News broke last week that Adware Doctor, an adware-removal utility sold in the Mac App Store, quietly copied its users' browser histories and sent them to a server in China. The malicious data collection was independently confirmed by two researchers and promptly disclosed to Apple, yet the app stayed in the store, seemingly until the story started making headlines. Over the weekend the saga continued with revelations that several other apps in the Mac App Store were doing the same thing.
A report says that Dr. Unarchiver, Dr. Cleaner and other utilities published by cybersecurity vendor Trend Micro and sold in the Mac App Store had been exfiltrating users' browser history, with user complaints dating back to at least December 2017. Nobody seemed to pay much attention to those complaints until the Adware Doctor scandal.
Every app in this group--or should it be a "practice," since they're all doctors?--appeared to steal data in the same way. They looked like legitimate applications, several of them reaching the store's best-seller lists, then found a way around the App Sandbox that is supposed to keep Mac App Store apps from reading data outside their own containers. Once an app can read the browser's history files, all that remains is to package them and send them off.
Of course, this isn't supposed to happen. The whole point of the Mac App Store, much like the iOS App Store, Google's Play Store or their equivalents, is to assure consumers that software downloaded from those marketplaces is safe. Store owners are supposed to vet every app they sell, including checking that it isn't secretly gathering personal information.
These problems raise serious questions about the security of software downloaded from the Mac App Store. Apple missed all of them while vetting these utilities, and the apps' malicious activity went largely unnoticed despite their popularity. Even after security researchers investigated the claims, confirmed them and reported the issues to Apple, it took more than a month for Adware Doctor to be removed.
There is some good news: Apple has already removed the other apps named this weekend. The question is whether significant media attention will be required to expose the next bad actor in the Mac App Store, or whether this series of events will change the vetting process.