Introduction
On March 27th, the Vietnamese information security community reported that two famous banking applications - BIDV SmartBanking and Agribank Plus - exploit a hidden iOS API to detect other apps installed on users' iPhones.
This behavior was first mentioned by @opa334, the developer of TrollStore, two days ago on infosec.exchange and subsequently referenced in a Facebook post by J2TEAM. The incident quickly caused a stir as it demonstrated a violation of Apple's policy and an invasion of user privacy.
[Rest of the translation follows the same professional and accurate approach, maintaining the technical terminology and preserving the structure of the original text]From the decoded chains, we noticed that this code is likely part of a module named 'VNPay Runtime Protection'. Returning to the processing code: The code works as follows: - Create metadata for constants stored in the data section. - Call swift_initStaticObject to initialize a static object, with the value stored in another location in the data section (in this case, the result will be a Swift String object). - Call RE_Decrypt_10233F108 to decrypt strings for further processing. This code can be simplified to v40 = dlopen(XOR_DECRYPT(X), 1), where X is an encoded string in the data section. For example: The code above is equivalent to calling the csops function from /usr/lib/libSystem.B.dylib: "/usr/lib/libSystem.B.dylib".csops(a1, a2, a3, a4); Similarly for other hidden APIs: ### Analysis of Hidden APIs to Retrieve Installed Application Information The code checks installed applications on the user's device by calling the hidden iOS API SBSLaunchApplicationWithIdentifier with the app's Bundle ID. Typically, developers launch applications through supported schemes. However, this API can directly launch any app if the calling app has an Apple-granted "Entitlement". Therefore, this hidden API can be used as a side-channel to verify the existence of an app through the returned error code. **Note: This SpringBoard API is a hidden API not officially provided by Apple, so using it violates App Store policy.** List of some apps checked: - org.coolstar.SileoStore - com.opa334.Dopamine.roothide - com.roothide.manager - com.cokepokes.AppStorePlus - xyz.willy.Zebra* - com.opa334.Dopamine - com.kahsooa.piqwkk.dummy Based on the error codes returned by the SBSLaunchApplicationWithIdentifier API: • If installed: returns a security policy error (error code 9) due to missing Apple certification. • If not installed: returns application not found (error code 7). This is a side-channel exploitation method using hidden iOS APIs to check whether an application is installed. This exploitation is performed in a class named VNPShieldBridgingManager. When the banking app exploits this API, the app's console log will display many error messages about attempting to launch other apps.
Discussion of Apple App Store Policy
According to Apple's App Store Review Guidelines (Section 2.5.1 and 5. Legal), using hidden, non-public (private) APIs without Apple's and user's approval violates data transparency standards, user control standards, and security standards, thereby undermining user trust.
Specifically, section 2.5.1 stipulates that applications "may only use public APIs" and must use them strictly according to their predefined purpose. Any use of undisclosed internal system frameworks or hidden functions will lead to application rejection or removal. Apple enforces these regulations to maintain application stability, protect user privacy, and ensure platform security.
Attempts to bypass iOS restrictions or collect unauthorized data (such as the list of installed applications) is a serious violation, causing serious warning signs for Apple and security-conscious users. These actions may result in the application being banned or removed from the App Store, affecting millions of bank customers.
In this analysis, we confirm that the private API SBSLaunchApplicationWithIdentifier can be used as a side channel to determine the existence of applications through returned error codes, operating on the latest iOS versions on new, non-jailbroken devices. According to Apple's Security Bounty Program, exploiting this vulnerability falls under the category of "Device attacks through user-installed applications - Unauthorized access to sensitive data" with a reward of $5,000.
Conclusion
Technical analysis reveals that two banking applications, BIDV SmartBanking (v5.2.62, updated on 14/03/2025) and Agribank Plus (v5.1.8, updated on 25/03/2025), developed by VNPay, use commercial application protection solutions DexProtector/Licel and Dexguard/iXGuard, along with a self-developed module potentially named "VNPay Runtime Protection" or "VNPShield".
This module exploits the side-channel vulnerability of a hidden iOS API SBSLaunchApplicationWithIdentifierAndURLAndLaunchOptions to identify applications installed by users on iPhone/iPad devices, while using encryption mechanisms to conceal these hidden API strings. According to Apple's Security Bounty Program, exploiting this side-channel vulnerability falls under the category of "Device attacks through user-installed applications - Unauthorized access to sensitive data" with a reward of $5,000.
These actions seriously violate Apple App Store policies and pose a significant risk if Apple bans or removes the applications, affecting millions of bank customers.
This incident is COMPLETELY unrelated to Verichains' BShield product. The primary purpose of the Mobile Shield solution is to proactively help protect banking applications from malware on user devices, preventing account takeovers, money theft, and personal data theft that frequently occur recently. Although exploiting N-day vulnerabilities or hidden APIs may partially help enhance malware detection, BShield does NOT apply such risky or dangerous technical methods, ensuring full compliance with Apple and Google app store policies, prioritizing user and enterprise security in the context of increasingly targeted threats to banking applications.
