A fake LastPass developer wizarded their way onto the App Store – but things could actually be far worse

Fake LastPass.

People worry, and I know I've written about how Apple allowing side-loaded apps, as it's about to do in Europe with iOS 17.4, could lead to dangerous malware-filled apps arriving on your iPhone. But it turns out that Apple's ironclad App Store checks and balances aren't entirely perfect either.

Earlier this week we learned from the popular password management system LastPass that there was a fraudulent app impersonating its own app in Apple's App Store. The developer, listed as Harry Potter character Parvati Patel, wasn't exactly subtle. A search for 'Lastpass Password Manager' would return, along with the legitimate app, Patel's app with a logo that, while different, could easily be mistaken for LastPass's real one. It also used a collection of screenshots that looked a lot like LastPass's mobile password management system.

LastPass alerted customers to the fake app in a February 7 blog post, and promised to "continue to monitor for fraudulent clones of our applications and/or infringements upon our intellectual property."

At the time of this writing the apps had disappeared from the App Store. I also searched in Google Play, and fortunately I couldn't find a similar fraudulent LastPass app.

App apparates

As a longtime LastPass customer, I was appalled. This wasn't just a fake slot machine or news app; LastPass manages all of my passwords (and the passwords of millions of other customers), which means, in my life at least, that it has the keys to the kingdom. I have no idea how the fake LastPass worked, or didn't, but if someone downloaded and started using it as if it were the real thing, they could at the very least be giving away their LastPass Master Password to a criminal enterprise.

This app wouldn't just rope in unsuspecting new LastPass customers but existing ones as well. Let's say you get a new iPhone and have to reinstall all your core apps. If you're not paying close attention – something 'Parvati Patel' was depending on – you could have downloaded and started using the fake app, likely with disastrous results.

Apps like this getting through Apple's layers of security is not supposed to happen. My understanding of Apple's app verification process is that it's a closed loop with significant checks. According to its Developer Program support page, registered iOS developers provide Apple with "information associated with your Apple ID, including your name, email address, age, phone number, preferred language, and country or region, to create and maintain your developer account and provide you with features of the Apple Developer Program."

What did Patel provide – an owl gram from Hogwarts?

The whole point of not allowing side-loading apps is that fake and dangerous apps couldn't make their way all the way to end users, especially apps that are so blatantly impersonating legitimate apps – at least I thought that was the point. Couldn't Apple have performed a simple name check before making the fake LastPass public? Surely, the system would've noticed the discrepancy.

Apple's protego spell

I asked Apple how such an imposter app got through its developer and app verification system. Apple confirmed that it had removed the app and, yes, 'Parvati Patel' is being removed from its Apple Developer Program. Of course, since that's almost certainly not the developer's real name, I have to assume that Patel will soon pop up as a new developer named 'Ludo Bagman.'

Apple is well within its rights to remove the app and Patel because, as Apple noted, it's against the rules to impersonate other apps.

It seems, though, that if Apple's vetting system fails, it may be up to companies like LastPass (owned by developer LogMeIn) to log a dispute with Apple's content dispute process. LastPass reported doing so on February 7.

Apple never explained why its system failed, but it did point to its efforts to make the App Store a safe space for developers and consumers. That highly lucrative space, though, is clearly under constant attack, and it's a wonder we don't see a lot more fake apps in the App Store.

The company reports stopping at least $2 billion in fraudulent App Store transactions in 2022, and, even though LastPass slipped through, Apple has so far rejected almost two million apps because they didn't meet Apple's safety and quality standards.

Apple also reports swatting away 153,000 app submissions that were spammy, misleading, or, of course, copycat apps. That kind of activity has led to the termination of almost half a million developer accounts.

The point is that Apple is doing the work. Is it enough? For anyone who did manage to download and use that fake LastPass app before LastPass and Apple noticed it, probably not.

While the fake LastPass app episode is disheartening, the amount of work Apple does to stop even more app fraud further cements my belief that fully open iPhone app sideloading would be an unmitigated disaster. So there's that.
