5

Recently I heard quite a few rumors (or true stories?) on how some Chinese iOS developers succeeded in fooling the App Store private API checking system and have their dynamically-calling-private-api apps approved and available in the app store.

So far those stories focused on WebKit private APIs. They stated that they succeeded in getting access to the iPhone user's personal data by calling those private WebKit APIs.

I have to say I'm confused. My question:

  • Is their statement logical? (i.e. Is it possible to getting access to the user's data through WebKit private API?)

My thinking on possible ways to achieve the task.

  • through the performSelector: method
  • through NSInvocation
  • through this so-called almighty and mysterious reflection thing

I don't think it's possible myself. But my iOS experience is limited so I'm not that confident in my judgement. Any suggestions are highly welcome. :)

Victor Ronin
  • 22,758
  • 18
  • 92
  • 184
Di Wu
  • 6,436
  • 3
  • 35
  • 51
  • At the end everything is possible with the right amount of research etc – Daniel Feb 09 '12 at 17:07
  • 1
    Unfortunately, all we know about the way that Apple checks for private API usage is anecdotal, since they do not disclose their process for doing so. Any workarounds suggested here might break as soon as Apple changes their review process. – Brad Larson Feb 09 '12 at 17:46
  • 2
    Accessing private API has never been a problem. For example, your code contains scrambled symbol names, it unscrambles them at runtime, looks up their addresses using the dynamic linker, then calls the functions/methods by address. That said, you'd better know what you're doing, why you're doing it and how to do that _as safely as possible_. It's just bad practice, period. Using private API should be avoided at all costs. – Costique Feb 09 '12 at 18:18
  • @Costique Please elaborate and I will accept your answer. Thanks! – Di Wu Feb 10 '12 at 02:41

1 Answers1

5

To answer your question, yes their statement is logical. You would likely be able to access user's personal data through a number of private APIs. You don't mention what personal information, so it's not possible to say definitively.

My comment on your thinking about ways to do this: don't, it's not worth the risk to your reputation as a developer, or the client's reputation if this is a work for hire, or the status of your developer account if you're trying to circumvent/violate the terms of service you agreed to with Apple.

picciano
  • 22,341
  • 9
  • 69
  • 82