Twitter user Fennikami stirred up quite a storm by making the dylib code of AppValley and TweakBox public. Are these hacked app installers really safe? Let’s find out below.
What Fennikami posted on Reddit
Heya, so I decided to do some digging on AppValley’s Spotify++ IPA comparing that to original Spotify++ IPA from Julio Verne (the actual dev behind Spotify++).
AppValley team injected their own sketchy code into it.
AppValley’s IPA on the left, original IPA on the right. Files in red are those that are not in the original IPA (hence the red “X” on the right, which means these files exist only in AppValley’s IPA).
See this “dylib.dylib” file on the left? That’s a dynamic library, and that’s what developers (or hackers) use for code injection (among other sketchy things).
I currently don’t have a Mac (or Hackintosh, for that matter; will install macOS soon tho) so I can’t use dylib disassembler right now, but I tried to get at least some glance at what’s going on there.
And that’s what I found:
- “Shenzhen Yunxun Technology Co., Ltd.” certificate (the one AppValley uses) embedded into *.dylib for code signature reasons, probably.
- Bits of advertisement code (1)
- Bits of advertisement code (2)
- Xcode user path (and username “justin”), header files (*.h), and dylib build references.
- Another “justin” username mention.
- Username “justin” is mentioned at least 14 times in this *.dylib.
So, as you can see, this dylib is mostly used for advertisement purposes (i.e. for injecting ads into AppValley’s apps), albeit there’s probably more to it (since I can’t reverse/disassemble the entire dylib right now), and it was built by a user named “justin” who keeps his builds and source code under “/Users/justin/Desktop/AppValley” (on macOS).
There’s a chance that this library could link to Apple’s private framework called IOSurface which allows it to record your entire screen without you noticing, even when the app is running in the background (this will get your app banned on the App Store, but that’s the thing, it’s not the App Store and there’s no moderation).
There’s a chance this app might collect your passwords. There’s a chance this app might do some sketchy s*it too.
So, what can I say?
Justin, it’s a really sketchy thing to do.
Draw your own conclusions, guys.
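A defender-side way to reproduce the check the post describes (files present in the installer’s IPA but not in the original, then the strings inside any injected dylib), as an added example that is not code from Fennikami or from AppValley. It needs only the Python standard library; the two IPAs are constructed in-memory fixtures rather than the real files.

```python
# Added example (not code from the Reddit post): diff a sideloaded IPA against the
# original build, then scan any extra Mach-O file for the build-path, username and
# certificate strings the post describes. Both IPAs below are constructed fixtures.
import io, re, zipfile

# Mach-O 32/64-bit magic in both byte orders, plus the fat-binary magic.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}
INDICATORS = {
    "build_path": re.compile(r"/Users/[^/\s]+/"),         # leaks the developer's username
    "header_file": re.compile(r"\.h$"),                   # Xcode build references
    "certificate": re.compile(r"Co\., Ltd\.|Developer"),  # embedded signer names
}

def ipa_members(ipa_bytes):
    """{path: bytes} for every file in an IPA (an IPA is just a zip archive)."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as zf:
        return {n: zf.read(n) for n in zf.namelist() if not n.endswith("/")}

def strings(data, min_len=6):  # printable ASCII runs, like the strings(1) tool
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def scan_macho(data):
    """Map each indicator name to the strings in the binary that matched it."""
    hits = {name: [] for name in INDICATORS}
    for s in strings(data):
        for name, pat in INDICATORS.items():
            if pat.search(s):
                hits[name].append(s)
    return hits

def audit(sideloaded_ipa, original_ipa):
    """{extra_path: indicator hits} for every Mach-O file the original IPA lacks."""
    side, orig = ipa_members(sideloaded_ipa), ipa_members(original_ipa)
    extra = sorted(set(side) - set(orig))
    return {p: scan_macho(side[p]) for p in extra if side[p][:4] in MACHO_MAGICS}

def build_ipa(files):  # constructed fixture helper: {path: bytes} -> in-memory IPA
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in files.items():
            zf.writestr(path, data)
    return buf.getvalue()

APP = "Payload/Spotify.app/"
ORIGINAL = build_ipa({APP + "Spotify": b"\xcf\xfa\xed\xfe" + b"\0" * 64, APP + "Info.plist": b"<plist/>"})
# Constructed dylib: 64-bit Mach-O magic plus strings of the kind the post lists.
FAKE_DYLIB = (b"\xcf\xfa\xed\xfe" + b"\0" * 16 + b"/Users/justin/Desktop/AppValley/AdBanner.h\0"
              b"Shenzhen Yunxun Technology Co., Ltd.\0")
SIDELOADED = build_ipa({**ipa_members(ORIGINAL), APP + "dylib.dylib": FAKE_DYLIB})
```

Running `audit(SIDELOADED, ORIGINAL)` reports only `Payload/Spotify.app/dylib.dylib`, with the build path, header reference and certificate name grouped by indicator; a clean IPA diffed against itself returns an empty dict.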
Fennikami also posted the following screenshots.
Fennikami warns AppValley and TweakBox users
If you use AppValley or TweakBox or used them before — you should remove every app you got from them, and then delete their profile at Settings — General — Profiles (under “Enterprise Apps”; if it’s there).
If you’re not on the latest iOS 11.4+ (or iOS 12 beta) — restore your iPhone via DFU mode (don’t reset it via Settings since you’ll have to enter your Apple ID password) and then change ALL of your passwords you ever used on your iPhone, and double-check your banking accounts.
If you believe your device was hacked or you need any type of support/help regarding AppValley and TweakBox (and other services too) — reach out to me via Reddit PMs/comments. Don’t hesitate to, I’ll reply ASAP.
Also, follow me on Twitter, I asked AppValley and TweakBox why they’re doing this sh*t there and I’ll keep you updated there too.
If you’re on iOS 11.2 — 11.3.1 (or any iOS version jailbreakable via iOS app) and you never used AppValley/TweakBox — stay away from ANY codesigning service, including AppValley and Tweakbox!
They might silently jailbreak your iPhone/iPad/iPod and gain full control over it. If you used AppValley/TweakBox and any other similar app — restore your device via DFU immediately and change all of your passwords you used on your device.
Tweakbox does the same thing, will make a similar post about it soon too.
- Update 1 – Just want to let you guys know — I backed up old AppValley and Tweakbox IPAs (before my post gained their attention and they had a chance to remove the shady code from their dylibs). PM me if you need one.
- Update 2 – So, AppValley just removed their tweet about my Reddit post. And TweakBox dude (the one who claimed they use safe ads) removed his comments too. Why would they?
- Update 3 – AppValley team just refused to give me their dylib source code so I can get it checked. And they also deleted that tweet. Shady af.
- Update 4 – TweakBox dev ItsNash0 won’t reply to my Reddit PM where I asked him to remove malicious dylibs from TweakBox apps.
- Update 5 – TweakBox team refused to give their dylib sources too.
Official AppValley and TweakBox statement regarding hacked dylibs
Colin, the administrator of AppValley, posted an official statement on behalf of AppValley and TweakBox regarding the hacked dylib fiasco.
Almost all of the popular installers, including AppValley and TweakBox, rely on advertisements to generate revenue.
Advertisement revenue allows them to cover hosting and server costs and keep the service free for everyone. For those who don’t know, enterprise certificates cost a bomb and allow the users to use signed apps without paying a penny.
Adding advertisements to apps involves manual injection of new code into existing applications and tweaks.
This method is perfectly safe and secure unless a developer decides to sneak in some shady code. Moreover, no service can hurt your iPhone or iPad without a powerful low-level exploit.
If you do not have a jailbreak, you shouldn’t worry too much about these hacked apps.
AppValley and TweakBox are tried-and-tested package managers and shouldn’t pose any threat to your device.
TutuApp and other Chinese installers do harvest user data through spyware so I suggest staying away from them for obvious reasons.
With that being said, the safest route is obviously to use paid signing services or jailbreak tweaks.
As always, don’t forget to perform your due diligence before you download a shiny new installer on your iPhone.
If you are still unsure which installers are safe, just drop a comment below.