Apple has revealed that in 2020 it blocked potentially fraudulent transactions worth more than $1.5 billion on its App Store. The company says it prevented the theft of money, confidential data and users’ time, and kept nearly 1 million “risky and vulnerable” new apps away from customers.
“Threats have been present since the first day the App Store launched on iPhone and they have increased in both scale and sophistication in the years since,” Apple said.
“It takes significant resources behind the scenes to ensure these bad actors can’t exploit users’ most sensitive information, from location to payment details.”
Launched in 2008, the App Store is home to more than 1.8 million apps and is visited by over half a billion people each week across 175 countries. Sales worth $519bn were facilitated through the platform in 2019, consulting firm Analysis Group revealed in a June study supported by Apple.
Last year, the company said more than 180,000 new developers launched their apps on its platform, which had 1.5 billion active devices, compared to 1.4 billion in 2019. But with increased usage of apps, security threats have also grown.
App Review
The App Review team is an essential line of defense, carefully reviewing every app and every update to ensure they adhere to the App Store’s strong guidelines on privacy, security, and spam. The guidelines have changed over time to respond to new threats and challenges, with the goal of protecting users and providing them with the very best experience on the App Store.
Apple’s goal is always to get new apps onto the store. In 2020, the team assisted more than 180,000 new developers in launching apps. Sometimes this takes a few tries. An app might be unfinished or not functioning properly when it’s submitted for approval, or it might not yet have a sufficient mechanism for moderating user-generated content. In 2020, nearly 1 million problematic new apps, and an additional nearly 1 million app updates, were rejected or removed for a range of reasons like those.
A smaller but significant set of these rejections was for egregious violations that could harm users or deeply diminish their experience. In 2020 alone, the App Review team rejected more than 48,000 apps for containing hidden or undocumented features, and more than 150,000 apps were rejected because they were found to be spam, copycats, or misleading to users in ways such as manipulating them into making a purchase.
Some developers perform a bait and switch: fundamentally changing how the app works after review to evade guidelines and commit forbidden and even criminal actions. When such apps are discovered, they are rejected or removed from the store immediately, and developers are notified of a 14-day appeals process before their accounts are permanently terminated. In 2020, about 95,000 apps were removed from the App Store for fraudulent violations, predominantly for this kind of bait-and-switch manoeuvre.
In just the last few months, for example, Apple says it has rejected or removed apps that switched functionality after initial review to become real-money gambling apps, predatory loan issuers, and pornography hubs; used in-game signals to facilitate drug purchasing; and rewarded users for broadcasting illicit and pornographic content via video chat.
Another common reason apps are rejected is that they simply ask for more user data than they need, or mishandle the data they do collect. In 2020, the App Review team rejected over 215,000 apps for those sorts of privacy violations. Even with these stringent review safeguards in place, with 1.8 million apps on the App Store, problems still surface.
Users can report problematic apps by choosing the Report a Problem feature on the App Store or calling Apple Support, and developers can use either of those methods or additional channels like Feedback Assistant and Apple Developer Support.
Fraudulent Ratings and Reviews
App Store ratings and reviews help many users decide which apps to download, and developers rely on them to incorporate new features that respond to user feedback. Apple relies on a system that combines machine learning and human review by expert teams to moderate these ratings and reviews, to help ensure accuracy and maintain trust. In 2020, Apple processed over 1 billion ratings and over 100 million reviews, and over 250 million ratings and reviews were removed for not meeting moderation standards.
Apple also recently deployed new tools to verify rating and review account authenticity, to analyse written reviews for signs of fraud, and to ensure that content from deactivated accounts is removed.
Account Fraud
Sometimes developer accounts are created entirely for fraudulent purposes. If a developer violation is egregious or repeated, the offender is expelled from the App Store Developer Program and their account terminated. Apple terminated 470,000 developer accounts in 2020 and rejected an additional 205,000 developer enrolments over fraud concerns, preventing these bad actors from ever submitting an app to the store.
Despite fraudsters’ sophisticated techniques to obscure their actions, Apple’s aggressive monitoring means these accounts are terminated, on average, less than a month after they are created. Apple’s work to ensure the safety of users who download apps extends even beyond the App Store. Over the last 12 months, Apple found and blocked nearly 110,000 illegitimate apps on pirate storefronts. These storefronts distribute malicious software often designed to resemble popular apps — or that modify popular apps without their developers’ authorization — while circumventing the App Store’s security protections.
And in just the last month, Apple blocked more than 3.2 million instances of apps distributed illicitly through the Apple Developer Enterprise Program. The program is designed to allow companies and other large organizations to develop and privately distribute internal-use apps to their employees that aren’t available to the general public. Fraudsters attempt to distribute apps via this method to circumvent the rigorous App Review process, or to implicate a legitimate enterprise by manipulating an insider to leak credentials needed to ship illicit content.
In addition to fraudulent developer accounts, Apple works to identify and deactivate fraudulent user accounts. In 2020 alone, Apple deactivated 244 million customer accounts due to fraudulent and abusive activity. In addition, 424 million attempted account creations were rejected because they displayed patterns consistent with fraudulent and abusive activity.
Payment and Credit Card Fraud
Financial information and transactions are some of the most sensitive data that users share online. Apple has invested significant resources in building more secure payment technologies like Apple Pay and StoreKit, which are used by more than 900,000 apps to sell goods and services on the App Store. For example, with Apple Pay the actual credit card number is never shared with merchants; a device-specific account number is used in its place, eliminating a risk factor in the payment transaction process.
With online data breaches frustratingly common, these protections are an essential part of keeping users safe. But users may not realize that when their credit card information is breached or stolen from another source, fraudsters may turn to online marketplaces like the App Store to attempt to purchase digital goods and services that can be laundered or used for illicit purposes.
Apple says it focuses relentlessly on this kind of fraud as well. In 2020 alone, the combination of sophisticated technology and human review prevented more than 3 million stolen cards from being used to purchase goods and services, and banned nearly 1 million accounts from transacting again. In total, Apple protected users from more than $1.5 billion in potentially fraudulent transactions in 2020.