LastPass says a rogue application impersonating its popular password manager made it past Apple's gatekeepers and was listed in the iOS App Store for unsuspecting folks to download and install.
The software maker went public about the fake mobile app on Wednesday, warning that the knockoff "LastPass Password Manager," developed by someone calling themselves Parvati Patel, appeared to be trying to confuse users into installing the thing and possibly steal their data or credentials.
A screenshot of the fake LastPass app in the Apple App Store. Note the misspellings, incorrect developer name and single rating.
"Upon seeing the fake 'LassPass' app in the Apple App Store, LastPass immediately began a coordinated and multi-faceted campaign across our threat intelligence, legal and engineering teams to get the fraudulent app removed," Christofer Hoff, chief secure technology officer for LastPass, told The Register Thursday.
"We are in direct contact with representatives from Apple, and they have confirmed receipt of our complaints, and we are working through the process to have the fraudulent app removed," Hoff added.
Cupertino may have been on the case, but earlier today the app was still available in the store. El Reg asked Apple why the fake LastPass app was still up, and while we didn't receive a response, the app's URL stopped working and the application vanished from App Store search results on an iPhone within a few minutes of our email.
In other words, it's now gone.
How'd this weed make it into the walled garden?
Apps of questionable quality aside, Apple has a reputation for being a relatively safe place for the average iPerson to get their software, with a notoriously tough app approval process standing between developers and users.
Apple even updated its developer agreement and review guidelines last year to add a specific ban on apps that impersonate others. The design section of the app review guidelines even calls out developers who take such an approach, though it's more concerned with laziness than maliciousness.
"Come up with your own ideas," Apple demands of developers. "Submitting apps which impersonate other apps or services is considered a violation of the Developer Code of Conduct and may result in removal from the Apple Developer Program."
Of course, the system isn't perfect, and the occasional weed gets through the wall and into the garden. LastPass' impersonator isn't the first, though it is a particularly egregious case.
While it's understandable that some questionable IP theft could happen on the App Store on occasion, this is a full impersonation of a well-known brand. We'd love to know how this blunder happened, though we're unlikely to get an answer. LastPass wants to know too.
"[We're] working with Apple to understand more broadly how an application like this passed their normally rigorous security and brand protection mechanisms," Hoff told us. "The naming convention, the iconography and the description of the fraudulent app are all heavily borrowed from LastPass, and this appears to be a deliberate attempt to target LastPass users."
Separating the apps from the traps
Even with its insistence that opening the App Store to competition would lead to greater threats to user safety, Apple's content rules still aren't entirely solid. While we're confident that our readers know well how to tell a fake app from a real one, it's worth reminding everyone how to avoid being tricked into downloading a fake - and this fake LastPass app is rife with examples.
There are the obvious signs, like misspellings in app descriptions or in screenshots. The fake LastPass app, screenshotted in this story, actually shows a preview image telling users they can "store all your passwords with lasspass" - a good way to tell you're dealing with a faker, assuming legitimate developers have an editor.
There's also the developer name, which in LastPass' case should be "LogMeIn, Inc.," not a random person. Other apps from big providers (the most obvious ones to be targeted for impersonation) should likewise match the actual company behind the product.
The fake LastPass app also showed itself as having only a single five-star rating, while the real LastPass app has some 52k reviews. A legitimate app is unlikely to please everyone, either, and LastPass is no different - the real app is rated 4.4 out of 5 stars.
Additionally, four one-star reviews on the fake LastPass app that didn't appear to affect its overall score came from users warning that it was a scam, so there are two lessons to learn here: pay attention to the number of reviews on a supposedly legitimate app, and give them a read, too.
Along with those elements, look at the age of the app, and also take a look at the app privacy report baked into each page in the App Store - if an app doesn't look like it needs to link certain types of data to you (sudoku doesn't need to access user content or know your location), then skip it - even if it's legit, the developer might be selling your data.
As high as they may be, the walls around Tim's garden can't keep out all the garbage, so be careful. ®
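The checks above (developer name, rating count, brand misspellings, listing age) are the same ones a brand-protection team would script against App Store metadata. The following is an added example written for this article, not code from LastPass, Apple or The Register. Its field names follow Apple's iTunes Search API (https://itunes.apple.com/search?entity=software&term=...), but the records here are constructed by hand so it runs offline; the thresholds, the release dates and the third app are assumptions, and only the two LastPass entries' names, seller and rating figures echo the article.

```python
"""Triage App Store search results for apps trading on a brand's name.

Added example for this article; not code from LastPass, Apple or The
Register. Field names (trackName, sellerName, userRatingCount,
averageUserRating, releaseDate, description) follow Apple's iTunes Search
API, but the records below are constructed so the script runs offline.
The thresholds are assumptions to be tuned per brand.
"""
import difflib
import re
from datetime import datetime, timezone

NAME_SIMILARITY = 0.8    # assumption: a title this close to the brand "looks like" it
MIN_RATING_COUNT = 100   # assumption: an established app has far more ratings
MAX_AGE_DAYS = 90        # assumption: a brand-named app listed this recently is odd


def normalise(text):
    """Lower-case and strip everything but letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def name_similarity(brand, title):
    """Best match of the brand against any brand-length window of the title."""
    b, t = normalise(brand), normalise(title)
    if not b or not t:
        return 0.0
    best = 0.0
    for i in range(max(1, len(t) - len(b) + 1)):
        window = t[i:i + len(b)]
        best = max(best, difflib.SequenceMatcher(None, b, window).ratio())
    return best


def near_miss_tokens(brand, text):
    """Words that are almost, but not exactly, the brand (e.g. 'lasspass')."""
    b = normalise(brand)
    hits = []
    for tok in re.findall(r"[A-Za-z0-9]+", text):
        n = normalise(tok)
        if n != b and difflib.SequenceMatcher(None, b, n).ratio() >= NAME_SIMILARITY:
            hits.append(tok)
    return hits


def triage(records, brand, expected_seller, today):
    """Return one finding per record whose title trades on the brand name.

    verdict is 'impersonation' when the seller is not the brand owner,
    'review' when the seller matches but other signals look off, else 'ok'.
    """
    findings = []
    for rec in records:
        if name_similarity(brand, rec["trackName"]) < NAME_SIMILARITY:
            continue  # does not use the brand name; out of scope here
        flags = []
        seller_ok = normalise(rec["sellerName"]) == normalise(expected_seller)
        if not seller_ok:
            flags.append(f"seller is {rec['sellerName']!r}, expected {expected_seller!r}")
        if rec["userRatingCount"] < MIN_RATING_COUNT:
            flags.append(f"only {rec['userRatingCount']} rating(s)")
        released = datetime.fromisoformat(rec["releaseDate"].replace("Z", "+00:00"))
        age_days = (today - released).days
        if age_days < MAX_AGE_DAYS:
            flags.append(f"listed {age_days} days ago")
        misspelt = near_miss_tokens(brand, rec["description"])
        if misspelt:
            flags.append("brand misspelt in description: " + ", ".join(misspelt))
        verdict = "impersonation" if not seller_ok else ("review" if flags else "ok")
        findings.append({"trackName": rec["trackName"], "sellerName": rec["sellerName"],
                         "verdict": verdict, "flags": flags})
    return findings


# Constructed records, not real API output. Names, sellers and rating figures
# for the two LastPass entries echo the article; dates and the third app are made up.
SAMPLE_RECORDS = [
    {"trackName": "LastPass Password Manager", "sellerName": "LogMeIn, Inc.",
     "averageUserRating": 4.4, "userRatingCount": 52000,
     "releaseDate": "2010-12-10T08:00:00Z",
     "description": "LastPass keeps all your passwords in one secure vault."},
    {"trackName": "LastPass Password Manager", "sellerName": "Parvati Patel",
     "averageUserRating": 5.0, "userRatingCount": 1,
     "releaseDate": "2024-01-20T00:00:00Z",
     "description": "Store all your passwords with LassPass."},
    {"trackName": "Sudoku Classic", "sellerName": "Example Games",
     "averageUserRating": 4.1, "userRatingCount": 3000,
     "releaseDate": "2019-05-01T00:00:00Z",
     "description": "Relaxing number puzzles, no account needed."},
]
TODAY = datetime(2024, 2, 8, tzinfo=timezone.utc)  # fixed so the output is stable

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS, "LastPass", "LogMeIn, Inc.", TODAY):
        print(f"{f['verdict']:13} {f['trackName']} by {f['sellerName']}")
        for flag in f["flags"]:
            print("    -", flag)
```

The seller check is the decisive signal: a brand-named listing from anyone but the brand owner is an impersonation whatever its ratings say. The rating count, listing age and misspelling checks only add confidence and help rank a long result list; the sudoku entry is skipped entirely because its title never resembles the brand. Live results from the search endpoint can be passed straight to `triage()` since the field names match.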