Apple Touts Fraud and Abuse Prevention in the App Store

A news release today from Apple appears to shed light on its App Store crime and fraud prevention tactics in 2022 but, much like previous versions, many questions are left unanswered or unexplained. Here is one such paragraph which makes me scratch my head:

“In 2022, nearly 1.7 million app submissions were rejected from the App Store for various reasons, including concerns related to fraud and privacy. In more than one case this year, App Review caught apps using malicious code with the potential to steal users’ credentials from third-party services. In other instances, the App Review team identified several apps that disguised themselves as innocuous financial management platforms but had the capability to morph into another app. Nearly 24,000 apps were blocked or removed from the App Store for bait-and-switch violations such as these in 2022.”

The first statistic here — 1.7 million app rejections — can be contextualized by a stat from the previous paragraph: 6.1 million App Store submissions in the same year. Roughly 28% of submissions were rejected, which is down from over 30% in 2017–2019, and perhaps as high as 40% in 2020. It is hard to read anything into that trend, though: it does not necessarily mean Apple lowered its standards or that developers were more compliant, as both could be true. Also, neither.

Apple also says it stopped “more than one” app that has “the potential” for credential theft. But how many is that? Is it two? Is it fifty? A bigger number would be more fitting for the apparent objective of this kind of report — to explain why iOS software distribution ought to be permitted only through the Apple-administered App Store instead of third-party stores — so the use of “more than one” is conspicuous.

Here is another lump of stats:

“Last year, Apple blocked nearly 3.9 million stolen credit cards from being used to make fraudulent purchases, and banned 714,000 accounts from transacting again. In total, Apple blocked $2.09 billion in fraudulent transactions on the App Store in 2022.”

Good stuff, though I will note Apple’s graphic for this section uses the phrase “potentially fraudulent transactions” — emphasis mine. While it is great news Apple is so careful in this area, it is not as though other payment gateways do not have their own anti-fraud mechanisms.

Again, the unspoken rationale for these news releases — which Apple started publishing around the time European regulators began looking into its App Store-only iOS software distribution policy — is that Apple is uniquely suited to protecting its users from fraud and abuse. But it has also repeatedly struggled with preventing pretty obvious scams. I do not think its failure to achieve a perfect success rate is an indication that App Store protections are ineffective, but the company’s own statistics are also not necessarily painting a complete picture.