The Mystery of the Phantom App Updates, Part 2

May 25 2020 by Jeff Johnson

As reported by MacRumors and other media outlets, Apple issued hundreds (thousands?) of third-party app updates yesterday in the iOS App Store (but apparently none in the Mac App Store). These were not new versions of the apps submitted by the developers but rather re-releases of the current versions, modified somehow by Apple. (Apple itself must code sign all apps for distribution in the App Store.) It has been speculated that these new releases are to fix a recent issue plaguing iOS users that prevents them from opening their installed apps. Instead, they see an alert that says "This app is no longer shared with you. To use it, you must buy it from the App Store."

These "phantom" app updates reminded me of a similar situation, a mystery that I wrote about a few years ago. Though I never solved that mystery, and I haven't solved this mystery either, I did find a very interesting clue that may be the key to solving the mystery. Unfortunately, the method I used for the previous investigation — iTunes 12.6 — is no longer useful now, because iOS App Store downloads in iTunes 12.6 have stopped working; presumably Apple shut down that particular service, which has been "unsupported" for quite some time. Fortunately, we have a new method of investigation: jailbreak! iPhone jailbreaks are currently readily available. I haven't jailbroken any of my own devices, and I have no plans to do it, because I'm primarily a Mac developer, but plenty of people out there have jailbroken, so I encourage them to investigate this mystery.

When I was re-reading my old blog post, a little detail struck me:

"From the older version of Airfoil Satellite, the signing cert Apple iPhone OS Application Signing is valid from May 2008 to May 2020."

Could it be?? Since I keep voluminous backups, I was able to drag out that old ipa file and examine it again. Sure enough, the Apple iPhone OS Application Signing certificate expired on May 20, 2020 at 9:04:15 PM Central Daylight Time. I searched "social media", and the first reference I found to the current batch of "This app is no longer shared with you" errors was on May 21. What an incredible coincidence!

There are still elements of this mystery that are difficult to explain. I'm not sure why the earlier phantom updates occurred in 2017, and I don't know why Apple's own AirPort Utility was unaffected by this, although Apple has of course been known to grant itself exceptions that it doesn't grant to third-party developers. In any case, I think this certificate expiration date is tantalizing enough to warrant further investigation. Have at it, my friends! I'm just going to wait here eating my Scooby snacks.

