Yes. The review dialog should be shown by the system and the app itself should have no way of tampering with it.
This should be the case for all such interactions, including permissions, image library selection etc.
I realize APIs are hard to change but this is one of the cases where I think Apple should just fix it even if it bricks well-behaved apps until they can be patched (which could be never).
are they putting transparent UI elements over the rating dialog and absorbing the taps? that's happened before in other platforms. not mobiles, but web browsers.
Since the user didn't show what happens when the submit button is pressed, I'm keen to believe that the pop-up is just a fake gimmick that just leads to the App Store to have the user write the review and rate the app manually.
Not an IOS developer, but I think they are not blocking the buttons, just asking for the review in a loop. To avoid being caught by the App Store approval process, probably this is controlled by a feature flag enabled after a call to a remote endpoint.
You can only present this alert 3 times a year. Also, you cannot configure it to have a rating already set. Also, when the alert is presented, it is animated. You would see the animation if it were in a loop.
Given that this exploit seems to watch for the window appearing, they probably can count. They could store a count somewhere and increment the saved count when they see the window.
Very curious if this comment thread can accumulate other examples. I’d be spitting mad if it were an app that I wanted to use and I now had to claw back a fee for.
"It looks like the app is using the native review dialog, then observing windowDidBecomeVisible: for the container window that’s rendered in-process, and putting something on top of that to prevent interactions other than five-star reviews."
27 comments
[ 2.3 ms ] story [ 78.0 ms ] threadThis is not just possible, it's actually extremely easy to do.
Hoping to share a proof of concept soon.
It’s not more unacceptable for an exploit to exist than it is for the exploit to be used. One is a risk, the other is actively attempting to do harm.
This should be the case for all such interactions, including permissions, image library selection etc.
I realize APIs are hard to change but this is one of the cases where I think Apple should just fix it even if it bricks well-behaved apps until they can be patched (which could be never).
They are blocking the buttons. https://twitter.com/_inside/status/1397540108971266049
From https://twitter.com/_inside/status/1397540108971266049