64 comments

[ 4.1 ms ] story [ 127 ms ] thread
(comment deleted)
Isn't this the "App Store" that they are gate keeping for this kinds of threats?
Perhaps the Store found no threat?

Do note that this article fails to actually identify any threat here.

It's not difficult to imagine possible threats just by looking at the comparison screenshots alone:

https://blog.lastpass.com/2024/02/warning-fraudulent-app-imp...

> Do note that this article fails to actually identify any threat here.

From the article:

> ...the app was likely created to act as a phishing app and steal credentials.

> If you have installed the fake LastPass app, you should immediately remove it and change your password at lastpass.com. It is then advised to perform the arduous task of resetting all passwords stored in your LastPass vault to be safe.

Though one could argue that they have not _definitively_ proven that this app is a threat through testing, it really is not much of a stretch of the imagination that a LastPass-lookalike would be used for phishing. This app is very clearly an illegitimate clone.

> ...the app was likely created to act as a phishing app and steal credentials.

That a fear, not a threat.

> Though one could argue that they have not _definitively_ proven that this app is a threat

Why bother arguing that? They haven't claimed any evidence, let alone proof.

> it really is not much of a stretch of the imagination that a LastPass-lookalike would be used for phishing.

App Store rightly does not ban apps on stretches of imagination.

> App Store rightly does not ban apps on stretches of imagination.

Apple has removed the app: https://techcrunch.com/2024/02/08/a-fake-app-masquerading-as...

> Apple has removed the app

Fake news. Article does not say Apple removed it. On the contrary:

"whether by Apple or the fake app’s developer is yet unclear — Apple has not commented."

Apple never comments on that, but somehow magically every single time a scam app makes the news media, the app disappears from the App Store.
You've still not shown this is a scam app.
I don't need to show that. It's obvious to everyone except you... and Apple's app reviewers. Maybe you're one of them?

Your view is very strange though, because if the app were not a scam, then why would the developer voluntarily pull the app from the store?

> I don't need to show that.

Agreed. And readers can draw the obvious conclusion from your failure to do so.

> if the app were not a scam, why would the developer voluntarily pull the app from the store?

To prevent further bad publicity, obviously.

> And readers can draw the obvious conclusion from your failure to do so.

People all over the internet today in various discussion forums, including on HN in multiple submissions, have already drawn the obvious conclusion, without having read my comments, and their conclusion is almost universally the opposite of yours.

> To prevent further bad publicity, obviously.

It prevents any sales, which is the point of selling in the App Store. But why do you think there's so much bad publicity, if there's nothing wrong with the app?

It's unclear why it even matters who exactly removed the app from the App Store, because Apple's rules do not allow developers to deceive App Store users, and you've already more or less admitted that the app is deceptive. https://news.ycombinator.com/item?id=39308175 Although I don't know how you can justify saying that it's "at most" deception rather than "at least" deception, because "Trusted by over 1+ million users and 10,000+ businesses" is a flat out lie. Thus, even if the developer refused to remove the app, Apple should have anyway.

> But why do you think there's so much bad publicity

The LastPass claims.

> if there's nothing wrong with the app?

I didn't say there's nothing wrong with the app.

> It's unclear why it even matters who exactly removed the app from the App Store

Then I wonder why you are insisting it was Apple.

> Then I wonder why you are insisting it was Apple.

As I already said, "somehow magically every single time a scam app makes the news media, the app disappears from the App Store." Also, self-removal "prevents any sales, which is the point of selling in the App Store."

> I didn't say there's nothing wrong with the app.

Then I wonder why you are insisting it wasn't Apple.

It appears your view is that it's "unsubstantiated" unless Apple comments, but as I already said, Apple never comments about this, so apparently there's never any substantiation according to you, and it's just a giant coincidence that every single time a scam app makes the news media, the app disappears quickly from the store, even when the app's developer may be asleep due to living on the other side of the Earth.

It's a very convenient way of sticking your head in the sand and refusing to make the most logical inference.

> As I already said, "somehow magically every single time a scam app makes the news media, the app disappears from the App Store."

Even if true, that doesn't mean removal was by Apple rather than dev.

