Discussion

Some iPhone Apps Receive Mysterious Update 'From Apple'

swizz89: Is it a conspiracy, or just a bug in the app store? Nobody knows.

F30: In the past, things like this used to be done for signing certificate rollovers.

merelysounds: Speculation for fun: I always thought popular apps can use private apis or are handled in a special way by the OS itself. If yes, perhaps this is related.Then again I found no source for that - and some certificate rollover seems more likely.

NSUserDefaults: Could be a fix for per-device asset optimization that got messed up somehow.

Someone: [delayed]

gbil: I saw this the other day in a couple of apps, I've checked other apps and didn't have that, did a quick check on HN frontpage and saw nothing and said wth I'll update to see if something changes in the app or there is a message. Got nothing, and didn't think more about it but I'm not sure why, is it the "trust in the process" thing or what?

ting0: Has anyone ever done a proper security audit of VLC that is downloaded from the web? I don't trust it, and the fact that their releases on Github don't include binaries makes me trust it even less. Nobody is compiling VLC from source, and they don't provide any sort of provenance from the GH actions pipeline.

eecc: hmm, my money is on some actively used 0-day exploit that Apple is sealing shut before the CVE gets announced.By the looks of the app list, they seem to be apps and games that used to be popular and have fallen in disrepair and apps that are starved of maintenance attention.On the one hand it could be an exceptionally good example of "stewardship"; on the other hand, if this is true, what if authorities could later compel Apple to manipulate applications in some malign manner?

charcircuit: This sounds like a bug with the App Store app than a new update actually being installed.

ohhman11: This seems utterly pointless to worry about. You're fucked either way if you trust VLC.

bloudermilk: Care to elaborate?

kykat: All linux distros build VLC from source

iso1631: If you are worried about apple being compelled to do something, then they can do that at the OS level rather than something obvious in theI think this is simply updating some api call which no longer works properly, coupled with the terrible "changelogs" that are the norm on the app store. Someone down thread mentioned certificate rollover.A sensible changelog would be "update expired certificate", or "fix integration with ios 26.2", or "patch security issue"An actual changelog would be "we're bringing you ever more great new improvements"Here's the latest Audible one:> At Audible, we're always making updates and improvements to make your listening experience better.> If you're experiencing issues, please reach out to customer services. For feedback or suggestions contact us at audible.co.uk/helpThis is the same every time, because these changelogs are meaningless.

lapcat: The worst part of this is that Apple could simply post a note on its developer website explaining the updates, but Apple chooses silence and mystery instead.

lapcat: > By the looks of the app list, they seem to be apps and games that used to be popular and have fallen in disrepair and apps that are starved of maintenance attention.This is not true at all. In fact, most of the examples I've seen are frequently updated and recently updated apps, by the developers themselves, within the past week or so.

ohhman11: It's downright trivial to hide a backdoor in a codebase like this.

Cthulhu_: Well no, people do know. It's not a bug because it's clearly intentional. It's not a conspiracy because that's just vagueposting.

rascul: If Apple is distributing modified vlc binaries without releasing the source of the changes when requested, is that a potential legal problem?

Cthulhu_: As always, it depends; VLC "the iOS app" is not the same as VLC "the binary compiled from source". The article itself says they couldn't find any code changes, and the theories are that a certificate was updated.I don't believe an iOS distribution specific certificate falls under the license you're referring to, but I'm no expert on these matters.

Cthulhu_: Can you tell us about any prior or active incidents like that though?That is, I'm calling you out for fearmongering, for a possible what-if, but given how popular VLC is you'd think it would've happened / is actively happening already. And there is no evidence for that.