Fake Password Manager Found on Apple’s AppStore

The number of passwords a person requires to go about a normal life continues to proliferate. The varying requirements of each site – numbers, capitals, symbols – make it more and more difficult to remember each one.

Moreover, repeating passwords makes you vulnerable to identity theft. In 2022, some 24 billion passwords were exposed in data breaches worldwide.

That’s why most security experts these days recommend using a password manager. Using a secure, unique password – ideally, a long string of words that’s easy for you to remember – can keep all your daily logins safe.

Fake Password Manager Enters Apple App Store

The natural next step in the security arms race is for hackers to try to breach password managers themselves. By and large, however, this is very difficult. Best practice for password manager apps or software is to encrypt your passwords before they leave your device and “travel” to the cloud to be archived.

To get around these security measures, a developer using the name Parvati Patel created a password manager that imitates a well-known app. Calling it LassPass (instead of LastPass), the app was listed on Apple’s app store from 21 January until being removed last week.

Last week, LastPass stated that they were “actively working to get this application taken down as soon as possible, and will continue to monitor for fraudulent clones of our applications and/or infringements upon our intellectual property”.

The scandal is a bad look for Apple at a time when it is lobbying against further regulation in European markets. 

The AppStore itself is currently in EU regulators’ sights. Apple charges a 30% rent on iPhone app revenues and blocks iPhone users from using any other app store.

Apple argues any regulation requiring it to remove its block on third-party app stores on the iPhone would compromise digital security. The LassPass scandal suggests the argument is a front for rent-seeking behaviour.

This isn’t the first security issue faced by LastPass. In August 2022, the company’s servers were accessed, leading to the theft of user account information and metadata, though not necessarily compromising the encrypted passwords themselves.

In a similar case, last September an imitator of open-source password manager BitWarden was discovered. Users were fooled by a website, BitWariden[dot]com, which collected users’ passwords and other information from their device.
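Both imitations described above (LassPass for LastPass, BitWariden for BitWarden) sit one character away from the real name, which is what brand monitoring for fraudulent clones can key on. The following is an added example, not code from LastPass, Bitwarden or this article: a lookalike-name check using edit distance. The function names, the distance threshold of 2 and the control listings are assumptions made for illustration, and a match is a prompt for human review, not proof of fraud.

```python
# Added example: lookalike-name check for brand monitoring (not from the article).
PROTECTED = ["lastpass", "bitwarden"]  # the two brands the article says were imitated


def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap as 1 each."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            # Adjacent transposition, e.g. "ap" typed for "pa".
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def labels(name: str) -> list[str]:
    """Split a listing title or defanged domain into lower-case alphanumeric labels."""
    parts = name.lower().replace("[dot]", ".").split(".")
    return ["".join(ch for ch in p if ch.isalnum()) for p in parts]


def check_listing(name: str, max_distance: int = 2):
    """Return (verdict, brand, distance) for the closest protected brand."""
    best = None
    for label in labels(name):
        for brand in PROTECTED:
            d = osa_distance(label, brand)
            if d <= max_distance and (best is None or d < best[1]):
                best = (brand, d)
    if best is None:
        return ("unrelated", None, None)
    # Distance 0 is the real name: the publisher still has to be verified separately.
    verdict = "exact-name" if best[1] == 0 else "lookalike"
    return (verdict, best[0], best[1])


if __name__ == "__main__":
    # Constructed sample: the two imitation names from the article plus two controls.
    for listing in ["LassPass", "BitWariden[dot]com", "LastPass", "Weather Widget"]:
        print(listing, "->", check_listing(listing))
```

An exact name match is reported separately because the name alone cannot distinguish the genuine listing from a clone; the publisher identity has to be checked as well.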

Article image courtesy of @sigmund via Unsplash.
