Technical analysis by Verichains confirms use of a sandbox escape by certain banking apps to detect TrollStore and jailbreak apps

Just yesterday, we reported on a Bluesky post by TrollStore perma-signing utility developer Lars Fröder, who shared that some banking apps currently available in Apple’s App Store use what he described as a 0-day sandbox escape to find out whether certain unfavorable apps or services are installed on the user’s device.


The findings sparked controversy, as iPhone and iPad owners don’t take kindly to banks using hacky methods like this to snoop on their devices. Apple sandboxes every App Store app precisely to prevent this: each app is confined to its own container, and the public API offers no way to enumerate what else is installed (the sanctioned check, canOpenURL:, only answers for URL schemes an app has declared in advance in LSApplicationQueriesSchemes). The sandbox defines the so-called ‘lanes of the road’ that apps are expected to stay in.

Today, finance security firm Verichains took to 𝕏 (formerly Twitter) to share a blog post containing an in-depth analysis of the technique these banking apps use to see which applications users have installed, without their consent. It’s an interesting read.

According to the post, at least two banking apps, BIDV SmartBanking and Agribank, use the technique, and there could be more. The apps purportedly call a private iOS API, SBSLaunchApplicationWithIdentifierAndURLAndLaunchOptions (part of the SpringBoardServices framework, which App Store apps are not permitted to use), to check whether particular apps are installed on the device.

Curious which apps are being targeted? We’re happy you asked. Many of our readers will recognize the identifiers, as they belong to popular package managers, jailbreak apps, and even TrollStore itself, among others:

  • opa334.TrollStore
  • coolstar.SileoStore
  • opa334.Dopamine.roothide
  • roothide.manager
  • cokepokes.AppStorePlus
  • willy.Zebra
  • opa334.Dopamine
  • kahsooa.piqwkk.dummy

The blog post goes on to explain that the banking apps used XOR obfuscation to hide the trick from the App Store review process, which evidently worked for the moment: automated review checks look for private API symbol names in the binary, and a string that is only reconstructed at runtime is invisible to that kind of static scan. Now that they have been exposed, Verichains argues that these apps violate Apple’s App Store guidelines and could face removal until the issue is fixed.
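As an added example (not code from Verichains or from the banking apps), here is the analyst-side step that the obfuscation above is meant to defeat: brute-forcing a single-byte XOR key over a binary and checking whether any decoded printable run contains the private API symbol name or one of the probed identifiers listed above. The sample blob, the two keys and the padding are constructed for this example; the page does not say how the apps’ XOR scheme works, so single-byte XOR is an assumption.

```python
"""Recover XOR-obfuscated indicator strings from a binary blob.

Added example for this article, not Verichains' tooling: sweep all 256
single-byte XOR keys and report keys under which a known indicator string
(the private API symbol or a probed identifier) becomes readable.
SAMPLE_BLOB below is constructed here, not taken from a real app.
"""
from __future__ import annotations

import re

# Indicators named in the Verichains write-up: the private SpringBoardServices
# function and the identifiers the banking apps probe for.
INDICATORS = (
    "SBSLaunchApplicationWithIdentifierAndURLAndLaunchOptions",
    "opa334.TrollStore",
    "coolstar.SileoStore",
    "opa334.Dopamine.roothide",
    "roothide.manager",
    "cokepokes.AppStorePlus",
    "willy.Zebra",
    "opa334.Dopamine",
    "kahsooa.piqwkk.dummy",
)

# Runs of printable ASCII at least MIN_LEN bytes long, like the `strings` tool.
MIN_LEN = 8
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def recover_xor_strings(blob: bytes) -> dict[int, list[str]]:
    """Try all 256 single-byte keys; return {key: [indicator strings found]}.

    Key 0 is the unobfuscated view, so plaintext indicators surface under it.
    Only keys that decode at least one known indicator are reported.
    """
    hits: dict[int, list[str]] = {}
    for key in range(256):
        decoded = xor_bytes(blob, key)
        runs = [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(decoded)]
        matched = [s for s in runs if any(ind in s for ind in INDICATORS)]
        if matched:
            hits[key] = matched
    return hits


# --- constructed sample input (not a real app binary) -------------------------
# 0x80 padding decodes to a non-printable byte under every key used here, so
# each embedded string is recovered as its own run.
_PAD = b"\x80" * 8
_KEY_IDS = 0x5A  # hypothetical key used for the identifiers
_KEY_SYM = 0x21  # hypothetical key used for the private API symbol name

SAMPLE_BLOB = (
    _PAD
    + b"com.example.bank.core"  # ordinary plaintext string, should not match
    + _PAD
    + xor_bytes(b"opa334.TrollStore", _KEY_IDS)
    + _PAD
    + xor_bytes(b"opa334.Dopamine", _KEY_IDS)
    + _PAD
    + xor_bytes(b"SBSLaunchApplicationWithIdentifierAndURLAndLaunchOptions", _KEY_SYM)
    + _PAD
)


def report(blob: bytes) -> list[str]:
    """One human-readable line per recovered indicator string."""
    lines = []
    for key, strings in sorted(recover_xor_strings(blob).items()):
        for s in strings:
            lines.append(f"key=0x{key:02x}  {s}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_BLOB)))
```

Run it against a real Mach-O and the same sweep works on the raw file bytes; if nothing turns up, the app is using a multi-byte key or a different scheme, and the next step is to find the decode routine in the disassembly rather than to extend the brute force.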

Here’s an interesting excerpt:

According to Apple’s App Store Review Guidelines (Sections 2.5.1 and Legal 5), using non-public (private) APIs or hidden system calls without explicit user consent breaches data transparency, user control, and security standards, undermining user trust.

Specifically, Guideline 2.5.1 mandates that apps “may only use public APIs” and must utilize these APIs strictly for their intended purposes. Any use of internal, undisclosed system frameworks or functions will result in app rejection or removal. Apple enforces these guidelines to maintain app stability, protect user privacy, and uphold platform security.

Beyond just compliance, abusing private APIs can be a security and privacy issue. Apple’s rules exist partly to prevent apps from accessing data or capabilities users didn’t consent to. For example, using hidden system calls to probe a device’s state can violate user privacy and platform security. Scanning a user’s device for other installed apps without permission is explicitly disallowed and undermines user trust.

Attempting to bypass iOS sandbox restrictions or gather unauthorized data (e.g., installed app lists) is a major violation, raising serious red flags for Apple and security-conscious users. Such practices risk app bans or removal from the App Store, potentially impacting millions of bank customers.

So as it turns out, yes: some banking apps were indeed using a sandbox escape to determine whether users were jailbroken or running the TrollStore perma-signing utility, and they were wrong to do so. They not only breached App Store policy but also snooped on users without consent, damaging their own reputation in the process.

It will be interesting to see how Apple handles these findings. While Apple is no friend of jailbreaking or TrollStore, the company also cannot let bold App Store violations like this by third-party companies stand.

What are your thoughts on the situation? Let us know in the comments section down below.