Apple didn't find it. LastPass did. It easily slipped through whatever
meager (perhaps non existent?) malware tests that Apple supposedly runs.

https://arstechnica.com/security/2024/02/a-password-manager-lastpass-calls-fraudulent-booted-from-app-store/
A password manager LastPass calls fraudulent booted from App Store

As Apple has stepped up its promotion of its App Store as a safer and more
trustworthy source of apps, its operators scrambled Thursday to correct a
major threat to that narrative: a listing that password manager maker
LastPass said was a "fraudulent app impersonating" its brand.

Somehow, Apple's app vetting process-long vaunted even though Apple has
provided few specifics-failed to spot the LastPass lookalike. Apple removed
LassPass Thursday morning, two days, LastPass said, after it flagged the
app to Apple and one day after warning its users the app was fraudulent.

"We are raising this to our customers' attention to avoid potential
confusion and/or loss of personal data," LastPass Senior Principal
Intelligence Analyst Mike Kosak wrote.

A LastPass representative said the company learned of the app on Tuesday
and focused its efforts on getting it removed rather than analyzing its
behavior. Company officials don't have information about precisely what
LassPass did when it was installed or when it first appeared in the App
Store.

Apple representatives didn't respond to an email asking questions about the
incident or its vetting process or policies.

On 2024-02-08 23:43, david wrote:
> Apple didn't find it. LastPass did. It easily slipped through whatever
> meager (perhaps non existent?) malware tests that Apple supposedly runs.
>
> https://arstechnica.com/security/2024/02/a-password-manager-lastpass-calls-fraudulent-booted-from-app-store/
> A password manager LastPass calls fraudulent booted from App Store
>
> As Apple has stepped up its promotion of its App Store as a safer and more
> trustworthy source of apps, its operators scrambled Thursday to correct a
> major threat to that narrative: a listing that password manager maker
> LastPass said was a "fraudulent app impersonating" its brand.
>
> Somehow, Apple's app vetting process-long vaunted even though Apple has
> provided few specifics-failed to spot the LastPass lookalike. Apple removed
> LassPass Thursday morning, two days, LastPass said, after it flagged the
> app to Apple and one day after warning its users the app was fraudulent.
>
> "We are raising this to our customers' attention to avoid potential
> confusion and/or loss of personal data," LastPass Senior Principal
> Intelligence Analyst Mike Kosak wrote.
>
> A LastPass representative said the company learned of the app on Tuesday
> and focused its efforts on getting it removed rather than analyzing its
> behavior. Company officials don't have information about precisely what
> LassPass did when it was installed or when it first appeared in the App
> Store.
>
> Apple representatives didn't respond to an email asking questions about the
> incident or its vetting process or policies.

Arlen...

....where does it say that this was "malware"?

Hmmm?

On 2024-02-09 02:43, david wrote:
> Apple didn't find it. LastPass did. It easily slipped through whatever
> meager (perhaps non existent?) malware tests that Apple supposedly runs.

You're miscasting what happened.

This was not malware in the usual sense - just another app that behaved
properly but potentially having a "nasty" side. The nasty side is using
a name similar to LastPass and the potential that it may have been
passing on people's sensitive date/passwords to its mothership.

When you get an app like LastPass or 1Password you are likewise putting
full faith into those developers. These two are well known, legitimate,
safe apps. (I use the latter but am weening off of it for other reasons).

An app called LassPass could theoretically be legitimate and protect
user's data ... but the attempt at a similar name is a bright red flag -
good that Apple remove it - hopefully they remove all apps from that
developer - at least until credibility is established.

When using apps with access to sensitive info, I spend a lot more time
looking for reasons to trust (or distrust) them.

--
“Markets can remain irrational longer than your can remain solvent.”
- John Maynard Keynes.

On Feb 9, 2024 at 9:02:03 AM EST, "Alan Browne" <bitbucket@blackhole.com>
wrote:

> When you get an app like LastPass or 1Password you are likewise putting
> full faith into those developers. These two are well known, legitimate,
> safe apps. (I use the latter but am weening off of it for other reasons).

I would never use any of these apps. Storing passwords online just seems
incredibly foolish to me.

My passwords look random, but they have meaning to me and are easy to
remember. I have no need for online password storage.

On 2024-02-09 12:31, Tyrone wrote:
> On Feb 9, 2024 at 9:02:03 AM EST, "Alan Browne" <bitbucket@blackhole.com>
> wrote:
>
>> When you get an app like LastPass or 1Password you are likewise putting
>> full faith into those developers. These two are well known, legitimate,
>> safe apps. (I use the latter but am weening off of it for other reasons).
>
> I would never use any of these apps. Storing passwords online just seems
> incredibly foolish to me.

As long as one guards the password to that file (and that password is
not guessable) it is perfectly safe to store it online.

