Password-pilfering app exposes weakness in iOS and Android vetting process
Highlighting crucial weaknesses in Apple’s and Google’s processes for admitting new titles into their competing app stores, both companies have ejected a third-party Instagram app after discovering it probably pilfered user passwords and pictures.
InstaAgent, as the app was called, marketed itself as a program that tracked people who visited a user’s Instagram account. It had between 100,000 and 500,000 downloads from Google’s Play Store and was in the top charts of the iOS App Store. But behind the scenes, an app developer said earlier this week, the app sent users’ Instagram login credentials to a server controlled by the InstaAgent developer. Google was the first to pull the app. Apple later followed.
According to a blog post published Thursday by the iOS developer: