A fake LastPass developer has entered the App Store with a magic wand, but it could have been much worse

People are concerned, and I know I’ve written about how Apple allowing side-loaded apps, as it will do in Europe with iOS 17.4, could lead to dangerous, malware-filled apps ending up on your iPhone. But it turns out that Apple’s rock-solid controls in the App Store aren’t entirely perfect either.

Earlier this week we learned from the popular password manager LastPass that a rogue app impersonating its own app was live in Apple’s App Store. The developer, listed as Harry Potter character Parvati Patel, was not exactly subtle. A search for ‘Lastpass Password Manager’ would bring up, alongside the legitimate app, Patel’s app with a logo that, while different, could easily be mistaken for the real LastPass logo. It also used a collection of screenshots that closely resembled LastPass’ mobile password management app.

LastPass warned customers about the fake app in a Feb. 7 blog post and promised to “continue to monitor for fraudulent clones of our applications and/or infringements of our intellectual property.”

At the time of writing, the app had disappeared from the App Store. I also searched Google Play, but luckily I couldn’t find a similar rogue LastPass app there.

App appears

As a long-time LastPass customer, I was shocked. This wasn’t just some fake slot machine or news app; LastPass manages all my passwords (and the passwords of millions of other customers), which means, at least in my life, it holds the keys to the kingdom. I have no idea how the fake LastPass worked, or whether it did anything at all, but if someone were to download it and use it as if it were real, they could at the very least hand their LastPass master password to a criminal enterprise.

This app could attract not only unsuspecting new LastPass customers, but existing ones as well. Let’s say you get a new iPhone and need to reinstall all your core apps. If you weren’t paying close attention – something ‘Parvati Patel’ depended on – you could have downloaded and used the fake app, likely with disastrous consequences.

These types of apps are not supposed to get through Apple’s security layers. My understanding is that Apple’s app verification process is a closed loop with significant checks. Registered iOS developers provide Apple, according to the Developer Program support page: “information associated with your Apple ID, including your name, email address, age, phone number, preferred language, and country or region, to create your developer account and maintain and provide you with Apple Developer Program features.”

What did Patel give: an owlgram from Hogwarts?

The whole point of not allowing sideloaded apps is so that fake and dangerous apps can’t reach end users, especially apps that so blatantly mimic legitimate ones – at least I thought that was the point. Couldn’t Apple have done a simple name check before making the fake LastPass public? The system would undoubtedly have noticed the discrepancy.

Apple’s protection spell

I asked Apple how such an impostor app got through the developer and app verification system. Apple has confirmed that it has removed the app and yes, ‘Parvati Patel’ is being removed from the Apple Developer Program. Of course, since that’s almost certainly not the real name of the developer, I have to assume that Patel will soon emerge as a new developer named “Ludo Bagman.”

Apple is well within its rights to remove the app and Patel because, as Apple noted, it’s against the rules to impersonate other apps.

However, it appears that if Apple’s control system fails, it may be up to companies like LastPass (owned by developer LogMeIn) to file a dispute through Apple’s content dispute process. LastPass reported this on February 7.

Apple never explained why its system failed, but it did point to its efforts to make the App Store a safe place for developers and consumers. However, that very lucrative space is clearly under constant attack, and it’s a wonder we don’t see many more fake apps in the App Store.

The company reports that it stopped at least $2 billion in fraudulent App Store transactions in 2022, and while the fake LastPass app slipped through the cracks, Apple has rejected nearly two million apps so far for not meeting its security and quality standards.

Apple also reports that it has wiped out 153,000 app submissions that were spammy, deceptive, or, of course, copycat apps. That kind of activity has led to the termination of nearly half a million developer accounts.

The point is that Apple does the work. Is it enough? For anyone who managed to download and use that fake LastPass app before LastPass and Apple noticed, probably not.

While the fake LastPass app episode is disheartening, the amount of work Apple is doing to stop even more app fraud reinforces my belief that fully open sideloading of iPhone apps would be an unmitigated disaster. So there’s that.