In the first place it is unlikely to be stolen from the online site, and
even if it is, AES-256 encryption is too hard to break in any time less
than many multiple lifetimes of the universe.

>
> My passwords look random, but they have meaning to me and are easy to
> remember. I have no need for online password storage.

That's fine as long as they are not of trivial length and (very
importantly) are unique for every website.

I have far too many to manage that way.

--
“Markets can remain irrational longer than your can remain solvent.”
- John Maynard Keynes.

Using <news:lQtxN.354397$xHn7.233020@fx14.iad>, Alan Browne wrote:

>> I would never use any of these apps. Storing passwords online just seems
>> incredibly foolish to me.
>
> As long as one guards the password to that file (and that password is
> not guessable) it is perfectly safe to store it online.

Nobody could deny this app easily slipped through Apple's checks and nobody
could deny it took Apple too long to react (at least if you ask the people
whose rather sensitive credit card & password data was apparently already
stolen in that interim where Apple was moribund, according to LastPass).

But on the topic of whether or not it's a good idea to store your sensitive
passwords on an online database which could ask for your credit card
information, there are always going to be pros and cons to the equation.

Many love online password programs, some of which automatically enter
passwords when you attempt a login to a given company (which is nice).

Online passwords are nice for a few other reasons, one of which is you
can't lose them if you lose your device. Another reason online passwords
are nice is all your devices access them anywhere (as long as you have
Internet access anyways). There's also the advantage of automatic sync with
all your devices if you happen to have added a new password from one.

But for every pro, there's a con that has to be weighed against it.

The main negative that this malware app took advantage of by stealing
people's credit card information and their passwords (most likely) is in
the fact people are paying for the service using their credit cards and
they are using real names & real phone numbers & real addresses.

Instantly, that's crossing the red line when it comes to basic privacy and
security on the Internet.

The other red line is that you're giving one outfit all your passwords, and
that one outfit is definitely going to be targeted by every hacker out
there, including the ones whose funding is many times the net worth of
LastPass (meaning they outfund LastPass by many times over).

If there are never any holes in LastPass security, they wasted their money.
But there are always holes. You know that. So that's the second con.

Granted those two cons won't outweigh the convenience of LastPass for
millions of people who are, let's put it nicely, not technically astute.

One simple test if someone is technically astute is to ask them if they're
using "cloud storage" and if they are, ask them which one and from that
answer, you will know whether they are technically competent or not.

Most are not.

By way of comparison, the technically competent people know how to set up
their own cloud (for example NextCloud) if a cloud is what they desire.

But better yet, the most technically competent probably shun clouds
altogether by storing the passwords in an encrypted password database (such
as KeepassXC) where syncing is handled on the LAN such that the kdbx
databases are always in sync across all your devices.

If they absolutely must have access from someone else's device (say on a
library computer when they're traveling and their phone battery is dead),
they can always upload that encrypted kdbx file to any cloud server.

This is just a point of view where the pros and cons are weighted different
for each person, mostly depending on their technical abilities more than
anything else.

On 2024-02-09 10:38, david wrote:
> Using <news:lQtxN.354397$xHn7.233020@fx14.iad>, Alan Browne wrote:
>
>>> I would never use any of these apps. Storing passwords online just seems
>>> incredibly foolish to me.
>>
>> As long as one guards the password to that file (and that password is
>> not guessable) it is perfectly safe to store it online.
>
> Nobody could deny this app easily slipped through Apple's checks and
> nobody could deny it took Apple too long to react (at least if you ask
> the people whose rather sensitive credit card & password data was
> apparently already stolen in that interim where Apple was moribund,
> according to LastPass).

Why must you lie, Arlen?

From your own source:

'There’s no indication that LassPass collected users’ LastPass
credentials or copied any of the data it stored.'

>
> But on the topic of whether or not it's a good idea to store your
> sensitive passwords on an online database which could ask for your
> credit card information, there are always going to be pros and cons to
> the equation.
>
> Many love online password programs, some of which automatically enter
> passwords when you attempt a login to a given company (which is nice).
>
> Online passwords are nice for a few other reasons, one of which is you
> can't lose them if you lose your device. Another reason online passwords
> are nice is all your devices access them anywhere (as long as you have
> Internet access anyways). There's also the advantage of automatic sync
> with all your devices if you happen to have added a new password from one.
>
> But for every pro, there's a con that has to be weighed against it.
>
> The main negative that this malware app took advantage of by stealing
> people's credit card information and their passwords (most likely) is in
> the fact people are paying for the service using their credit cards and
> they are using real names & real phone numbers & real addresses.
> Instantly, that's crossing the red line when it comes to basic privacy
> and security on the Internet.

