It’s not like it’s an edge case either, there are hundreds of apps with obviously and blatantly misleading logos, brands, names etc. Just see ChatGPT / OpenAI for example.
I have taken to sharing direct links to Apps in the app store now when recommending things to non-technical friends/family, because I’ve lost all confidence that they will find the “correct” app anymore just by searching, and not one of hundreds of highly dubious clone apps.
Difficult to argue against the recent actions of the EU when the supposed benefits of the walled garden are crumbling anyway…
We're on the 2nd generation of users that have been trained to trust the app store which is little more than a big search engine due to the volume. I would compare it to searching for an app on Google and installing whatever shows up high in the results.
The average user doesn't have the tools to discover the trustworthiness of individual developers, and hasn't for ~15 years, which has led to a situation where no one (normal) could assess things properly even if you gave them the tools they need.
The Domain Name System has its flaws, but it's honestly kind of a miracle that we arrived at a system that's easy for users to remember (compared to numeric phone numbers), while remaining relatively decentralized.
A lot of the "security" industry is a big scam designed to take your money. Many of the products they sell don't work because they don't have the ability to filter out bad actors. What's the value of a code signing certificate if someone can spin up a company in a corrupt country and get an EV code signing cert for that business? The answer is $0.
I worked on the App Store and Music at Apple, but I have no idea about the app review process.
1. https://blog.lastpass.com/wp-content/uploads/sites/20/2024/0...
The entire software distribution industry could use a mulligan. I think it should start by using domains as identity because it's the only namespace we have with global buy-in and anyone can register / reserve a unique identifier (aka domain) in that system.
If the supply chain for that app went back to 'lastpass.com', and that information was prominently displayed, it solves a lot of problems in terms of educating users to help them avoid scams.
Do note that this article fails to actually identify any threat here.
From the article:
> ...the app was likely created to act as a phishing app and steal credentials.
> If you have installed the fake LastPass app, you should immediately remove it and change your password at lastpass.com. It is then advised to perform the arduous task of resetting all passwords stored in your LastPass vault to be safe.
Though one could argue that they have not _definitively_ proven that this app is a threat through testing, it really is not much of a stretch of the imagination that a LastPass-lookalike would be used for phishing. This app is very clearly an illegitimate clone.
https://blog.lastpass.com/2024/02/warning-fraudulent-app-imp...
Misspellings indicate fraud?? Good grief.
Fake news. LastPass's warning does not claim the other app is a fake copy.
> LastPass would like to alert our customers to a fraudulent app attempting to impersonate our LastPass app on the Apple App Store. The app in question is called “LassPass Password Manager” and lists Parvati Patel as the developer.
Also Apple: Lets in thousands of scam apps as a matter of course