
I’ve been trying to figure out the technicalities there. Neither the iOS nor the Android app has had an update since the crash.

The update box is clearly based on their pre-existing popup used for things like 2FA.

Could this popup have been modified with new text and linked to a new malicious site without an app update on iOS or Android?

Or, could the popup only function if it was already coded into the app, waiting to be activated? Meaning premeditated.



It’s pretty common for apps to load some external content from a server to show to the user. This is useful in part because it allows you to update the content without going through the slow app review process. Potentially, if your backend got hacked, the hackers could change this content.


Sure, but your onboarding flow popup buttons? I don’t think app review allows those to be loaded from a website.


You can definitely serve content like that from your server and have the app render it (no website required). The review process would not block that.

You could also serve a change like this with an OTA update, again with no app store review required, which iOS and Android allow (as long as you don't fundamentally change the app, and even then they could only catch that retroactively).

Not sure if they'd care if you load it in a webview as long as the UX wasn't substantially different. I seem to recall getting bounced to web auth flows pretty often.


Lots of apps these days are merely shells for web content that is hosted elsewhere.


A couple of quick searches for “ftx app react native” make me believe at least part of their app, if not the entire thing, is React Native (it’s possible to have a hybrid native/React Native app). It’s totally possible and quite common to be able to load the JavaScript bundle from a remote server. Microsoft has a service to do exactly that called CodePush. Expo also has a service, and it’s not very complex to roll your own.

How a React Native app works is that all the native code is compiled into a “shell” of an app and then a JavaScript bundle is loaded (it can be shipped in the binary or loaded from a server), and that’s where all the layout and logic lives. Not only is it possible to make small changes, you could conceivably ship an entirely new app this way as long as you don’t need to add any new native dependencies. Of course the App Store/Play Store don’t allow “major” changes, but they have no real way of knowing. In Apple’s case, you need to provide them with a login for them to review the app (not sure about the Play Store, but possibly them too). It would be trivial to load one bundle for Apple and another for everyone else.

If you had control of the backend you could even target specific accounts and load a compromised bundle with no one else the wiser. It’s fairly easy to strip out the JS bundle to examine, so I’d say targeted attacks would be the smart way to do it. It would give you a lot of time before people caught on vs compromising everyone. I’m sure there are folks out there already tearing into the JS bundle looking for shenanigans.