'There’s no indication that LassPass collected users’ LastPass
credentials or copied any of the data it stored. '

On 2024-02-09 07:43:34 +0000, david said:

> Apple didn't find it. LastPass did. It easily slipped through whatever
> meager (perhaps non existent?) malware tests that Apple supposedly runs.
>
> https://arstechnica.com/security/2024/02/a-password-manager-lastpass-calls-fraudulent-booted-from-app-store/
>
> A password manager LastPass calls fraudulent booted from App Store
>
> As Apple has stepped up its promotion of its App Store as a safer and more
> trustworthy source of apps, its operators scrambled Thursday to correct a
> major threat to that narrative: a listing that password manager maker
> LastPass said was a "fraudulent app impersonating" its brand.
>
> Somehow, Apple's app vetting process-long vaunted even though Apple has
> provided few specifics-failed to spot the LastPass lookalike. Apple removed
> LassPass Thursday morning, two days, LastPass said, after it flagged the
> app to Apple and one day after warning its users the app was fraudulent.
>
> "We are raising this to our customers' attention to avoid potential
> confusion and/or loss of personal data," LastPass Senior Principal
> Intelligence Analyst Mike Kosak wrote.
>
> A LastPass representative said the company learned of the app on Tuesday
> and focused its efforts on getting it removed rather than analyzing its
> behavior. Company officials don't have information about precisely what
> LassPass did when it was installed or when it first appeared in the App
> Store.
>
> Apple representatives didn't respond to an email asking questions about the
> incident or its vetting process or policies.

I have yet to see anywhere that says the fake app does anything
actually wrong, as in bein "malware". Even the LastPass developers say
above that they haven't bothered to see what it does.

At worst, it's just a knock-off app using a similar name to potentially
trick people into getting it by mistake. There are hundreds of
knock-off apps that copy someone else's idea on the Apple App Store and
thousands on the Google Play store.

Yet another storm in a thimble being over-exaggerated by the anti-Apple
nutters and teh lazy news media. :-\

Your Name wrote:
> On 2024-02-09 07:43:34 +0000, david said:
>
>> Apple didn't find it. LastPass did. It easily slipped through
>> whatever meager (perhaps non existent?) malware tests that
>> Apple supposedly runs.
>>
>> https://arstechnica.com/security/2024/02/a-password-manager-lastpass-calls-fraudulent-booted-from-app-store/
>>
>> A password manager LastPass calls fraudulent booted from App
>> Store
>>
>> As Apple has stepped up its promotion of its App Store as a
>> safer and more
>> trustworthy source of apps, its operators scrambled Thursday
>> to correct a
>> major threat to that narrative: a listing that password
>> manager maker
>> LastPass said was a "fraudulent app impersonating" its brand.
>>
>> Somehow, Apple's app vetting process-long vaunted even though
>> Apple has
>> provided few specifics-failed to spot the LastPass lookalike.
>> Apple removed
>> LassPass Thursday morning, two days, LastPass said, after it
>> flagged the
>> app to Apple and one day after warning its users the app was
>> fraudulent.
>>
>> "We are raising this to our customers' attention to avoid
>> potential
>> confusion and/or loss of personal data," LastPass Senior
>> Principal
>> Intelligence Analyst Mike Kosak wrote.
>>
>> A LastPass representative said the company learned of the app
>> on Tuesday
>> and focused its efforts on getting it removed rather than
>> analyzing its
>> behavior. Company officials don't have information about
>> precisely what
>> LassPass did when it was installed or when it first appeared
>> in the App
>> Store.
>>
>> Apple representatives didn't respond to an email asking
>> questions about the
>> incident or its vetting process or policies.
>
> I have yet to see anywhere that says the fake app does anything
> actually wrong, as in bein "malware". Even the LastPass
> developers say above that they haven't bothered to see what it
> does.
>
> At worst, it's just a knock-off app using a similar name to
> potentially trick people into getting it by mistake. There are
> hundreds of knock-off apps that copy someone else's idea on the
> Apple App Store and thousands on the Google Play store.
>
> Yet another storm in a thimble being over-exaggerated by the
> anti-Apple nutters and teh lazy news media.  :-\
>

Some people are just really mean to poor old apple. It's the
most mistreated company in history. Everybody sues them! For
minor stuff, and apple NEVER sues anybody else, and never tries
to ...

