To bypass the App Store's review process, the developer is said to have used React Native and CodePush to update the app piecemeal.

Apple currently runs a strict review process for apps on the App Store, widely considered far tougher than Google's Play Store review. Even so, some dubious developers still find ways to circumvent the rules.

Although there had been suspicions earlier, 9to5Mac began analyzing the issue in depth after discovering last month that the Collect Cards: Store box app had been on the App Store for more than a year. Its description said little about its features, and the screenshots showed a simple interface suggesting a photo and video management app.

In reality, once downloaded, the app turned into a pirated streaming platform carrying content from Netflix, Disney+, Amazon Prime Video, HBO Max and even Apple TV+. It only drew attention when it climbed to number 2 among the most downloaded free apps on the App Store in Brazil.

Image caption: the Collect Cards: Store box app interface as listed on the App Store; inside is pirated content.

Initially, the developer behind it was said to have used geofencing, a technique that uses geolocation to identify or restrict a specific area, to keep anyone at Apple from seeing the app's true capabilities and so bypass review. The story, however, is more complicated.

When 9to5Mac's experts analyzed the source code of Collect Cards: Store box and several similar apps on the App Store, they found that most of them shared the same codebase even though they were distributed under different developer accounts. They were built on React Native, a cross-platform framework based on JavaScript, and used Microsoft's CodePush SDK, which lets developers update parts of an app without submitting a new build to the App Store.

Using React Native and CodePush does not in itself violate the App Store's rules; many popular apps do so. Malicious developers, however, use the same technology to bypass the App Store review process.

The developer then pushes an update file built specifically for the pirated streaming software, of a kind often shared publicly on platforms such as GitHub. A dedicated API checks the device's location from its IP address and returns data such as country, region, city and even estimated latitude and longitude.

When the app is first opened, it waits a few seconds before calling the geolocation API, so the App Store's automated review sees nothing unusual in the app's code. Depending on the geolocation result, the app withholds its hidden interface. In other words, once Apple has approved the app with its basic functionality, the developer uses CodePush to push whatever they want, and the app then runs its real functionality only in "safe" locations.

Following 9to5mac’s report, Apple removed the apps in question but declined to comment.

According to court documents released in 2021, the App Store review team now has more than 500 experts, who review more than 100,000 apps per week. Apple also applies an automated review pass before apps move on to manual review.