benlivengood 5 days ago

In this case it appears to be a public Firebase bucket; shutting down the app wouldn't help. Quite possibly access to Firebase was mediated through a backend service and Apple couldn't validate the security of the unknown bucket anyway.

tonymet 5 days ago | parent

Also, about validating the backends: Apple has the resources to provide a level of auditing over the common backends. S3, Firebase -- perhaps the top 5. It's easy to provide Apple with limited access to query backend metadata and confirm common misconfigurations.

tonymet 5 days ago | parent

I partially agree. At least the threat of app shutdown would be enough of a consequence for the publisher to take things seriously.

benlivengood 5 days ago | parent

I think iOS and Android already hold the threat of app store removal over developers' heads.

Presumably the risk/reward still favors risky practices.

tonymet 5 days ago | parent

But it's not contingent on backend violations, only frontend ones. I'm proposing decoupled ways for app store validation to audit backend security.