly to less-experienced users, Apple said its App Store fraud teams have encountered financial service apps “involved in complex and malicious social engineering efforts designed to defraud users, including apps impersonating known services to facilitate phishing campaigns and that provided fraudulent financial and investment services.” 

It’s important to understand the scale of these attempts. Building apps costs time and money, so it matters that Apple removed/rejected around 40,000 apps engaged in such ‘bait and switch’ attempts last year. Anyone opening an alternative app store must be prepared to protect against such attacks.

It’s also worth pointing out that Apple has prevented more than 47,999 illegitimate apps available on what it calls “pirate storefronts” from reaching customers. This also protects developers against illegally cloned apps, or genuine apps into which malware has been woven.

Fighting the fight

There are lots of opinions concerning Apple’s struggles to protect App Store and customer security. While millions of customers seem pretty happy with it, some argue that Apple uses the fact it offers the safest online storefront as a competitive advantage. That’s not much of an argument.

Hopefully, future independent stores will turn out to be just as committed to user security as Apple seems to be, because it looks as if tens of thousands of rogue fraudsters will be testing those stores to identify any weak points in security. Apple, meanwhile, continues to invest in tools and initiatives to address the ever-changing threat landscape. Be careful out there.


Jonny Evans
