Comment by Bjartr

10 hours ago

Based on that I'd guess either a meditation app company has figured out how to circumvent a lot of controls put in place by Apple, or it's a bug on Apple's side

Yeah, I think the latter is more likely than the former. Perhaps a server side bug that's silently downloading the app on any device that's installed it previously?

  • But why this one specific app and no others?

    • Maybe Apple typo’d an app id incorrectly for some iOS core app thing in 26.4.2 and the one-character error is this app? I don’t know that anyone’s done a ‘likelihood of collision’ analysis on appstore unique IDs yet. Certainly I could see iOS having a “must be on the device” system set up for apps like Phone and Settings that has a last-ditch of reinstalling it if somehow deleted. Would be especially interesting if some core app that can’t normally be deleted is currently unprotected (back up your device locally first!).

    • Right, that's what confuses me the most. I was very surprised to find the reddit thread showing that other people are also having this specific app silently installed on their devices.

My guess is it's a bug on the App Store side which will actually hurt Headspace in the long run. If this was a casino app I'd feel a bit differently, but I'd be shocked if someone at Headspace did this deliberately.

I'm trying to imagine the headspace of a user who deletes an app, only to see it pop back the next morning. Probably not a very relaxing experience :)

Or it is a mandated backdoor, and someone internally objected, and made it easier to exploit than it should be, or leaked how to exploit it?

  • > mandated backdoor

    Probably one from the repository of backdoors "accidentally" introduced or "never" discovered.

    The mechanism's there, just needs to be woven with other exploits.