27 comments

[ 2.3 ms ] story [ 78.0 ms ] thread
How does this even work? The iOS pop-up should have priority over any attempts for the app to block pressing areas of the screen.
You’d think!

This is not just possible, it's actually extremely easy to do.

Hoping to share a proof of concept soon.

Any app developer tampering with this should get their app pulled out of the App Store, this is unacceptable.
Yes. And it's even more unacceptable that the system is vulnerable to this kind of tampering.
No, it’s not.
What is not?
“Even more unacceptable…”

It’s not more unacceptable for an exploit to exist than it is for the exploit to be used. One is a risk, the other is actively attempting to do harm.

Yes. The review dialog should be shown by the system and the app itself should have no way of tampering with it.

This should be the case for all such interactions, including permissions, image library selection etc.

I realize APIs are hard to change but this is one of the cases where I think Apple should just fix it even if it bricks well-behaved apps until they can be patched (which could be never).

It’s cheating so they should have their developer account banned with all their apps.
knowing how dealing with the ios support goes, i doubt this will happen any time soon.
I'm surprised this alert isn't presented from SpringBoard to prevent tampering
are they putting transparent UI elements over the rating dialog and absorbing the taps? that's happened before in other platforms. not mobiles, but web browsers.
Yes but even Microsoft got the UAC dialog right...no user mode program can hijack it. For a company like Apple, this is laughably bad.
Can you describe it in words before the proof?
Since the user didn't show what happens when the submit button is pressed, I'm keen to believe that the pop-up is just a fake gimmick that just leads to the App Store to have the user write the review and rate the app manually.
It’s described how it’s the system dialog and not a fake.
Not an IOS developer, but I think they are not blocking the buttons, just asking for the review in a loop. To avoid being caught by the App Store approval process, probably this is controlled by a feature flag enabled after a call to a remote endpoint.
You can only present this alert 3 times a year. Also, you cannot configure it to have a rating already set. Also, when the alert is presented, it is animated. You would see the animation if it were in a loop.
Nothing like making full use of the first time then.
And also developer cannot check how many times it has already been shown.
Given that this exploit seems to watch for the window appearing, they probably can count. They could store a count somewhere and increment the saved count when they see the window.
I can confirm this, as an iOS developer.
Someone send this to the Epic lawyers. Although I feel like Epic already has enough evidence of how robust Apple's app store review process it.
Very curious if this comment thread can accumulate other examples. I’d be spitting mad if it were an app that I wanted to use and I now had to claw back a fee for.
The linked Twitter account seems to be doing this full time for the last few months, worth checking out his feed.
"It looks like the app is using the native review dialog, then observing windowDidBecomeVisible: for the container window that’s rendered in-process, and putting something on top of that to prevent interactions other than five-star reviews."

From https://twitter.com/_inside/status/1397540108971266049