People worry, and I know I've written about how Apple allowing side-loading apps, as it's about to do in Europe with iOS 17.4, could lead to dangerous, malware-filled apps arriving on your best iPhone. But it turns out that the tight checks and balances of Apple's App Store aren't entirely perfect either.
Earlier this week we learned through the popular password management system LastPass that there was a fraudulent app posing as its own app in the Apple App Store. The developer, listed under the name of the Harry Potter character Parvati Patel, wasn't exactly subtle. A search for 'Lastpass Password Manager' would return, along with the legitimate app, the Patel app with a logo that, while different, could easily be confused with the actual LastPass logo. She also used a collection of screenshots that looked a lot like LastPass' mobile password management system.
LastPass alerted customers about the fake app in a Feb. 7 blog post and promised to “continue to monitor for fraudulent clones of our apps and/or infringements of our intellectual property.”
At the time of writing, the app had disappeared from the App Store. I also searched Google Play and fortunately couldn't find a similar scam LastPass app.
App appears
As a long-time LastPass customer, I was horrified. This wasn't just a fake slot machine or news app; LastPass manages all of my passwords (and the passwords of millions of other customers), which means, at least in my life, it holds the keys to the kingdom. I have no idea how the fake LastPass worked or didn't work, but if someone downloaded it and started using it as if it were real, they could at least be giving away their LastPass master password to a criminal enterprise.
This app would not only attract new, unsuspecting LastPass customers, but also existing ones. Let's say you get a new iPhone and you have to reinstall all your main apps. If you're not paying close attention (something 'Parvati Patel' depended on), you could have downloaded and started using the fake app, probably with disastrous results.
Apps like this are not supposed to pass through Apple's security layers. As I understand it, Apple's app verification process is a closed loop with important checks. Registered iOS developers provide Apple, according to its Developer Program support page: “information associated with your Apple ID, including your name, email address, age, phone number, preferred language, and country or region, to create and maintain your developer account, and provide you with Apple Developer Program features.”
What did Patel give Apple: a Hogwarts owl?
The point of not allowing side-loading apps is that fake and dangerous apps would not be able to reach end users, especially apps that blatantly impersonate legitimate apps; at least I thought that was the point. Couldn't Apple have done a simple name check before making the fake LastPass public? Surely the system would have noticed the discrepancy.
Apple's protego spell
I asked Apple how such an imposter app got through their app and developer verification system. Apple confirmed that it had removed the app and, yes, 'Parvati Patel' will be removed from its Apple Developer Program. Of course, since that's almost certainly not the developer's real name, I have to assume that Patel will soon appear as a new developer named 'Ludo Bagman'.
Apple is within its rights to remove the app and Patel because, as Apple pointed out, it is against the rules to impersonate other apps.
However, it appears that if Apple's vetting system fails, it may be up to companies like LastPass (owned by developer LogMeIn) to register a dispute in Apple's content dispute process. LastPass reported doing so on February 7.
Apple never explained why its system failed, but it did highlight its efforts to make the App Store a safe space for developers and consumers. However, that highly lucrative space is clearly under constant attack, and it's a wonder we don't see many more fake apps on the App Store.
The company reports stopping at least $2 billion in fraudulent App Store transactions in 2022, and while the fake LastPass app slipped through, Apple has so far rejected nearly two million apps because they didn't meet Apple's security and quality standards.
Apple also reports removing 153,000 submissions of apps that were spam, deceptive, or, of course, knockoffs. That type of activity has led to the cancellation of almost half a million developer accounts.
The thing is, Apple is doing the job. Is it enough? For anyone who managed to download and use that fake LastPass app before LastPass and Apple caught on, probably not.
While the fake LastPass app episode is disheartening, the amount of work Apple is doing to stop even more app scams further cements my belief that downloading completely open iPhone apps would be an unmitigated disaster. So there's that.