TweakBox and AppValley may not be as safe as you think

Twitter user Fennikami stirred up quite a storm by making the dylib code of AppValley and TweakBox public. Are these hacked app installers really safe? Let’s find out below.

What Fennikami posted on Reddit

Heya, so I decided to do some digging on AppValley’s Spotify++ IPA comparing that to original Spotify++ IPA from Julio Verne (the actual dev behind Spotify++).

Well… F*CK.

AppValley team injected their own sketchy code into it.

AppValley’s IPA on the left, original IPA on the right. Files in red are those that are not in the original IPA (hence the red “X” on the right, which means these files exist only in AppValley’s IPA).

See this “dylib.dylib” file on the left? That’s a dynamic library, and that’s what developers (or hackers) use for code injection (among other sketchy things).

I currently don’t have a Mac (or Hackintosh, for that matter; will install macOS soon tho) so I can’t use dylib disassembler right now, but I tried to get at least some glance at what’s going on there.

And that’s what I found:

  • “Shenzhen Yunxun Technology Co., Ltd.” certificate (the one AppValley uses) embedded into *.dylib for code signature reasons, probably.
  • Bits of advertisement code (1)
  • Bits of advertisement code (2)
  • XCode user path (and username “justin”), header files (*.h), and dylib build references.
  • Another “justin” username mention.
  • Username “justin” is mentioned at least 14 times in this *.dylib.

So, as you can see, this dylib is mostly used for advertisement purposes (i.e. for injecting ads into AppValley’s apps), albeit there’s probably more to it (since I can’t reverse/disassemble the entire dylib right now), and it was built by a user named “justin” who keeps his builds and source code under “/Users/justin/Desktop/AppValley” (on macOS).

There’s a chance that this library could link to Apple’s private framework called IOSurface, which allows it to record your entire screen without you noticing even when the app is running in the background (this will get your app banned on the App Store, but that’s the thing, it’s not the App Store and there’s no moderation).

There’s a chance this app might collect your passwords. There’s a chance this app might do some sketchy s*it too.

So, what can I say?

Justin, it’s a really sketchy thing to do.

Draw your own conclusions, guys.

Fennikami also posted the following screenshots.
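
The comparison described in the post above (listing files that exist only in the repackaged IPA, then pulling readable strings out of the added dylib) needs neither a Mac nor a disassembler. The Python sketch below is an added example, not code from the Reddit post or from this article; the IPA contents, the bundle path and the `sample.h`/`sample.o` names are constructed sample data.

```python
import io
import re
import zipfile
from collections import Counter

MACHO_MAGICS = {b"\xcf\xfa\xed\xfe", b"\xce\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}  # 64-bit, 32-bit, fat
PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")    # runs of 6+ printable ASCII bytes
BUILD_PATH = re.compile(r"/Users/([^/\s]+)/")  # macOS home directory left behind by the build

def make_ipa(files):
    """Build an in-memory IPA (a zip archive) from {path: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()

def added_files(repack, original):
    """Paths that exist only in the repackaged IPA."""
    def names(blob):
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            return set(z.namelist())
    return sorted(names(repack) - names(original))

def triage(repack, path):
    """Return (is_macho, strings, build_users) for one file inside the IPA."""
    with zipfile.ZipFile(io.BytesIO(repack)) as z:
        data = z.read(path)
    strings = [m.group().decode("ascii") for m in PRINTABLE.finditer(data)]
    users = Counter(u for s in strings for u in BUILD_PATH.findall(s))
    return data[:4] in MACHO_MAGICS, strings, users

# Constructed sample data: a fake "original" IPA and a fake repackaged one.
APP = "Payload/Spotify.app/"
BASE = {APP + "Spotify": b"\xcf\xfa\xed\xfe" + b"\x00" * 16,
        APP + "Info.plist": b"<plist></plist>"}
INJECTED = (b"\xcf\xfa\xed\xfe" + b"\x00" * 16
            + b"/Users/justin/Desktop/AppValley/sample.h\x00\x01\x02"
            + b"/Users/justin/Desktop/AppValley/build/sample.o\x00")
ORIGINAL = make_ipa(BASE)
REPACK = make_ipa({**BASE, APP + "dylib.dylib": INJECTED})

if __name__ == "__main__":
    for path in added_files(REPACK, ORIGINAL):
        is_macho, strings, users = triage(REPACK, path)
        print(path, "Mach-O" if is_macho else "data", dict(users))
```

On real files, read both IPAs from disk as bytes and pass them to `added_files`; any added path that `triage` reports as Mach-O is executable code the original developer did not ship.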

Fennikami warns AppValley and TweakBox users

If you use AppValley or TweakBox or used them before — you should remove every app you got from them, and then delete their profile at Settings — General — Profiles (under “Enterprise Apps”; if it’s there).

If you’re not on the latest iOS 11.4+ (or iOS 12 beta) — restore your iPhone via DFU mode (don’t reset it via Settings since you’ll have to enter your Apple ID password) and then change ALL of your passwords you ever used on your iPhone, and double-check your banking accounts.

If you believe your device was hacked or you need any type of support/help regarding AppValley and TweakBox (and other services too) — reach out to me via Reddit.

PMs/comments. Don’t hesitate to, I’ll reply ASAP.

Also, follow me on Twitter, I asked AppValley and TweakBox why they’re doing this sh*t there and I’ll keep you updated there too.

If you’re on iOS 11.2 — 11.3.1 (or any iOS version jailbreakable via iOS app) and you never used AppValley/TweakBox — stay away from ANY codesigning service, including AppValley and Tweakbox!

They might silently jailbreak your iPhone/iPad/iPod and gain full control over it. If you used AppValley/TweakBox and any other similar app — restore your device via DFU immediately and change all of your passwords you used on your device.

Tweakbox does the same thing, will make a similar post about it soon too.

  • Update 1 – Just want to let you guys know — I backed up old AppValley and Tweakbox IPAs (before my post gained their attention and they had a chance to remove the shady code from their dylibs). PM me if you need one.
  • Update 2 – So, AppValley just removed their tweet about my Reddit post. And TweakBox dude (the one who claimed they use safe ads) removed his comments too. Why would they?
  • Update 3 – AppValley team just refused to give me their dylib source code so I can get it checked. And they also deleted that tweet. Shady af.
  • Update 4 –  TweakBox dev ItsNash0 won’t reply to my Reddit PM where I asked him to remove malicious dylibs from TweakBox apps.
  • Update 5 – TweakBox team refused to give their dylib sources too.

Official AppValley and TweakBox statement regarding hacked dylibs 

Colin, the administrator of AppValley, posted an official statement on behalf of AppValley and TweakBox regarding the hacked dylib fiasco.

Almost all of the popular installers, including AppValley and TweakBox, rely on advertisements to generate revenue.

Advertisement revenue allows them to cover hosting and server costs and keep the service free for everyone. For those who don’t know, enterprise certificates cost a bomb and allow the users to use signed apps without paying a penny.

Adding advertisements to apps involves manual injection of new code into existing applications and tweaks.

This method is perfectly safe and secure unless a developer decides to sneak in some shady code. Moreover, no service can hurt your iPhone or iPad without a powerful low-level exploit.

If you do not have a jailbreak, you shouldn’t worry too much about these hacked apps.

Our take

AppValley and TweakBox are tried-and-tested package managers and shouldn’t pose any threat to your device.

TutuApp and other Chinese installers do harvest user data through spyware so I suggest staying away from them for obvious reasons.

With that being said, the safest route is obviously to use paid signing services or jailbreak tweaks.


If you already have a jailbreak, you can simply install Ext3nder Installer tweak and use it in conjunction with AppSync for all your signing needs.

As always, don’t forget to perform your due diligence before you download a shiny new installer on your iPhone.

If you are still unsure which installers are safe, just drop a comment below.
