The most popular "privacy" tool in Apple's Mac App Store was stealing users' browsing history and sending it to China


Hah, classic security stupidity - the app connects over HTTPS (It’s secure! 256 bitseseses! Banking grade!), but doesn’t check the certificate. So the authors of this analysis could trivially intercept its connection.


I am becoming convinced that Apple tests nothing.


[Too lazy to look up gif of Tim Cook sneering and shrugging]



Followed by this:

You’re either contradicting yourself or you are, in that second excerpt, adding copy which is neither here nor there regarding what looks to be the claim that Apple says the Mac Store is the safest place to download apps, but behold, here is evidence that it is not!


I saw this:

… Apple operates for Ios users …

And immediately thought of the Discworld god Blind Io.

I sure miss you, Mr. Pratchett.

On topic: I hate the App Store. It’s clunky to use, hard to find some things even when you have the exact name, and chock full of shady nonsense. With the latest version, they’ve buried your purchases behind an extra step – it used to be a tab option.

They are either banning things they shouldn’t be banning, or letting things go that they should be banning. It should have the word “clusterfuck” servicemarked.

There may be worse options, but there should be better ones by this point.


You all just misread the punctuation. Not this:

The best anti (adware & malware) app

but this:

The best (anti adware) & (malware app)


If you ever submit to the app store, you’ll quickly learn that a lot of the difference in ‘security’ between it and Google Play is marketing. Most of the testing is clearly a bunch of scripts checking for red flags inside the package, just like Play. There IS a human involved, but the time they spend testing is like, two minutes. If your app isn’t obviously doing something strange or against the rules they’re not likely to notice.

People for some reason think Apple does code reviews too, I can assure you they don’t.

That said, that two minutes does make some difference. If your package asks for a permission and there’s no obvious reason for it, they may flag you for it and ask what’s up. The totally automated approach Play takes isn’t really capable of doing that kind of thinking, so on the App Store you’d at least need your borderline-malware to have some kind of justification for wanting account data, or whatever. This does raise the bar.


Well, unless you count testing how many Apple hardware products thieves can steal in under a minute.


The other day the iOS App Store reviewers rejected my binary on the grounds that they had no idea how and why we use Bluetooth Low Energy, and would I please submit to them a video demonstrating our hardware. So I went and created a really genuinely crappy video demo and sent them the link, and the app was approved 15 minutes later.

(Edit: I’ll post a link to the horrible video if anyone’s interested)


I use Android so I knew my information would be stolen up front. Saves me a lot of grief.


I remember a line from 1984. “Always assume you’re being spied on, the only safe place is x amount of centimetres in your skull” (Paraphrased, 1984.)

Yes, please do!

Not to mention you get to pay extra for cross platform apps for using the „curated“ app store, and get to wait longer for updates because they go through the curation process, whatever that may be. Apple is going off the rails, I am done with it for now.

Cory is the Daily Mail of boingboing

Is the app in the OP really more popular than Signal?
