I thought the whole point Apple makes for the App Store vs allowing all sorts of third party marketplaces is safety etc. This kind of blows that argument.
It's not guaranteed in their terms, in as much as a quick safety inspection on a plane doesn't guarantee it won't fall out of the sky. Someone would have to prove Apple was negligent, which if they put this app through the same review process as all others (no malware, just a scam), then are they negligent?
 
Apple doesn't explicitly say their App Store is 100% safe, but they do make the claim implicitly.


The App Store is a trusted place where users can safely discover and download apps. On the App Store, apps come from identified developers who have agreed to follow Apple guidelines, and are securely distributed to users with cryptographic guarantees against modification. Every single app and each app update is reviewed to evaluate whether it meets requirements for privacy, security, and safety. This process, which is being constantly improved, is designed to protect users by keeping malware, cybercriminals, and scammers out of the App Store.


How else are we to take it when Apple says "every single app" is "reviewed to evaluate" the apps' "privacy, security, and safety," making the App Store "a trusted place"?
I think you take it at face value. Nothing in there guarantees. Every app is reviewed, but it's reviewed by people and people can make mistakes. It also says it's improving, which implies it's not perfect.
 
So this wasn't just some random app that could have easily slipped through, this app was deliberately designed and named to be mistaken for an official app made by a well known 3rd party. The fact that Apple completely failed to check whether it's legit is, imho, pretty bad.

Good luck arguing in court now that sideloading is inherently less safe than the uber-secure AppStore review process.
 
I'd probably try, but legally, do the App Store terms guarantee all apps are legit and safe? In this case, what are proper review steps? Should Apple shove Crypto into every app, let it sit and see if they lose it?
Copilot is saying that a class action lawsuit is already being formed so I guess we'll find out!
 
I'd be a bit more careful with my crypto currency credentials than these folks were. Luckily I don't own any of it to begin with.
So when you download your bank's app from AppStore, you call the bank to verify that the app is legit? Or do you rely on Apple to do basic due diligence before allowing the app into their walled garden?

If I submit to them an app called "CryptoWallet by SnowCrocodile" and then use it to steal people's money, it's not on Apple as long as they went through a reasonable review process. They don't know what my intentions are, and I am pretty sure I'd pass any background checks.

However if I send them an app called "Bank of America" using BoA logo, and they approve it without making sure that I am really associated with BoA, that's 100% on them.
 
Apple doesn't explicitly say their App Store is 100% safe, but they do make the claim implicitly.


The App Store is a trusted place where users can safely discover and download apps. On the App Store, apps come from identified developers who have agreed to follow Apple guidelines, and are securely distributed to users with cryptographic guarantees against modification. Every single app and each app update is reviewed to evaluate whether it meets requirements for privacy, security, and safety. This process, which is being constantly improved, is designed to protect users by keeping malware, cybercriminals, and scammers out of the App Store.


How else are we to take it when Apple says "every single app" is "reviewed to evaluate" the apps' "privacy, security, and safety," making the App Store "a trusted place"?
I read it as Apple tries very hard and puts as many policies in place as they can, but the process isn't perfect as they state right in the terms that it's constantly being improved. It sounds like they're saying it's pretty safe but not perfectly safe.
 
People are completely missing the point here. It’s not about where the app is from. Ledger is a hardware wallet, and if you are using a hardware wallet you should already know that your seed phrase doesn’t touch the keyboard. Entering your seed into an app from the App Store that asks you to type your seed phrase is on you.
 
It's not guaranteed in their terms, in as much as a quick safety inspection on a plane doesn't guarantee it won't fall out of the sky. Someone would have to prove Apple was negligent, which if they put this app through the same review process as all others (no malware, just a scam), then are they negligent?

OK so if I download a Bank of America app off Apple Store and it turns out that this was a scam app uploaded by some criminals, it's not Apple's fault for not trying to validate the app with BoA prior to accepting it?

In this case, the app impersonated a well known (in certain circles) 3rd party, it was Apple's responsibility to validate the app with the said 3rd party.
 


A fake Mac app designed to look like the real thing snuck past Apple's app review team, costing users $9.5 million in cryptocurrency.


According to CoinDesk, a fake macOS version of the Ledger Live crypto wallet app scammed people into handing over access to their cryptocurrency wallets. More than 50 people fell victim to the fake app between April 7 and April 13.

Ledger has an official Mac app, but it is distributed via the Ledger website and not through the Mac App Store. The real app does not ask users to enter their seed phrases like the fake app did, nor do other legitimate cryptocurrency apps. The stolen money was routed through the KuCoin crypto exchange, and hackers used a mixing service known as AudiA6, which charges high fees to launder cryptocurrency.

Three of the victims lost seven-figure sums, which is an unusually high amount of money to lose in a fake app scam. ZachXBT, who investigated the scam and shared the info on Telegram, suggested Apple could be subject to a class-action lawsuit in the future due to the amount of money lost.

Apple removed the fake Ledger Live app from the Mac App Store, but it was live for approximately two weeks. It is not known how it passed Apple's app review process, and Apple hasn't commented.

Article Link: Apple Removes Fake Crypto Wallet App That Stole $9.5 Million From Mac Users
Stole, how did they steal it? By asking folks for their information. Hm…
 
OK so if I download a Bank of America app off Apple Store and it turns out that this was a scam app uploaded by some criminals, it's not Apple's fault for not trying to validate the app with BoA prior to accepting it?

In this case, the app impersonated a well known (in certain circles) 3rd party, it was Apple's responsibility to validate the app with the said 3rd party.
Assuming it's a fake app and you download it and "log in" (fake log in since it doesn't know your credentials), it's impossible it would show your balance and you'd immediately know something was wrong and could take immediate action to change PW, etc.

Also, your bank account is insured. Crypto isn't, as far as I know.

Were these users existing users with experience with crypto apps? Did they not know they're never asked to enter their secure key phrase or new users opening a new account?
 
OK so if I download a Bank of America app off Apple Store and it turns out that this was a scam app uploaded by some criminals, it's not Apple's fault for not trying to validate the app with BoA prior to accepting it?
And since Apple is preventing you from going to bankofamerica.com and downloading it direct from a trusted source...
 
Because… no one can release a fake app OUTSIDE the app store? Is that a thing people believe?

No one should be able to release a fake app INSIDE the app store. That's the whole idea behind an app store. An approval process for any app that is trying to impersonate a known 3rd party should start with Apple contacting that 3rd party to validate whether the app is legit. Clearly this hasn't happened.

If using the AppStore is not any different from not using it, then Apple's main argument for a walled AppStore falls apart.
 
I thought the whole point Apple makes for the App Store vs allowing all sorts of third party marketplaces is safety etc. This kind of blows that argument.
Does Apple make that point for the Mac App Store? I mean, the developer makes the app available via their website, so the App Store only factors into it where folks that should have known better, didn’t.
 
And since Apple is preventing you from going to bankofamerica.com and downloading it direct from a trusted source...

They do on iPadOS and iOS. They go extra length to make sure I can't use any other source for apps on iPadOS / iOS. Then if I use the same source, that has the same name and the same icon, to download apps on MacOS it's suddenly on me?

Brilliant.
 
I am sorry to say that but this was so easily avoided and the app has been online for a week, just this weekend somebody lost 6 BTC, his whole savings.

I am a developer, I have a very popular, discontinued game, several hundred thousand downloads, many reviews. I get approached by scammers offering me around 1000$ so that I transfer them my app.

These scammers then rebrand it, with malware, and use the reputation from those old apps.

Of course I always send them to hell.

In this case it was even worse, the app had no reputation, but showed up in search results almost immediately.

Apple claiming they want to protect users is a big fat lie. The App Store is no protection at all, as this app shows. And it's not the first time. And Apple takes ages to react.

I hope they get a lawsuit, they lose it, and these poor people recover their money.

PS: Never ever write a seed phrase on an app or a website.
 
They should be. Apple claims they review all apps for safety, security, and privacy. The fault of allowing yet another scam crypto app onto the Apple App Store lies with Apple.
At this point, I think all apps related to financial services need way more scrutiny, maybe to the point that these apps need to be allowed to sideload. This way, Apple can review them but not ‘host’ them. Too many scam apps over the years. I still can’t figure out which one my IRA is tied to. The company has like 3 apps, and I even thought I downloaded the one linked from the site I can log into, but the app says I have the wrong ID info.

Also, I feel that the US intelligence agencies should be finding these thieves and sending special ops in to string them up.
Theft is one act that really pisses me off.
 
No one should be able to release a fake app INSIDE the app store. That's the whole idea behind an app store. An approval process for any app that is trying to impersonate a known 3rd party should start with Apple contacting that 3rd party to validate whether the app is legit. Clearly this hasn't happened.

If using the AppStore is not any different from not using it, then Apple's main argument for a walled AppStore falls apart.
“Should” is carrying a lot of weight there. 🙂 No one should enter their confidential details into an app that’s asking for something that no app of that type should ever do, for example. But, it happens. Anyone who thinks either is impossible is likely not basing their expectations on reality.
 
They do on iPadOS and iOS. They go extra length to make sure I can't use any other source for apps on iPadOS / iOS. Then if I use the same source, that has the same name and the same icon, to download apps on MacOS it's suddenly on me?

Brilliant.
Have you seen a screenshot of the App Store listing for the now removed app to confirm everything looked legit?
 
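The question above (whether the listing "looked legit") and the earlier point that App Store apps "come from identified developers" both come down to one thing a user can actually check on the Mac itself: the code-signing identity of the downloaded bundle. On macOS, `codesign -dv --verbose=4 /Applications/Some.app` prints the signature details, including an `Identifier=` (bundle ID) line and a `TeamIdentifier=` line that carries the developer's Apple Team ID even for App Store-signed apps. The script below is an added example, not code from this thread, from Apple or from Ledger: it parses that output and accepts the app only when the bundle identifier and Team ID match values the vendor published out of band (for instance on their own website). The Team IDs and bundle identifiers in the samples are constructed placeholders, not Ledger's real ones.

```shell
#!/bin/sh
# Added example (not from the thread). Verifies a macOS app's code-signing
# identity against a Team ID and bundle ID obtained from the vendor out of band.
#
# Usage on a real Mac (not run here):
#   codesign -dv --verbose=4 /Applications/Some.app 2> /tmp/sig.txt
#   check_signing_identity /tmp/sig.txt EXPECTED_TEAM_ID com.vendor.app
#
# $1: file holding `codesign -dv --verbose=4` output
# $2: expected TeamIdentifier (assumption: published by the vendor, not copied
#     from the App Store listing you are trying to verify)
# $3: expected bundle Identifier
check_signing_identity() {
    team=$(sed -n 's/^TeamIdentifier=//p' "$1")
    ident=$(sed -n 's/^Identifier=//p' "$1")

    # Ad-hoc or unsigned bundles print "TeamIdentifier=not set"; never trust those.
    if [ -z "$team" ] || [ "$team" = "not set" ]; then
        echo "REJECT: no TeamIdentifier (unsigned or ad-hoc signed)"
        return 1
    fi
    # A look-alike app from a different developer fails here even if its name,
    # icon and bundle ID were copied from the real product.
    if [ "$team" != "$2" ]; then
        echo "REJECT: team '$team' does not match expected '$2'"
        return 1
    fi
    if [ "$ident" != "$3" ]; then
        echo "REJECT: bundle identifier '$ident' does not match expected '$3'"
        return 1
    fi
    echo "OK: $ident is signed by team $team"
    return 0
}

# Constructed sample outputs (placeholder IDs, not Ledger's real values).
# Format mirrors what codesign prints; only the fields we parse matter.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/genuine.txt" <<'EOF'
Executable=/Applications/Example Wallet.app/Contents/MacOS/Example Wallet
Identifier=com.example.wallet
Format=app bundle with Mach-O universal (x86_64 arm64)
Authority=Apple Mac OS Application Signing
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
EOF
cat > "$SAMPLE_DIR/lookalike.txt" <<'EOF'
Executable=/Applications/Example Wallet.app/Contents/MacOS/Example Wallet
Identifier=com.example.wallet
Format=app bundle with Mach-O thin (arm64)
Authority=Apple Mac OS Application Signing
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
TeamIdentifier=ZZZZZ99999
EOF
cat > "$SAMPLE_DIR/adhoc.txt" <<'EOF'
Executable=/Applications/Example Wallet.app/Contents/MacOS/Example Wallet
Identifier=com.example.wallet
Format=app bundle with Mach-O thin (arm64)
Signature=adhoc
TeamIdentifier=not set
EOF

VENDOR_TEAM=ABCDE12345          # assumption: taken from the vendor's own site
VENDOR_BUNDLE=com.example.wallet

for f in genuine lookalike adhoc; do
    if check_signing_identity "$SAMPLE_DIR/$f.txt" "$VENDOR_TEAM" "$VENDOR_BUNDLE"; then
        echo "$f: accepted"
    else
        echo "$f: rejected"
    fi
done
rm -rf "$SAMPLE_DIR"
```

The point of comparing the Team ID rather than the app name or icon is that the Team ID is bound to the signing certificate Apple issued to a specific developer account; a scammer can copy everything visible in a listing but cannot sign with the genuine vendor's team. The check only helps if the expected Team ID comes from somewhere the scammer does not control, which is why the vendor's own website, not the store listing, is the reference.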
From Ledger's website…

At this point, it’s important to mention that you should never restore your hardware wallet’s seed phrase into a software wallet. To explain, the entire point of a hardware wallet is that it generates your seed phrase completely offline. This means not even the most sophisticated digital spyware could see those words. If you enter that same secure recovery phrase into a wallet that doesn’t have those same qualities, you risk exposing it. In short, if you import your hardware wallet into a software wallet, your secret recovery phrase might be vulnerable to online threats.
 
While this isn't a good look, only large data sets, not isolated examples, can prove or disprove overall safety. Apple never claimed 100% safety, because no one can.

Right, but they do force 100% compliance if you want to meaningfully run software on their platform. And they damn sure demand 100% financial compliance.

That's the whole problem. Of course they can't promise full safety, but they use that as an excuse for full control.

If there weren't also stories every month of legitimate developers having major problems for no reason, I would have more sympathy. But Apple blocks or delays apps for any reason or none and causes lots of unnecessary problems.

It's hypocritical. It would not be if they gave people the option to not use it, but they don't.
 
So if you were these users, would you sue apple?
If you are these users, you would contact your local Attorney General. At least in Missouri, part of their job is to go after people committing fraud and such.

I would seek legal counsel, talk to the AG and let them handle it. Doing so might actually put more pressure on Apple to put in better reviews for apps, or change policy sooner than what our Congress will ever get done.
 
Downloading and trusting an app downloaded from the Mac App Store itself is, in my opinion, being careful. This is Apple’s fault.

I’m one of those that prefers to get my apps from the Mac App Store because of the mandatory sandboxing and the app reviewing process. But episodes like this hurt Apple’s reputation.
In this case specifically, going to the company’s website and following a LINK to the App Store would be careful. This is the user’s fault. If this app was downloaded from the App Store and, upon execution, started stealing user data, that’d hurt their reputation.

The fact that this app could literally do NOTHING without engagement from the user to exploit themselves… then all the mandatory sandboxing and reviewing can’t help folks that willingly put themselves into that position.
 