Technical Analysis – Improper Use of Private iOS APIs in Vietnamese Banking Apps
a year ago
- #iOS
- #Privacy
- #Banking
- BIDV and Agribank mobile banking apps exploit a private iOS API to detect installed apps on users' devices.
- The private API SBSLaunchApplicationWithIdentifierAndURLAndLaunchOptions is used as a side channel to verify app existence through error codes.
- The apps employ weak XOR encryption to obfuscate API names and bundle identifiers, making detection harder.
- This behavior violates Apple’s App Store policies, risking app removal and impacting millions of users.
- The issue is unrelated to BShield or Verichains, which adhere to legitimate detection techniques.
- Apple’s guidelines prohibit private API use to protect user privacy and platform security.
- The exploit qualifies for a $5,000 bug bounty under Apple’s Security Bounty Program.
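
For reviewers auditing a binary for the XOR-obfuscated private API name described above, here is a known-plaintext scan; it is an added example, not code from the analysis or from either app. The repeating key of at most 4 bytes, the key bytes, the key starting at the string's first byte, and the sample blob are all assumptions made for illustration.

```python
# Added example: locate a known API name hidden with repeating-key XOR.
# Key length, key bytes and the sample blob are assumptions, not from the apps.

PRIVATE_API = b"SBSLaunchApplicationWithIdentifierAndURLAndLaunchOptions"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (the same operation hides and reveals)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def find_xor_hidden(blob: bytes, needle: bytes, max_key_len: int = 4):
    """Return [(offset, key)] where needle sits in blob XORed with a repeating key.

    Known-plaintext check: ciphertext XOR needle yields the keystream, and a
    repeating key makes that keystream periodic. A key of all zero bytes
    means the needle is present in the clear.
    """
    hits = []
    n = len(needle)
    for off in range(len(blob) - n + 1):
        stream = bytes(c ^ p for c, p in zip(blob[off:off + n], needle))
        for klen in range(1, max_key_len + 1):
            if all(stream[i] == stream[i - klen] for i in range(klen, n)):
                hits.append((off, stream[:klen]))
                break  # the shortest period found is reported as the key
    return hits


# Constructed sample standing in for a binary's data section.
SAMPLE_KEY = b"\x5a\xa7"
SAMPLE_BLOB = b"\x00" * 32 + xor_bytes(PRIVATE_API, SAMPLE_KEY) + b"\x00" * 32

if __name__ == "__main__":
    for offset, key in find_xor_hidden(SAMPLE_BLOB, PRIVATE_API):
        print(f"offset {offset}: key {key.hex()}")
```

Because the scan needs only the plaintext being searched for, the same function works for any bundle identifier a reviewer suspects is being probed, though short needles raise the false-positive rate.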