> self-removal "prevents any sales, which is the point of selling in the App Store."

Ditto. Self-removal reduces further rep damage that cold impact other sales inc. of a future remedied version.

>> I didn't say there's nothing wrong with the app.

>Then I wonder why you are insisting it wasn't Apple.

I am not. I am insisting we don't know.

> It appears your view is that it's "unsubstantiated" unless Apple comments

No. You've shown no substantiation from /any/ source. Just supposition.

> but as I already said, Apple never comments about this, so apparently there's never any substantiation according to you,

Wrong. Often devs announce removal by Apple.

> a very convenient way of sticking your head in the sand and refusing to make the most logical inference.

Inference requires evidence. None has yet been shown.

I agree with the Techdirt article that you misrepped as saying removal was by Apple. "whether by Apple or the fake app’s developer is yet unclear".

> Self-removal reduces further rep damage that cold impact other sales inc. of a future remedied version.

I eagerly await the return of the app.

That's the thing: these scam removals never return. New scams arise, but the specific removed apps don't.

You speak of evidence, so show me even one example of a publicized scam app that was removed (by "someone") and then returned triumphantly.

> Wrong. Often devs announce removal by Apple.

Wrong. Legitimate developers announce removal by Apple. Scam developers never announce removal by Apple. In fact, scam developers are almost always anonymous, so where would you even find their announcements? Go ahead and find the announcements of "Parvati Patel". I'll wait here.

> Inference requires evidence. None has yet been shown.

Wrong. We have plenty of evidence. You're requiring a very specific piece of evidence, an official announcement from someone, but that's never going to occur. It's weird to even call it "inference" when your evidence for X is simply someone asserting X. (Moreover, theoretically, either Apple or the developer could be lying, so where's your evidence that they're not?)

> scam developers are almost always anonymous

This dev is not. His name is on the app.

> We have plenty of evidence.

None shown. The only evidence you presented was the TechDirt article which transpired to be a misrep by you.

> You're requiring a very specific piece of evidence, an official announcement from someone

I am not requiring anything. I"m happy to accept the lack of evidence for your claim Apple removed the app.

> Moreover, theoretically, either Apple or the developer could be lying, so where's your evidence that they're not?

Since no-one has shown either has identified the removal, we need no evidence to show either one lied about it.

https://www.pcmag.com/news/beware-theres-a-fake-lastpass-app...

“UPDATE 2/9: Apple has removed the "LassPass" app from its App Store and also pulled the app's developer from its developer program, the company confirms to PCMag. Apple says it has also received a trademark dispute against the now-removed app.“

I guess you can stop the logorrhea now… Although the true lesson I hope you take away from this is that you could have stopped the logorrhea at any time if you applied just a little deductive reasoning and common sense.

Why are you like this? Pedantically parsing gnat shit out of pepper doesn’t make you smart, it makes you insufferable.
It is internet moderator syndrome.
Why am I challenging "Apple has removed the app" you mean?

Because it is unsubstantiated.

No pedantry involved.

And yet Apple removed it after it was publicized, so…
There is no evidence Apple did.
Circumstantial evidence is still evidence, Chris. The fact that it was no longer available on the store tends to imply that Apple removed it. Especially since the alternative is that the developer, who clearly acted in bad faith publishing an app masquerading as another app for the purpose of tricking people into making that developer profit, pulled it himself. You can put on your big boy deductive reasoning hat and draw a pretty reliable inference.

Or you can simply read:

https://www.pcmag.com/news/beware-theres-a-fake-lastpass-app...

UPDATE 2/9: Apple has removed the "LassPass" app from its App Store and also pulled the app's developer from its developer program, the company confirms to PCMag. Apple says it has also received a trademark dispute against the now-removed app.

