Fake LastPass App Sneaks Past Apple's Review Team

[1129846]

No, I didn't. I simply argued that it's not broken. As evidenced by my experience, the massive developer support, and the developer revenue compared to android.

Revenue != good system.

Apple system is bad but they are get away with it because of the money. System wise it is bad and Google's is by far better and less issues in that side.

Lots of revenue covers up a bad system and people are willing to put up with it for the money. Apple's treatment of developers over all is pretty bad.

 

[BaldiMac]

Revenue != good system.

Apple system is bad but they are get away with it because of the money. System wise it is bad and Google's is by far better and less issues in that side.

Lots of revenue covers up a bad system and people are willing to put up with it for the money. Apple's treatment of developers over all is pretty bad.

Can you respond without misrepresenting what I said? I clearly based by comment on more than revenue.

 

[Samplasion]

That’s not an equivalent argument because the platforms are different.

They're both general purpose operating systems made by Apple. But, I'll give it to you, one is designed for a pointing device and the other for touch screens.

Besides, you said "The fact that [sideloading] exists is an issue." So that means that, logically, you would consider another example of "sideloading" problematic.

 

[BaldiMac]

Besides, you said "The fact that [sideloading] exists is an issue." So that means that, logically, you would consider another example of "sideloading" problematic.

Of course it's problematic as evidenced by a trillion dollar malware industry. Why do we have to pretend that the Mac is the only OS to allow sideloading?

 

[Samplasion]

Of course it's problematic as evidenced by a trillion dollar malware industry. Why do we have to pretend that the Mac is the only OS to allow sideloading?

You're entitled to your opinion and as such nobody forces you to leave the App Store, the Mac App Store, the Microsoft store or what have you. But the constant "I don't want sideloading and neither should you" comments sound like jealousy.

Because they're both developed by Apple.

 

[JFLECHUGA]

The more time you spend on Reddit the less informed you ar

🤣🤣🤣👍🏻

 

[BaldiMac]

You're entitled to your opinion and as such nobody forces you to leave the App Store, the Mac App Store, the Microsoft store or what have you.

Thanks for stating the obvious! I never argued they did. I have said that it may impact me if an app that I want or need leaves the App Store.

But the constant "I don't want sideloading and neither should you" comments sound like jealousy.

Again, another argument that I never made combined with an ad hominem fallacy. There are certainly many valid reasons to want sideloading.

Because they're both developed by Apple.

Sure. That doesn't mean that the Mac is the only example of sideloading and its repercussions.

 

[falainber]

Ever have a windows app crash? Vendor software crashes happen.

That's not the point though. Claiming that Apple found a crash or two during the app review absolutely misses the point of a review process.

 

[falainber]

Problem is an additional vector of attack is opened by alternative app stores. The fact that this avenue even exists is the issue.

To close all attack vectors one should not have any App Stores at all. Now, remember that was actually the original Apple intent. They gave up once they realized it was a stupid idea. It's time they realized that the ban on alternative app stores (and sideloading) is also a bad idea. Well, I am sure that deep inside they actually know it but profit considerations tell them otherwise.

 

[BaldiMac]

That's not the point though. Claiming that Apple found a crash or two during the app review absolutely misses the point of a review process.

It was certainly my point though. I was responding to a specific claim that Apple did nothing but check for API misuse that cost them money. Obviously, they check for more than that.

 

[BaldiMac]

To close all attack vectors one should not have any App Stores at all. Now, remember that was actually the original Apple intent. They gave up once they realized it was a stupid idea. It's time they realized that the ban on alternative app stores (and sideloading) is also a bad idea. Well, I am sure that deep inside they actually know it but profit considerations tell them otherwise.

Who is it a bad idea for? Customers are happy. Developers make more money than they do on android. There are a wide variety of millions of apps at extremely low prices.

 

[makitango]

I am an Android fanboy. There is no such thing as a secure app store. When you use a PC, you are already exposed to the wild west and the best anti virus in the world is actually you the user and this incident with Apple proves just that.

I don't believe the Apple app store is 100% secure because it just isn't possible to vet every single app in the review process in detail. I treat it to he just as secure as the Play Store. Beeper was able to exploit iMessage on Android suggesting that was having vulnerabilities as well.

You could argue we are seeing only 1-2 shady apps and Apple is stopping 1,000 of them while third party stores probably wouldn't do anything.

But here is the thing. People trust the App Store. People would not trust third party stores. Android specifically warns you when sideloading any app and the user is well aware of the risks. Apple is providing a false sense of security on their App Store so a user may not even use basic common sense when downloading any app from it.

