Hacker News
by mrsaint 1260 days ago
How could Apple properly review something like this? Isn't it one of Apple's selling pitches that they'd review each app for malicious activity before it makes it to the app store?
5 comments

So, a tricky piece here is that this appears to be behavior of the TikTok web site. Obviously Apple makes no attempt (nor claim) to review the behavior of every web site accessible in Safari from an iPhone. And other native apps can embed WebKit-based web views into their apps.

The good news is that the scope of "malicious activity" is (at least in theory) much smaller when you constrain it to what web sites can do, as opposed to the scope of what can be done by executing ARM instructions and making syscalls.

The bad news is that the scope of "things web sites can do" keeps growing and is fingerprintable.

Apple has previously banned apps for their backend content if they didn't like it. It's just that TikTok is too big and Apple is full of shit.
Apple only cares "really deeply" about ethics where there is no financial penalty attached. China would be an obvious exception to this.

https://www.theinformation.com/articles/facing-hostile-chine...

Note: This is the same as having no ethics.

> the code that is deployed on TikTok's _website_

This isn't regarding the app at all, which is likely not as heavily obfuscated as this (mostly because you can't just "view source" on an app).

> How could Apple properly review something like this? Isn't it one of Apple's selling pitches that they'd review each app for malicious activity before it makes it to the app store?

They couldn't. Apple does not perform any meaningful review of apps for malicious activity; they do it for rent seeking.

I used to develop an Apache Cordova application that had strong obfuscation using javascript-obfuscator. Apple didn't care.
They can't and most likely would kick the app out of the store, hence why this is the website code.