But Apple said their App Store is so safe that you do not need to worry about these kind of scams
Safer than allowing unregulated app stores to exist where an abundance of fake LastPass apps can be found I imagine.
https://play.google.com/store/search?q=lasspass&c=apps&fpr=f... shows that Parvati Patel didn't even have the forethought to submit to multiple stores, for maximum phishing. Or, from Apple's perspective, worse may be that they did submit it and Google either caught it or its review cycle is so hopelessly borked it didn't outrun the news coverage. Hard to tell who is the most facepalm of all these actors
In the unregulated scenario, you at least know the score. In the current scenario, you have a false sense of security that this must be the real deal, because Apple reviews the app submissions.
The problem with app stores is that they sell the idea of verifying trustworthiness when the really can't. The biggest effect they can have is by doing identity verification and they make the same mistake that EV TLS certificates, etc. did. That mistake is assuming business names and trademarks are unique. They're not.

The entire software distribution industry could use a mulligan. I think it should start by using domains as identity because it's the only namespace we have with global buy-in and anyone can register / reserve a unique identifier (aka domain) in that system.

If the supply chain for that app went back to 'lastpass.com', and that information was prominently displayed, it solves a lot of problems in terms of educating users to help them avoid scams.

How, in the utter fuck, does this get past app review?

It’s not like it’s an edge case either, there are hundreds of apps with obviously and blatantly misleading logos, brands, names etc. Just see ChatGPT / OpenAi for example.

I have taken to sharing direct links to Apps in the app store now when recommending things to non-technical friends/family, because I’ve lost all confidence that they will find the “correct” app anymore just by searching, and not one of hundreds of highly dubious clone apps.

Difficult to argue against the recent actions of the EU when the supposed benefits of the walled garden are crumbling anyway…

Also, I somehow got the impression that one needed to provide Apple with live credentials to exercise any cloud service that the app fronts; so that makes me wonder if the malicious actor bought a LastPass subscription just to allow Apple to phish themselves?
I wouldn't be surprised. The issuers of code signing certificates used to ask the person getting the cert to provide links to public registries of business / phone number listings. I had it happen to me.

A lot of the "security" industry is a big scam designed to take your money. Many of the products they sell don't work because they don't have the ability to filter out bad actors. What's the value of a code signing certificate if someone can spin up a company in a corrupt country and get an EV code signing cert for that businesses? The answer is $0.

Does not the word review in sentence one needs irony quotes.
Yeah, and my app got rejected because it links to other webpage...
(comment deleted)
There are so many scams on every platform that it's ridiculous. I think the gatekeepers are responsible for it TBH. Prior to big tech usurping control over distribution, a lot more effort went into branding and direct distribution of apps. People understood the difference between lastpass.com and totallynotfakelastpass.com. Then big tech started obscuring identity and trust information in an effort to push users towards their gateways (Google search, Apple app store, etc) instead. And here we are, in a world filled with users that can't help themselves because they've been systematically dumbed-down by big tech.

We're on the 2nd generation of users that have been trained to trust the app store which is little more than a big search engine due to the volume. I would compare it to searching for an app on Google and installing whatever shows up high in the results.

The average user doesn't have the tools to discover the trustworthiness of individual developers, and haven't for ~15 years, which has led to a situation where no one (normal) could assess things properly even if you gave them the tools they need.

> People understood the difference between lastpass.com and totallynotfakelastpass.com.

The Domain Name System has its flaws, but it's honestly kind of a miracle that we arrived at a system that's easy for users to remember (compared to numeric phone numbers), while remaining relatively decentralized.

If you reviewed at the fraud listing[1] and had no knowledge of the LastPass app, I'm not sure you would know it was a copy.

I worked on the App Store and Music at Apple, but I have no idea about the app review process.

1. https://blog.lastpass.com/wp-content/uploads/sites/20/2024/0...

If you aren't putting the effort in to verify anything or doing enough research to even like, see if there is an existing app or that this app is related to the real website, then you simply can't claim--as Apple does--to be screening the apps that are submitted for scale. Like, are you suggesting that the goal of the App Store's walled garden is merely to prevent obvious scams?!
> see if there is an existing app or that this app is related to the real website

I’m still not sure what you are suggesting a reviewer unfamiliar with LastPass to know.

