Acknowledged

CIQ store app (iOS) falsely shows settings from *wrong app*, when two apps are installed with similar settings definitions

Connect IQ Store app version 2.30.1 (iOS)

I have a data field app that has 4 "clones" in the store. They're all basically identical except for their app UUID, app name, and certain default settings.

AppBuilder 5: https://apps.garmin.com/apps/fd690281-9c22-4fee-a81e-3b7f39aa67c5

AppBuilder 5 (B): https://apps.garmin.com/apps/706e91ae-7b84-4ac3-b0a7-dc2bcceb6fc2

AppBuilder 5 (C): https://apps.garmin.com/apps/f5259a68-1509-4ee9-9a05-46dc1d939f3f

AppBuilder 5 (D): https://apps.garmin.com/apps/394b4149-6d5a-4c2c-836d-dca71ea10b98

I had AppBuilder 5 installed on my 955, but none of the other clones were installed, and I had made extensive changes to the settings of AppBuilder 5. Subsequently, I installed AppBuilder 5 (B). When I opened AppBuilder 5 (B)'s settings in the CIQ app, it showed me settings values for AppBuilder 5, instead of 5 (B)'s defaults!

But when I added AppBuilder 5 (B) to an activity, it was clearly using its default settings values (one of the settings controls the data field label.)

Reproduction Procedure:

- If any of the AppBuilder 5 data fields are installed on your device, uninstall them

- Install AppBuilder 5 and open its settings in the CIQ store app (iOS)

- Note that the default value for "Profile 1 - Label" is "AppBuilder".  (The default values for the other apps are "AppBuilderB", "AppBuilderC", and "AppBuilderD")

- Change "Profile 1 - Label" to "Custom Label" and save settings

- Add AppBuilder 5 to an activity and note that the displayed label is "Custom Label"

- Install AppBuilder 5 (B). (Do not modify its settings or launch the app on the watch)

- Install an unrelated app, such as HM's DIY #1

- Open HM's DIY #1's settings. Exit without saving

- Open AppBuilder 5 (B)'s settings: note that the value for "Profile 1 - Label" is correctly displayed as "AppBuilderB". Exit settings without saving

- Open AppBuilder 5's settings. Exit without saving

- Open AppBuilder 5 (B)'s settings: note that the value for "Profile 1 - Label" incorrectly appears to be "Custom Label". Exit settings without saving

- Add AppBuilder 5 (B) to an activity and note that the displayed label is "AppBuilderB"

- Open AppBuilder 5's settings. Exit without saving

- Open AppBuilder 5 (B)'s settings. Note that the value for "Profile 1 - Label" is now correctly displayed as "AppBuilderB"

The same problem can be demonstrated with any of the 4 clones.

EDIT: as mentioned in a comment below, I think this is a potential security issue.

EDIT2: Simplified recreation procedure:

- Install an app (B) with settings but do not modify settings or launch the app on the device. (App B's settings are uninitialized.)

- Install a related clone app (A) with similar settings to B. Modify settings so that they're recognizable

- Install an unrelated app (C) with dissimilar settings to B

- Open C's settings, then open B's settings. B's settings will show B's default values as expected. (Do not save B's settings at this point)

- Open A's settings, then open B's settings: you will see A's settings instead of B's default values

  • > So what I am suggesting is that I think the issue you experienced is another similar bug, this time in iOS Connect IQ, when you see the list of your installed apps, you see Your App 1, Your App 2, you click on the 2nd, but because of the bug the Connect IQ opens the settings of the 1st app.

    Except that I've only seen this happen when I install a new app that is a clone (with settings) of an existing app. I've installed a new app and seen settings for a completely unrelated app.

    Furthermore, if I make changes to the new app's settings and save them, then the new app actually receives those settings, which means that at least for the purposes of saving settings, the Connect IQ app thinks that those settings are associated with the correct app.

    I can still recreate the problem, and my observations pretty much match the recreation procedure outlined in the bug report. If I have a chance, maybe I'll post a video, but for now you'll just have to take my word for it or try it yourself.

  • I use Android but I have noticed multiple times in multiple Garmin Android apps that Garmin have a problem dealing with lists. The best example is the Connect IQ app: do some search with lots of results, then start to scroll down and try to remember the apps you see in the list. Continue to scroll down and you'll notice that the same apps are coming up again and again. So you'll see the apps like: a b c d e f g h d e f g h d e f g h...

    I saw this also in Garmin Connect but I don't remember which screen (maybe badges?)

    So what I am suggesting is that I think the issue you experienced is another similar bug, this time in iOS Connect IQ, when you see the list of your installed apps, you see Your App 1, Your App 2, you click on the 2nd, but because of the bug the Connect IQ opens the settings of the 1st app.

    If you can still reproduce it, then can you upload a screen recording?

  • > (I never have been a fan of cloning, but that aside...)

    Yes we talked about that, but I did it bc users asked for it. I think it's worse when some devs have dozens of a data field for different devices / functionality, although the device-specific clones will only really be a problem on the store website, and I bet most normal users exclusively use the store app.

    > Interesting bug where you seem to be able to affect settings from other apps.

    This bug seems to affect what's displayed in the CIQ store app, but not the actual settings on the device, unless the user edits the "fake" settings in the CIQ app and saves them.

    This seems to indicate that:

    - Initially properties (related to settings) are null / non-existent on the device (as opposed to taking on the settings default values at the time of installation). I think this was probably explored years ago, but the question has come up a few times since then

    - In this state, the device uses the real default settings whereas the CIQ store app may use "fake" settings values from a different app

    - If the user launches the app before changing settings via the CIQ store app, then the real defaults will take effect

    - If the user changes settings via the CIQ store app before launching the app, then the modified "fake" settings will take effect

    I think the privacy/security implications of this bug are fairly bad. If it's really just a matter of having the same property key as a different app, then one app could potentially "steal" data (in the form of settings) from another app, whether intentional or not. After all, security was cited as a reason that even apps from the same dev are not allowed to share data.

    e.g. Imagine a scenario where a bad actor makes a malicious app that has innocuous settings related to the app itself, but it also has properties/settings with key names like "username", "password", "unlock_code", etc which may correlate to sensitive settings related to other apps. The bad actor can add enough legit settings so that the bad settings are at the bottom of the page. Since the Save button is at the top of the page, the user wouldn't need to scroll to the bottom of the page to save settings, so they wouldn't necessarily notice that settings from another app had been captured by this one. The bad actor could also designate all of the malicious fields as "password" fields which would make it harder for the user to realize that data is being "stolen".

    Ofc the mitigating factors are:

    - This only works before the user launches the app for the first time after installation (but if they just installed the app, they may want to set it up immediately)

    - The user might notice that there are suspicious fields which don't seem related to the app (but ofc the bad actor could try to use innocuous labels, or to have functionality which overlaps with the stuff they're trying to steal)

    - The bad actor has to guess the names of app keys they want to steal (unless they're targeting a non-music app that supports older devices, in which case they can just copy the app PRG off the older device and analyze it.)

  • (I never have been a fan of cloning, but that aside...)

    Interesting bug where you seem to be able to affect settings from other apps. My guess is that the same property name could be a key factor. You could extend your test by making a new app that just have a selection of your properties and see whether the issue manifests.
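
The reproduction procedure from the report and the "same property key" guess from the comments, as an added Python model (not Garmin's code and not part of any post above). It assumes the settings editor fills an uninitialized app's fields from values left by the previously opened app, matched by property key only; the `Editor` class, the `profile1_label` key and the `app-A`/`app-B`/`app-C` identifiers are hypothetical. `scoped=True` is the hardened behaviour, where an uninitialized app only ever shows its own defaults.

```python
# Added model, not Garmin code. Assumption: for an app whose on-device settings
# are uninitialized, the editor fills fields from values left by the previously
# opened app, matched by property key alone.
A = {"uuid": "app-A", "defaults": {"profile1_label": "AppBuilder"}}   # constructed
B = {"uuid": "app-B", "defaults": {"profile1_label": "AppBuilderB"}}  # clone of A
C = {"uuid": "app-C", "defaults": {"unrelated_option": 1}}            # dissimilar

class Editor:
    def __init__(self, scoped):
        self.scoped = scoped   # True: hardened, never reuse another app's values
        self.form = {}         # values left in the form by the last opened app

    def open(self, app, device):
        stored = device.get(app["uuid"])   # None until first launch or save
        shown = {}
        for key, default in app["defaults"].items():
            if stored is not None:
                shown[key] = stored[key]
            elif not self.scoped and key in self.form:
                shown[key] = self.form[key]   # stale value from another app
            else:
                shown[key] = default
        self.form = shown
        return shown

    def save(self, app, device, shown):
        device[app["uuid"]] = dict(shown)   # written under the correct app

def run_procedure(scoped):
    """Label shown for B after opening C, after opening A, and after B's launch."""
    device = {"app-A": {"profile1_label": "Custom Label"}}   # only A is initialized
    ed = Editor(scoped)
    ed.open(C, device)
    after_c = ed.open(B, device)["profile1_label"]
    ed.open(A, device)
    after_a = ed.open(B, device)["profile1_label"]
    device["app-B"] = dict(B["defaults"])   # first launch applies the real defaults
    ed.open(A, device)
    after_launch = ed.open(B, device)["profile1_label"]
    return after_c, after_a, after_launch

def save_before_launch(scoped):
    """What B stores if the user saves the displayed values before launching B."""
    device = {"app-A": {"profile1_label": "Custom Label"}}
    ed = Editor(scoped)
    ed.open(A, device)
    ed.save(B, device, ed.open(B, device))
    return device["app-B"]["profile1_label"]
```

With `scoped=False` the model reproduces the sequence in the report (correct after C, A's value after A, correct again after first launch); with `scoped=True` app B never displays or stores app A's value.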