Apple has rules and regulations in place for all sorts of things, but especially for the App Store. Developers must follow those rules if they want to keep their app(s) in the digital storefront. Sometimes apps that bypass the rules, in big ways or small, are discovered only after they have been available for some time. (The App Store review process doesn’t always catch the offenders.)
That appears to be the case with another app. The Verge was first to report on the situation, which involves Amazon and an app called Fakespot. That app, which also has extensions for web browsers, is designed to root out fake product reviews on Amazon. Basically, it helps customers find authentic reviews for a product they might be interested in buying.
Amazon and Fakespot both confirmed to the publication that Amazon sent a takedown request regarding the iOS app to Apple. And Apple apparently decided the app should be removed. Fakespot no longer has an app for the iPhone or iPad at the time of publication.
Amazon said that Fakespot’s latest update made it possible for it to “wrap” Amazon’s website without explicit permission from Amazon. The company says that this means it’s theoretically possible this could be exploited to hijack and steal customer user data. Perhaps unsurprisingly, Apple didn’t inform Fakespot why it removed the app.
As noted in the original report, the latest version of the app was released on June 3, so it had been available for a bit of time before the removal. But that’s not because Amazon wasn’t trying to get the app removed right after the update. According to Fakespot, Amazon filed the initial takedown request in mid-June.
Fakespot’s founder Saoud Khalifah had this to say on Apple’s actions following the request:
Apple hasn’t even given us the ability to solve this. We just dedicated months of resources and time and money into this app.
As for which App Store guideline Amazon believes Fakespot violated? That’s apparently rule 5.2.2, which reads:
It goes beyond that, though. As mentioned above, Fakespot’s app digs into the Amazon website. According to the giant retailer, this means the app “injects code into its website, opening up an attack vector and putting customer data (including email, addresses, credit card info, and your browser history) at risk.” For its part, though, Amazon does not say whether or not Fakespot is actually obtaining, or, more importantly, using that information it can theoretically obtain.
Here’s Amazon’s statement on the matter:
The app in question provides customers with misleading information about our sellers and their products, harms our sellers’ businesses, and creates potential security risks. We appreciate Apple’s review of this app against its Appstore guidelines.
Khalifah says that while the Fakespot app does indeed inject code to properly display Fakespot’s own scores, there is no vulnerability in place. He also points out that Amazon does not have an issue with coupon apps, which effectively do the same thing but obviously aren’t all about making fake reviews easily viewable to potential customers.
Fakespot’s founder adds:
Amazon is willing to bully little companies like ours that showcase the cracks in their company.
Khalifah notes that Fakespot for iOS gathered up over 150,000 installs without any marketing. This suggests that people were flocking to that particular app, rather than leaning into Amazon’s official app. As for the Android app? No comment from Amazon in that regard. But, as noted in the original report, that one hasn’t been updated since 2019, so it might not have the same potential issue.