It's like this. If I know an alley is dangerous and I am at risk of getting mugged, I would avoid it or at the very least ensure I have some protection when going through it. If someone assures me that an alley is safe, I wouldn't think twice walking through.

This incident neither supports nor weakens Apple position. Nothing is safe. It's upto the user to use basic common sense.

It's also why people get robbed mostly in dense and public spaces. Hiding in plain sight is probably the most efficient way. That's why on railway stations or airports they always say "pay attention to your bags and wallet".

To close all attack vectors one should not have any App Stores at all. Now, remember that was actually the original Apple intent. They gave up once they realized it was a stupid idea. It's time they realized that the ban on alternative app stores (and sideloading) is also a bad idea. Well, I am sure that deep inside they actually know it but profit considerations tell them otherwise.

I also think that the original plan would have been the safest. If Apple had decided to walk down the way with web apps, they would have only had to care about Safari security, and they would have continued their joint venture with Google to develop PWAs together.
Obviously, Apple wouldn't be as rich as it is today, but it would be safer. And Apple would still be a product-first company.

Nowadays, fake apps need to be highlighted by MR in order for Apple to take them down. I mean, it's hard to blame Apple, by the amount of apps submitted per hour, it's impossible to make a code review even on 1/100 of them, even if their reviewers were engineers.
Now, that store has become too big to even do a thorough QA session. I mean come on, how drunk must a reviewer be not to see LassPass vs LastPass, and a release vs an update?

 

[I7guy]

That's not the point though. Claiming that Apple found a crash or two during the app review absolutely misses the point of a review process.

Yes it is. Software is never 100%. This is the throw the baby out with the bathwater mentality so prevalent on MacRumors.

 

[I7guy]

To close all attack vectors one should not have any App Stores at all. Now, remember that was actually the original Apple intent. They gave up once they realized it was a stupid idea. It's time they realized that the ban on alternative app stores (and sideloading) is also a bad idea. Well, I am sure that deep inside they actually know it but profit considerations tell them otherwise.

More throw the baby out….etc or said another way, a red-herring. Profits should be part of the benchmarks of how a company proceeds. Apples sales and financials tell the story. Look at blackberry, that tells the other side of the same story.

 

[1129846]

Yes it is. Software is never 100%. This is the throw the baby out with the bathwater mentality so prevalent on MacRumors.

says the one who thinks allowing side loading is throwing the baby out which is more your claim on because because side loading might allow someone to put malicious app all side loading should be blocked.

Massive difference between ending the app store completely which is throwing the baby out with the bath water vs allowing side loading.

We all know the real reason is about greed for apple.

 

[1129846]

I mean, it's hard to blame Apple, by the amount of apps submitted per hour, it's impossible to make a code review even on 1/100 of them, even if their reviewers were engineers.

The code has never been reviewed by apple. The review process has always just been basically someone paid to poke around on the app for a few minutes to make sure it does not break any rules. Only reason bot can not do it is AI would not know where to click on a few things like entering login name and password.

Offending items can easily be turned off or time delayed to be pass Apple's monkey.

Now, that store has become too big to even do a thorough QA session. I mean come on, how drunk must a reviewer be not to see LassPass vs LastPass, and a release vs an update?

It has never been even a good QA by Apple. Honestly now it even worse. If App crashes during a review they dont hand you anything back other than it crashed. I had one app review that crashed and they said it was caused by IPv6 as it crashed when they connected it to IPv6 network. They did not had back crash logs or anything that could be useful for debugging it.

Reality found the crash logs in Fabric Crashlytics (now Firebase Chraslytics) and saw what it really was and saw it was a one off. Just had the build machines increase the build number by 1 and resubmit seeing it was a one off. Thank god we did not go down the worthless rabbit hole provided by Apple's monkey. Simple crash logs with what you were doing much more useful and Apple could do that. Zero extra work as those are generated automatically by the phone any how. It would be super helpful.

 

[makitango]

The code has never been reviewed by apple. The review process has always just been basically someone paid to poke around on the app for a few minutes to make sure it does not break any rules. Only reason bot can not do it is AI would not know where to click on a few things like entering login name and password.

Offending items can easily be turned off or time delayed to be pass Apple's monkey.

Fully aware. It is strictly to ensure that guidelines be met. Though I was under the impression that guidelines included looking for scam. Apparently this is neither part of the guidelines or simply not enforced.
I mean it's bonkers that any reviewer could not see this coming from miles away, as LastPass should be a known name for any reviewer.