I am expecting the reviewer to spend a moment at least searching their own store for LastPass, in addition to searching Google and checking the credibility of the submitter. Why, pray tell, do you think the reviewer even deserves to exist if they cannot block this sort of scam, due to something as trivial a reason as "they hadn't personally heard of LastPass"? There is a good reason why the FTC has finally decided to call bullshit on companies like Apple who claim their centralized closed ecosystem and resulting anti-competitive market manipulation is "required" for safety / security: you even used to work for Apple, and are essentially admitting they can't possibly do this function!!
This is human judgment. There are going to be failures. I believe a closed ecosystem is safer. You do not. Great! Let's each support the company that gives us that. <3
That really isn't sufficient here, as you are lying to the people who are putting their trust in you: a reviewer who is claiming to protect users from scams who won't even put in the token effort to learn what LastPass is before accepting it is simply not doing the role they claimed to be doing.

The reasonable response here from people at Apple should be more like "this individual reviewer was negligent in their duties and has been reprimanded appropriately; additionally, we are attempting to prevent this kind of mistake from happening in the future with better training and more redundancy in the review process", not "what do you expect? how could the reviewer possibly know what LastPass is?".

Like, do I believe an open ecosystem is better? Of course! But that isn't my argument here, today, on this thread. I am saying that, assuming the benefits claimed of the closed ecosystem are legit, Apple is not just doing a half-assed job: you are actively defending that half-assed job by saying it somehow isn't possible to do better, even when that obviously isn't the case... do remember that this was actually my job for a while!

If you had submitted this kind of scam to Cydia, I guarantee I would have put enough effort in to at least learn what LastPass was and verify your involvement in the company before rubber-stamping a product that used its trademark! (Which, incidentally, maybe finally explains why the independent UCSB research done on this actually showed Cydia offered a safer curated core ecosystem than Apple... we actually gave a shit about what we promised to do.)

Your first two sentences contradict with the third. How can you honestly defend a manually-vetted process that doesn't catch surface-level scams that even a Linux packager would catch?
> LastPass is warning that a fake copy of its app is being distributed on the Apple App Store

Fake news. LastPass's warning does not claim the other app is a fake copy.

https://blog.lastpass.com/2024/02/warning-fraudulent-app-imp...

> LastPass would like to alert our customers to a fraudulent app attempting to impersonate our LastPass app on the Apple App Store. The app in question is called “LassPass Password Manager” and lists Parvati Patel as the developer.

Yup. No fake copy claim there.

And the claim of fraud is unsubstantiated.

> No fake copy claim there.

What would you consider to be such a claim? The part they quote seems to explicitly call out the other app as being a fake copy when they call it "a fraudulent app attempting to impersonate our LastPass app".

> And the claim of fraud is unsubstantiated.

You seem to be asserting that there is no such claim. What are you trying to say?

> What would you consider to be such a claim?

"The app is a fake copy."

> The part they quote seems to explicitly call out the other app as being a fake copy when they call it "a fraudulent app attempting to impersonate our LastPass app".

Explicit would be "fake copy".

This callout does not even claim successful impersonation.

> You seem to be asserting that there is no such claim.

On the contrary, there is such a claim. What I said was is the claim is unsubstantiated.

If they were to explicitly claim an app as a fake copy, and you agreed that said app was a fake copy, what would that application look like and what would it do?
> If they were to explicitly claim an app as a fake copy

How about wait until it happens?

>> close examination of the posted screenshots reveal misspellings and other indicators the app is fraudulent

Misspellings indicate fraud?? Good grief.

The App Store description said, "Trusted by over 1+ million users and 10,000+ businesses". That's fraud.
No, that's at most just deception.

Check the meaning of fraud in the dictionary, please.

I did. Maybe you should too. Although the dictionary is not actually a legal authority.
Fraud is a misrepresentation to induce reliance in another. This statement absolutely qualifies. Duh.
Apple: Our devices must remain walled gardens so only the highest quality, legitimate apps are able to be installed. And we require a 30% rent on every transaction for the purpose of maintaining the integrity of our garden.

Also Apple: Lets in thousands of scam apps as a matter of course

This is my biggest fear - that my password app is hacked. What if the real LastPass (or KeePass, or whatever) dev had a gun held to his head to add code to upload credentials to somewhere, and then signs and uploads the legitimate app. Open source doesn’t help - dev just doesn’t check in the changes. Reproducible builds and open source help in theory, but how many people go to that length if it’s even possible? I don’t.
(comment deleted)