Is Icon Themer shortcut a security concern or just harmless?
At this point, I’m sure you have come across the cool iOS 14 home screens with custom widgets and matching custom app icons. I even wrote a simple walkthrough on how to use Icon Themer to create those custom app icons. However, a lot of questions have been asked about it. Is the Icon Themer shortcut a security concern? Or is it really a harmless, fun way to customise your iPhone home screen?
Common security concerns of the Icon Themer shortcut
It is a good thing that the details of the Icon Themer shortcut are completely open. Nothing is hidden! You can literally open it up and see what it does. In this article, I will walk through the key parts of the shortcut and address the common security concerns of the Icon Themer shortcut:
- Does it expose remote access through the use of iOS profiles?
- What external connection is made by the shortcut?
- Are photos getting sent to an external server?
- Does Icon Themer send your personal data out of your device?
Read on and find out more!
Dissecting the Icon Themer Shortcut
I am writing this post based on Icon Themer shortcut version 0.4.4. I will try to update the article if newer versions of the Icon Themer shortcut bring major changes that affect these security concerns.
1. Opening the Profiles settings
The first URL that is formed and opened in the Icon Themer shortcut is to the Profiles settings under General settings. The script first checks if the shortcut input has any value at all. If it does, it will open up the Profiles page. This is what the last step of the shortcut does with the generated landing page. If you tap to run Icon Themer from the Shortcut app, the input will not have any value.
You can even test this prefs: URL scheme yourself and see what it does. I think there is currently a bug with the shortcut as it is not able to open up the right settings page in my test. The same error is also seen when you complete the creation of a custom app icon using the shortcut.
2. Getting the latest Icon Themer shortcut metadata
The next external connection is the shortcut getting the latest version of itself from RoutineHub. It does this by generating an inline script on a URL on-device. The shortcut then calls RoutineHub’s API endpoint that returns the metadata it needs. The shortcut does this to check if there is a newer version of itself.
Again, you can call the API endpoint yourself and see what it is that the shortcut is actually getting. Here, I use the Paw API testing app to call the https://routinehub.co/api/v1/shortcuts/6565/versions/latest API endpoint.
3. Updating the Icon Themer shortcut
As shown in the screenshot above, if a higher version number is found, the next external connection made by the shortcut is to generate the URL on-device and then download the latest version of itself. It does this with two external calls. The first is to RoutineHub to get the latest shortcut link on iCloud and the second is to download the latest version of the shortcut.
4. Searching the App with AppStore
When you run the Icon Themer shortcut, it will ask for the name of the app to search. It uses the AppStore to search for the app in order to get the app’s bundle ID, as you can see from the two screenshots below.
The details of the Network action show that it uses the GET method to call the https://itunes.apple.com/lookup API endpoint. This is a legitimate API call and is nothing to be concerned about.
5. Getting the custom icon artwork
This is a common one among those who think that Icon Themer is a security concern. I have discovered instead that there is really nothing to worry about. It does all the necessary actions on your own device and does not send any of your photos to any external servers.
Firstly, if you choose to just use the default app icon, it takes the artwork from the AppStore and resizes it to 123×123 pixels and encodes it on your own device. It does not rely on an external server to process the icon at all.
If you then choose to use your own photos or icons from the Photos or Files apps, it also does it all on device. The shortcut will also need to get the necessary permissions before it can select any photos from the Photos or Files apps. You can see below that I’ve only given permissions to the Files app and not Photos.
Just as with the default app icons, the Icon Themer shortcut also resizes and encodes the icon locally on your device. Interestingly here, it resizes the icon to 144×144 pixels instead.
6. Getting the latest URL Schemes from GitHub
This is the last external connection that the shortcut would make. In this step, it makes a call to pull the latest set of URL Schemes that would be used for the web snippet of the custom app icon profile.
I again accessed the URL manually using Safari to show you that there are absolutely no security concerns here in this external network action.
7. Generating the Profile on device
This is pretty much the final step for the creation of the custom app icon.
The first part of the action is to generate the content of the custom profile, which is actually just a Web Clip. This shows you that the custom profile does nothing more than to execute the URL that is embedded within the profile. And this is also something you can inspect in the details of the profile in the Profiles settings page, both before and after installation of the profile.
In this part of the script, it is now generating and encoding the configuration profile so that your iOS device will install it as a custom profile. All the screenshots above show that this is being done completely locally on your device.
8. Generating a web landing page to redirect to the Profiles settings page
This last step is purely to give us a nice user experience. The HTML that is generated does nothing more than include a URL that calls the shortcut with some content (see point #1 above) so that you can easily be redirected to the Profiles settings page to complete the installation of the custom profile. But as I mentioned, there seems to be a bug as of version 0.4.4 of Icon Themer. It will likely get fixed soon.
9. The details of the Icon Themer profiles
Lastly, when you review the details of the profiles, you can clearly see that the profile is a Web Clip profile that does nothing but open up a URL scheme with the target app bundle ID. This is completely safe as long as the app itself is one that is safely downloaded from the AppStore.
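The manual review described in points 7 and 9 can also be scripted. The following is an added example, not part of the Icon Themer shortcut: it parses an unsigned configuration profile and reports any payload that is not a Web Clip. The sample profiles, the exampleapp:// scheme and the function names are constructed for illustration, and treating http/https Web Clip URLs as worth a second look is an assumption of this check.

```python
import plistlib
from urllib.parse import urlsplit

WEB_CLIP = "com.apple.webClip.managed"  # Apple's payload type for a Web Clip

def audit_profile(data: bytes) -> dict:
    """List the Web Clips in an unsigned profile and flag everything else."""
    profile = plistlib.loads(data)  # signed (CMS-wrapped) profiles are out of scope
    clips, findings = [], []
    if profile.get("PayloadType") != "Configuration":
        findings.append("top-level PayloadType is not 'Configuration'")
    for i, payload in enumerate(profile.get("PayloadContent", [])):
        ptype = payload.get("PayloadType")
        if ptype != WEB_CLIP:
            # Anything else (VPN, certificates, MDM, ...) changes device settings.
            findings.append(f"payload {i}: unexpected type {ptype}")
            continue
        url = payload.get("URL", "")
        scheme = urlsplit(url).scheme.lower()
        clips.append({"label": payload.get("Label"), "url": url})
        if scheme in ("", "http", "https"):
            # The article describes clips that open an app URL scheme, not a website.
            findings.append(f"payload {i}: URL {url!r} is not an app URL scheme")
    return {"clips": clips, "findings": findings}

def build_profile(payloads: list) -> bytes:
    """Build a constructed sample profile (hypothetical identifiers)."""
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": "example.constructed.profile",
        "PayloadDisplayName": "Constructed sample", "PayloadContent": payloads,
    })

# Constructed samples: "exampleapp://" is a made-up scheme, not a real app's.
CLIP = {"PayloadType": WEB_CLIP, "PayloadVersion": 1, "Label": "Example App",
        "URL": "exampleapp://", "IsRemovable": True}
CLEAN_PROFILE = build_profile([CLIP])
MIXED_PROFILE = build_profile([CLIP, {"PayloadType": "com.apple.vpn.managed",
                                      "PayloadVersion": 1}])

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PROFILE), ("mixed", MIXED_PROFILE)):
        print(name, audit_profile(blob))
```

An empty findings list means the profile contains only Web Clips that open app URL schemes, which matches what the Profiles settings page shows for an Icon Themer profile.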
Conclusion: Icon Themer is safe to use!
As you have seen in the reveal above, the Icon Themer is completely open to be checked. And as I’ve shown, there are little to no security concerns in the scripts and actions in the shortcut. Therefore, don’t be too concerned with it. As long as you are creating custom icons for the System apps or apps found in the AppStore, it would be 99% safe (nothing is ever 100% safe).