We’ve been seeing a lot of scam apps in the App Store lately which try to trick users into purchasing expensive subscriptions or products, and we’ve also seen apps that track and transmit the user’s location without consent. Today I want to talk about an app that uses its users’ iOS devices to perform work for other users, without the device owner’s consent.
The app, named “Parcels – Track Your Packages” (not to be confused with the popular “Parcel” app) has a 4.7-star rating in the App Store and is distributed by Russian developer Pavel Tisunov. It’s free with an optional subscription of $3.49/year or $0.99/month. The same app is also available in the Google Play store, but I haven’t investigated that app.
Upon launch, the app immediately starts sending requests to its server asking for packages to track, even though I haven’t registered any packages yet. The server then sends the app information about packages belonging to other users for it to track. This information includes the tracking number and details about which courier to query, with technical details such as the URL of the courier’s API or website, the request headers to send, and so on.
The app then performs the tracking by sending a request to the courier’s API or website exactly as specified by the instruction it received from the server, and sends the result back to the app’s server so it can be displayed to the user who actually registered that package.
Essentially, instead of doing the work of tracking packages server-side, the app uses the bandwidth, energy and processing power of its users’ devices to query courier websites, collect delivery-status changes and relay them to other users. This behavior fits the definition of a botnet: every device with this app installed becomes a bot that tracks packages for other users of the app, even if the owner of that device hasn’t registered any packages at all.
There are many reasons the developer may have chosen this approach. I don’t believe the cost of running servers is the main one, since servers these days are quite affordable and the app needs a server to command the botnet anyway (a task that can be even more server-intensive than tracking packages).
What I do think is happening is that the developer is trying to avoid the rate limiting applied by API vendors. Rate limiting caps the number of calls that can be made to a courier’s service in a given period, keyed on either the API key used for the call or the IP address of the client making it. Because this app spreads its API calls across devices all over the world, each device makes only a handful of requests from its own address, and per-IP rate limiting never triggers.
Also, many of the couriers the app supports don’t offer a proper API, so the app resorts to website scraping: downloading the same page a user would visit to track a package, then parsing the result so the tracking data can be shown in the app.
Many websites prohibit scraping in their terms of use and will block an IP address they believe is scraping them persistently. Server IP addresses don’t change frequently, so a server-side scraper is easy to block; but because the app does the scraping from its users’ devices, each request arrives from a different device’s address and IP-based blocking is ineffective.
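To make the rate-limiting point concrete, here is a small simulation I added for this article (it is not code from the app or from any courier). It implements an ordinary sliding-window limiter keyed on client IP, then feeds it the same workload twice: once from a single scraping server, once spread round-robin across installed devices. The workload, limit, window and addresses are all constructed for the demonstration; the real couriers’ limits are not published.

```python
from collections import defaultdict, deque


class PerIpRateLimiter:
    """Sliding-window limiter keyed on client IP: at most `limit` accepted
    requests from one address within any `window`-second span. Rejected
    requests are not counted, so a blocked client is admitted again as soon
    as its oldest accepted request ages out of the window."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._accepted = defaultdict(deque)  # ip -> timestamps of accepted requests

    def allow(self, ip: str, now: float) -> bool:
        q = self._accepted[ip]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def run(requests, limit: int = 5, window: float = 60.0):
    """Feed (timestamp, source_ip) pairs through the limiter; return (allowed, blocked)."""
    rl = PerIpRateLimiter(limit, window)
    allowed = blocked = 0
    for t, ip in requests:
        if rl.allow(ip, t):
            allowed += 1
        else:
            blocked += 1
    return allowed, blocked


# Constructed workload: the backend has 600 packages to refresh over one hour,
# one courier lookup every 6 seconds. Illustrative numbers, not measurements.
TOTAL = 600
INTERVAL = 6.0


def centralized():
    """Server-side scraping: every lookup leaves from the operator's single address
    (an RFC 5737 documentation address, chosen for the example)."""
    return [(i * INTERVAL, "203.0.113.10") for i in range(TOTAL)]


def distributed(devices: int = 100):
    """Same lookups handed round-robin to installed devices, each with its own
    (constructed) address, so no device contributes more than one lookup per window."""
    return [(i * INTERVAL, f"198.51.100.{i % devices}") for i in range(TOTAL)]


if __name__ == "__main__":
    print("one server  -> allowed, blocked =", run(centralized()))
    print("100 devices -> allowed, blocked =", run(distributed()))
```

With a limit of 5 lookups per 60 seconds, the single server gets half of its 600 lookups rejected (5 admitted, then 5 refused, every minute), while the same traffic spread over 100 devices is never throttled: the limiter sees only one request per address per window and has nothing to act on. The same holds for an outright per-IP block: each device’s address is unremarkable on its own.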
If the app became hugely popular, the same mechanism could be used to perform DDoS attacks: the developer can instruct every device with the app installed to fetch an arbitrary URL with arbitrary headers. It could equally be used to generate fraudulent ad “clicks”.
The mechanism could also be exploited by a man-in-the-middle: the app neither uses HTTPS for its instruction channel nor validates the instructions it receives, so anyone on the network path can rewrite them and point the device at a URL of their choosing. Again: the app is transmitting information about packages which don’t belong to you, using your device, in plain text.
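The following example is mine, added to illustrate the two failings above, and is not the app’s code: the wire format, field names, courier hosts and tracking number are all assumptions. `naive_pick` does what the post describes (acts on whatever instruction arrives), `mitm_rewrite` is what an on-path attacker can do to a plaintext instruction, and `validate_task` is the check a client should make before performing a lookup on someone else’s behalf: verify an authentication tag over the instruction, accept only HTTPS, and accept only known courier hosts and read-only methods. The tag here is an HMAC-SHA256 from the standard library; a key shipped inside an app binary can be extracted, so a real deployment would sign instructions with a private key the app never holds and verify with an embedded public key, and would also fetch them over TLS. None of this addresses the consent problem; it only removes the tampering risk.

```python
import hashlib
import hmac
import json
from urllib.parse import urlsplit

# Hypothetical allow-lists; the real app's courier list and wire format were not published.
ALLOWED_COURIER_HOSTS = {"tracking.example-courier.com", "api.example-post.net"}
ALLOWED_METHODS = {"GET"}


class RejectedTask(Exception):
    pass


def canonical(task: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(task, sort_keys=True, separators=(",", ":")).encode()


def sign_task(task: dict, key: bytes) -> dict:
    """Server side: wrap a task with an HMAC-SHA256 tag over its canonical form."""
    tag = hmac.new(key, canonical(task), hashlib.sha256).hexdigest()
    return {"task": task, "sig": tag}


def naive_pick(envelope: dict) -> dict:
    """What the post describes: act on whatever instruction arrives, unverified."""
    return envelope["task"]


def validate_task(envelope: dict, key: bytes) -> dict:
    """Client side: accept a task only if it is authentic, uses TLS, and targets a known courier."""
    task, tag = envelope.get("task"), envelope.get("sig", "")
    if not isinstance(task, dict):
        raise RejectedTask("malformed envelope")
    expected = hmac.new(key, canonical(task), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise RejectedTask("tag mismatch: instruction was altered or not issued by the server")
    url = urlsplit(task.get("url", ""))
    if url.scheme != "https":
        raise RejectedTask(f"refusing non-TLS scheme {url.scheme!r}")
    if url.hostname not in ALLOWED_COURIER_HOSTS:
        raise RejectedTask(f"host {url.hostname!r} is not a known courier")
    if task.get("method", "GET") not in ALLOWED_METHODS:
        raise RejectedTask("only read-only lookups are permitted")
    return task


def mitm_rewrite(envelope: dict, new_url: str) -> dict:
    """On-path attacker on the plaintext command channel: retarget the lookup."""
    tampered = json.loads(json.dumps(envelope))  # deep copy, leave the original intact
    tampered["task"]["url"] = new_url
    return tampered


def accepts(envelope: dict, key: bytes) -> bool:
    try:
        validate_task(envelope, key)
        return True
    except RejectedTask:
        return False


# Constructed sample instruction, shaped the way such a server might issue one.
SERVER_KEY = b"demo-key-do-not-ship-in-a-real-app"
GENUINE = sign_task({
    "tracking_number": "TEST0000000001",  # made-up number
    "url": "https://tracking.example-courier.com/api/track?n=TEST0000000001",
    "method": "GET",
    "headers": {"Accept": "application/json"},
}, SERVER_KEY)
TAMPERED = mitm_rewrite(GENUINE, "http://victim.example/expensive-endpoint")

if __name__ == "__main__":
    print("naive client would fetch:", naive_pick(TAMPERED)["url"])
    print("validating client accepts genuine task:", accepts(GENUINE, SERVER_KEY))
    print("validating client accepts tampered task:", accepts(TAMPERED, SERVER_KEY))
```

Run as-is, the naive client happily fetches `http://victim.example/expensive-endpoint` on the attacker’s behalf, while the validating client rejects the tampered envelope at the tag check and would also reject it for the plaintext scheme and unknown host even if the tag had been forged. The host allow-list is what separates “track a package at a courier” from “fetch any URL the server names”, which is the capability that makes the DDoS and click-fraud scenarios possible.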
That’s all pretty bad, but on top of it every device with this app installed has its bandwidth, performance and battery life degraded to perform work for other users, without explicit consent from the person who installed the app.
This practice violates Apple’s App Review Guidelines, section 2.4.2, which states that apps “may not run unrelated background processes”. Even though the app is performing package tracking, which is its intended functionality, it’s doing so on my device for other users, which is unrelated to the task I downloaded the app for. At the time of writing, there’s no mention of this practice in the app’s description or privacy policy.
Speaking of privacy, this practice is also a breach of privacy: any user who can run a proxy on their device gains access to tracking numbers belonging to other users of the app, without those users’ consent. I left the app running on my test device for an hour and it performed 52 tracking requests for packages which were not mine. I now have those tracking numbers because I was looking at what the app was doing through the proxy.
The person who reported this app to me has contacted the App Store about it and hasn’t received any response yet. We’ve also reported it to Apple and we’ll update this article when we get a response.