Mac App Store Under Renewed Scrutiny Ahead of Mojave Launch
Activity on the Mac App Store is raising eyebrows at exactly the wrong time. As Apple prepares to launch macOS Mojave this Fall, it's also prepping a new Mac App Store. This redesign, which echoes the iOS App Store, is positioned more as a dynamic marketplace for software than "just" a repository for apps.
But just as this changeover is taking place, Apple is in a pickle. The fourth-most-popular paid app, Adware Doctor, was discovered to have been swiping users' browser histories across Chrome, Safari, and Firefox – and then sending the data to a Chinese server. Following widespread reports of this nefarious activity, Apple removed the app.
That didn't end things, however. Developer account ‘Trend Micro, Inc.’ was found to be performing the same browser-history-sniping tasks with its own apps. In addition, the developers' apps were also peeking into the data on other Mac apps. Those apps were yanked from the Mac App Store.
The issue isn’t an app sneaking past the review process – it’s the process itself. As Threatpost notes, Adware Doctor raised red flags for the careful observer:
The app is currently listed on Apple’s Mac App Store as the company’s fourth-highest “Top Paid” software programs, behind Final Cut Pro, Magnet and Logic Pro X. It is also the store’s No. 1 paid utility. The app currently costs $4.99, is validly signed by Apple, and its listing on the Mac App Store is accompanied by a majority of lavishly positive [likely fake] five-star reviews.
It was an extremely profitable app with a ton of glowing reviews, which should have at least raised eyebrows at Apple. We know fake reviews alone can (and will) get you banned from Apple’s ecosystem.
We know developers don’t feel they need the Mac App Store. Surveys show developers don’t look kindly on it, and those who have removed their apps from the desktop app portal don’t see a significant dip in income.
In announcing the new Mac App Store, Apple also bragged about launch partners from both ends of the spectrum. Large companies can take note of Adobe and Microsoft's presence in the Mac App Store, while BBEdit from Bare Bones Software and Panic’s Transmit are a beacon to the smaller developer houses and indies out there.
Apple has made efforts to cull ‘zombie’ apps from the Mac App Store, and the new storefront allows for apps distributed elsewhere to be ‘notarized,’ which includes a malware check. All smart moves, but not enough for developers and companies who aren’t currently on the Mac App Store – precisely the crowd Apple is hoping to woo with its renewed efforts.
We’re willing to say this "bad apps" event is a legacy issue – a holdover from the old way the Mac App Store worked. Apple hasn’t released an official statement on these apps, though, which is also a huge problem. It’s also unclear if there will be new Developer Account rules when the new Mac App Store launches, or if the aforementioned ‘notarization’ will help. It’s also unknown if Apple just doesn’t care.
As ‘Marzipan’ apps loom for the desktop, which will allow app interoperability between iOS and macOS, we have to wonder if the Mac App Store will morph into the same must-have as the iOS App Store, given the nature of software distribution for the iPhone and iPad. Remember, macOS is Apple’s only platform where users can download apps from outside Apple’s marketplace, but 'Marzipan' apps could boost its attractiveness.
Speculatively, 'Marzipan' means the Mac App Store and apps written for Mac will fall under the same purview as iOS, where malware and bad actors are almost always spotted early. Apple is also forcing developers to publish a privacy policy, which places the onus on users to check what an app does with data before they use it.
It’s a matter of trust, and Apple hasn’t done enough. A flashy redesign means nothing if developers don’t feel confident the playing field is even, and users think everything might have malware. If Apple can’t sew these weak points up posthaste, the new Mac App Store might be viewed as unreliable on launch.