Apple takeover bug fixed as iOS VPN Apps revealed to be ‘fleeceware’

News by SC Staff

A researcher reports that Apple paid him a US$ 100,000 (£80,000) bug bounty for finding a vulnerability in its Sign in with Apple feature, as three apps in Apple’s App Store are found to be ‘fleeceware’.

Just as a security researcher reports Apple paying him a US$ 100,000 (£80,000) bug bounty for finding a vulnerability in its Sign in with Apple feature, it is being reported that three apps in Apple’s App Store - with almost 800,000 downloads between them - overcharge users and do not provide the services they claim.

The three fraudulent iOS VPN apps attempting to scam users are available on the Apple App Store as Beetle VPN, Buckler VPN, and Hat VPN Pro. The researchers at Avast who made the discovery cite data from Sensor Tower, a mobile apps marketing intelligence and insights company, showing that the apps were downloaded more than 420,000, 271,000, and 96,000 times, respectively, between April 2019 and May 2020.

The apps claim to be VPN apps, charging US$ 9.99 (£7.87) a week for a weekly subscription once their free three-day trial expires. The apps all have high ratings, ranging from 4.6 to 4.8, and include enthusiastic reviews, all similarly written, which Avast suspects may be fake. In between the rave reviews are a few reviews warning of the scams. The apps’ privacy policies also share very similar language and structure.

Links to the apps’ privacy policies:

Buckler VPN: https://bucklervpn.com/policy.html

Hat VPN: https://hatvpnpro.com/data-policy.html

Beetle VPN: https://beetlevpn.com/data-policy.html

Avast researchers installed the three apps and successfully purchased subscriptions to each; however, when they tried to use the VPNs, the apps only presented the subscription options again. On attempting to purchase again, the researchers were told they already had a subscription, and so were unable to establish a VPN connection with any of the apps.

“Fleeceware apps fall into a gray area, because they are not malicious per se, they simply charge users absurd amounts of money for weekly, monthly or yearly subscriptions for features that should be offered at much lower costs. In this case, the VPNs are being sold for US$ 9.99 (£7.87) a week, when trustworthy VPNs cost ten times less,” said Nikolaos Chrysaidos, head of mobile threats and security at Avast. “These apps are not behaving maliciously so they circumvent screening processes to be added to the official app stores that users trust. With many people turning to VPN apps to protect their data while working remotely, this illustrates how important it is for users to research VPN apps before installing them, including who is behind the product, their track record with other products and user reviews, and experience in offering security and privacy apps.”

Avast advises that, to recognise fleeceware apps, users should be wary of reviews that look fake, such as multiple users leaving a review like “Exciting” or “My love”, and look out for genuine reviews revealing that the app does not actually work, or charges users large sums of money without their knowledge. Fleeceware apps typically offer a free three- to seven-day trial, but can require users to enter their payment information before the trial begins, and automatically charge users unreasonable sums of money after the trial ends.

They add that users should carefully note what happens when an app’s free trial period ends and how much the app will then charge, and check whether that charge will be deducted from their card automatically on an ongoing basis unless they cancel the subscription.

As to the fix for the sign-in vulnerability, researcher Bhavuk Jain explained in a 30 May blog post how he detected a bug that could have fully compromised third-party user accounts, regardless of whether or not users had a valid Apple ID. Jain explained that the computer company’s sign-in works similarly to OAuth 2.0, and that there are two ways to authenticate a user: 1) with a JWT (JSON Web Token), or 2) with a code generated by the Apple server, which is then exchanged for a JWT.

“In the second step, while authorising, Apple gives an option to a user to either share the Apple email ID with the third-party app or not. If the user decides to hide the email ID, Apple generates its own user-specific Apple relay email ID. Depending upon the user selection, after successful authorisation, Apple creates a JWT (JSON web token) that contains this email ID, which is then used by the third-party app to log in a user.”

Jain found that he could request a JWT for any email ID from Apple’s servers, and that these tokens verified as valid against Apple’s public key. An attacker could therefore obtain a JWT bound to a victim’s email ID and present it to a third-party app to take over the victim’s account there.
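The following Go program is an added illustration of the identity-token step described above; it is not code from Jain’s post or from Apple’s implementation. It shows both sides of the exchange: an identity provider signing a JWT that carries an email claim with ES256, and a third-party app verifying the signature against the provider’s public key and then checking the issuer, audience and expiry claims. The issuer URL, app identifier, key and email addresses are hypothetical stand-ins (a real app would fetch Apple’s public key from its key endpoint). The point it makes is the one Jain’s finding turns on: a valid signature proves only that the provider signed those claims, so a token the provider wrongly minted for a victim’s email passes every check the app can make, whereas a token whose email is altered after signing is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims: the identity-token claims the relying party checks; email is the one Apple places in the token.
type Claims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Email string `json:"email"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// MintToken plays the identity provider: ES256 (ECDSA P-256 over SHA-256) of
// header.payload, with the signature serialised as r||s (64 bytes).
func MintToken(key *ecdsa.PrivateKey, c Claims) (string, error) {
	payload, _ := json.Marshal(c) // plain struct of strings and an int: cannot fail
	input := b64([]byte(`{"alg":"ES256","typ":"JWT"}`)) + "." + b64(payload)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64(sig), nil
}

// VerifyToken plays the third-party app: pin the algorithm, verify the signature with
// the provider's public key, then check iss, aud and exp. Success proves only that the
// provider signed these claims, not that the bearer controls the email they contain.
func VerifyToken(pub *ecdsa.PublicKey, tok, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hb, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	pb, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, err3 := base64.RawURLEncoding.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil || len(sig) != 64 {
		return nil, errors.New("bad base64url segment or signature length")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, errors.New("header unparsable or alg not ES256") // never honour alg from the token alone
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("signature invalid")
	}
	var c Claims // parse claims only after the signature has been verified
	if json.Unmarshal(pb, &c) != nil || c.Iss != wantIss || c.Aud != wantAud || now.Unix() >= c.Exp {
		return nil, errors.New("claims unparsable or iss, aud or exp check failed")
	}
	return &c, nil
}

// RunScenario mints a token for victim@example.com under a fresh provider key and reports
// whether the app accepts it, and whether it rejects the same token once the email claim
// is swapped without re-signing. Issuer and app identifiers are hypothetical.
func RunScenario() (issuedAccepted, tamperedRejected bool, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	now := time.Unix(1600000000, 0) // fixed clock, so the outcome is deterministic
	c := Claims{Iss: "https://idp.example", Aud: "com.example.app", Exp: now.Unix() + 600, Email: "victim@example.com"}
	tok, err := MintToken(key, c)
	if err != nil {
		return false, false, err
	}
	// Whatever email the provider chose to sign, the token passes: a flaw in issuance is invisible here.
	_, err = VerifyToken(&key.PublicKey, tok, c.Iss, c.Aud, now)
	issuedAccepted = err == nil
	c.Email = "attacker@example.com" // re-encode the payload but keep the old signature
	pb, _ := json.Marshal(c)
	parts := strings.Split(tok, ".")
	_, err = VerifyToken(&key.PublicKey, parts[0]+"."+b64(pb)+"."+parts[2], c.Iss, c.Aud, now)
	return issuedAccepted, err != nil, nil
}

func main() {
	ok, rejected, err := RunScenario()
	fmt.Println("issued token accepted:", ok, "| tampered token rejected:", rejected, "| error:", err)
}
```

Run it with `go run .`; the issued token is accepted and the tampered one rejected. The algorithm is pinned before the signature is checked, and the claims are parsed only after it, so neither a header-supplied `alg` nor an unsigned payload can steer the verifier.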

Jain reported that Apple investigated its logs and did not identify any misuse or account compromise due to the vulnerability. 

Jake Moore, cybersecurity specialist at ESET, commented by email to SC Media UK on the serious flaw being uncovered thanks to a bug bounty programme: “Bug bounties are an essential way of testing your security and can save a lot of money in the long run. Ideally, an internal department would test the security of a company, but bounties open it up to the whole technology community to become your dedicated full-time CISO, offering full protection. It can be a fantastic way of quickly highlighting your vulnerabilities and ultimately leads to better infosecurity.

"Hiring ethical hackers alongside bug bounty schemes helps to increase the protection of an organisation tenfold. This huge payout by Apple highlights the importance of the vulnerability they found; large companies will pay up when something is overlooked by their own internal developers.”