It has never been even a good QA by Apple. Honestly now it even worse. If App crashes during a review they dont hand you anything back other than it crashed. I had one app review that crashed and they said it was caused by IPv6 as it crashed when they connected it to IPv6 network. They did not had back crash logs or anything that could be useful for debugging it.

It used to be different. Back in the day when each app review was $100, they really put honest work to it, but they were also paid for it so developers were also more serious about submitting apps. Nowadays, you just throw builds at the App Store and if it doesn't stick, you throw it again (and if the customer is lucky, the dev adjusted some stuff). Nowadays, no dev is scared anymore of an app being denied because they know that the review team has thousand other apps to look at, some from bigger names along the priority lane.

Reality found the crash logs in Fabric Crashlytics (now Firebase Chraslytics) and saw what it really was and saw it was a one off. Just had the build machines increase the build number by 1 and resubmit seeing it was a one off. Thank god we did not go down the worthless rabbit hole provided by Apple's monkey. Simple crash logs with what you were doing much more useful and Apple could do that. Zero extra work as those are generated automatically by the phone any how. It would be super helpful.

The crash logs are actually the one thing I keep enabled because I know how much it helps devs, with most people having it turned off because of privacy concerns.

 

[I7guy]

says the one who thinks allowing side loading is throwing the baby out which is more your claim on because because side loading might allow someone to put malicious app all side loading should be blocked.

Massive difference between ending the app store completely which is throwing the baby out with the bath water vs allowing side loading.

We all know the real reason is about greed for apple.

Is there a point to be made other than slinging some ad-Homs?

Whether this is “profit” motivated or not is not relevant. What’s relevant is if you decide to buy Apple products, you have two weeks to return them for any reason: including apple is greedy, Tim Cook doesn’t look good in tweed, you hate the shape of Apple HQ, etc.

Customers matter. Ask BlackBerry about lack of customers. Apple is doing well and customers are voting with their dollars. Nobody is forcing anybody to buy an Apple product.

 

[vipergts2207]

More throw the baby out….etc or said another way, a red-herring. Profits should be part of the benchmarks of how a company proceeds. Apples sales and financials tell the story. Look at blackberry, that tells the other side of the same story.

But I thought this was about security, not about money?

 

[I7guy]

But I thought this was about security, not about money?

Problem is people can’t make up their mind to post whatever stream of consciousness criticism of the moment. It can be about both, neither and everything.

 

[Roadstar]

Yes, scam apps can get through every now and then. But in this case the victim app is a well-known password manager from a developer whose name is one letter off from a Harry Potter character, and it gets approved? Come on Apple, you need to do way better than this if you want us even try to believe in your arguments against 3rd party app stores.

 

[vipergts2207]

Problem is people can’t make up their mind to post whatever stream of consciousness criticism of the moment. It can be about both, neither and everything.

r/SelfAwarewolves

Once in a blue moon redditors almost transform into self aware creatures. Almost. Submit posts (from anywhere) where people unknowingly describe themselves. ("what did they say about someone else that really applied to them?") NB: Memes aren't people, they can't be Selfawarewolves.

www.reddit.com

 

[I7guy]

Yes, scam apps can get through every now and then. But in this case the victim app is a well-known password manager from a developer whose name is one letter off from a Harry Potter character, and it gets approved? Come on Apple, you need to do way better than this if you want us even try to believe in your arguments against 3rd party app stores.

Switching back to the security aspect of the thread, from the greed and money aspect…not that it matters, because its done, using this one app as a way to nullify apples argument is fallacious.

 

[Abazigal]

I’m shocked by how much Apple fandom has changed since the iPhone. Pre-iPhone Apple fans were all about innovation. Today’s Apple fans celebrate corporate control, parrot whatever manipulative bs Apple feeds them, and prattle on endlessly about profits.

Maybe if the people criticising Apple haven’t been consistently wrong since I joined Macrumours in 2011 (then again, I understand their track record prior wasn’t any better), I wouldn’t have to keep speaking up in defence of Apple so much either. ¯\_(ツ)_/¯

 

[Roadstar]

Switching back to the security aspect of the thread, from the greed and money aspect…not that it matters, because its done, using this one app as a way to nullify apples argument is fallacious.

Maybe it doesn't completely nullify it, but still having a well-known app duplicated with a developer name that's a red flag in itself isn't a great look for the argument of how the App Store review keeps us all safe.