Your Name wrote:
> On 2024-02-09 07:43:34 +0000, david said:
>
>> Apple didn't find it. LastPass did. It easily slipped through
>> whatever meager (perhaps non existent?) malware tests that
>> Apple supposedly runs.
>>
>> https://arstechnica.com/security/2024/02/a-password-manager-lastpass-calls-fraudulent-booted-from-app-store/
>>
>> A password manager LastPass calls fraudulent booted from App
>> Store
>>
>> As Apple has stepped up its promotion of its App Store as a
>> safer and more
>> trustworthy source of apps, its operators scrambled Thursday
>> to correct a
>> major threat to that narrative: a listing that password
>> manager maker
>> LastPass said was a "fraudulent app impersonating" its brand.
>>
>> Somehow, Apple's app vetting process-long vaunted even though
>> Apple has
>> provided few specifics-failed to spot the LastPass lookalike.
>> Apple removed
>> LassPass Thursday morning, two days, LastPass said, after it
>> flagged the
>> app to Apple and one day after warning its users the app was
>> fraudulent.
>>
>> "We are raising this to our customers' attention to avoid
>> potential
>> confusion and/or loss of personal data," LastPass Senior
>> Principal
>> Intelligence Analyst Mike Kosak wrote.
>>
>> A LastPass representative said the company learned of the app
>> on Tuesday
>> and focused its efforts on getting it removed rather than
>> analyzing its
>> behavior. Company officials don't have information about
>> precisely what
>> LassPass did when it was installed or when it first appeared
>> in the App
>> Store.
>>
>> Apple representatives didn't respond to an email asking
>> questions about the
>> incident or its vetting process or policies.
>
> I have yet to see anywhere that says the fake app does anything
> actually wrong, as in bein "malware". Even the LastPass
> developers say above that they haven't bothered to see what it
> does.
>
> At worst, it's just a knock-off app using a similar name to
> potentially trick people into getting it by mistake. There are
> hundreds of knock-off apps that copy someone else's idea on the
> Apple App Store and thousands on the Google Play store.
>
> Yet another storm in a thimble being over-exaggerated by the
> anti-Apple nutters and teh lazy news media.  :-\
>

Maybe you're right. After all, the apple app store contains
mostly rubbish anyway. At best, you're downloading harmless,
but flakey shit. Useful programs are few and far between,
though there are some worth keeping, and even paying for.

On Fri, 9 Feb 2024 17:31:38 -0600, Hank Rogers wrote:

>> Yet another storm in a thimble being over-exaggerated by the
>> anti-Apple nutters and teh lazy news media.� :-\
>>
>
> Maybe you're right. After all, the apple app store contains
> mostly rubbish anyway. At best, you're downloading harmless,
> but flakey shit. Useful programs are few and far between,
> though there are some worth keeping, and even paying for.

The fact it happened is the proof of Apple's hollow boasts of security.
In addition to the fact Apple didn't even notice it.
And that it took days fro Apple jut to figure out what had happened.
Even after being told exactly what had happened.
From reliable sources.

The Apple propagandists want to minimize that Apple *removed* the app,
which even those apostles of the Apple-can-do-no-wrong evangelism can't
deny that it was (the real) LastPass who had to get Apple to remove it.

What it shows is Apple's gasconades about vetting apps are a hollow shell.
The fact is obvious Apple doesn't test apps at all for fraudulent malware.

On 2024-02-10 02:22:45 +0000, Oscar Mayer said:
> On Fri, 9 Feb 2024 17:31:38 -0600, Hank Rogers wrote:
>>>
>>> Yet another storm in a thimble being over-exaggerated by the anti-Apple
>>> nutters and teh lazy news media.  :-\
>>
>> Maybe you're right. After all, the apple app store contains mostly
>> rubbish anyway. At best, you're downloading harmless, but flakey shit.
>> Useful programs are few and far between, though there are some worth
>> keeping, and even paying for.
>
> The fact it happened is the proof of Apple's hollow boasts of security.

What happened?? Some lazy developer created a copy-cat app ... that's
got absolutely nothing to do with "security".

Until someone finds out whether or not the app actually does something
nasty, it's just the usual massive load of over-hyped bukllshit by the
anti-Apple nutters.

> In addition to the fact Apple didn't even notice it. And that it took
> days fro Apple jut to figure out what had happened. Even after being
> told exactly what had happened. From reliable sources.

There are hundreds of copy-cat apps on the Apple App Store.
There are *thousands* of copy-cat apps on teh Google Play Store.

There will always be lazy developers who try to cash in on someone
else's idea. (Not just app developers either - just lok at all the
copy-cat TV shows, movies, and books that get made!)

> The Apple propagandists want to minimize that Apple *removed* the app,
> which even those apostles of the Apple-can-do-no-wrong evangelism can't
> deny that it was (the real) LastPass who had to get Apple to remove it.
>
> What it shows is Apple's gasconades about vetting apps are a hollow shell.
> The fact is obvious Apple doesn't test apps at all for fraudulent malware.

And another braindead anti-Apple cretin joins the killfile.

On 2024-02-09 18:22, Oscar Mayer wrote:
> On Fri, 9 Feb 2024 17:31:38 -0600, Hank Rogers wrote:
>
>>> Yet another storm in a thimble being over-exaggerated by the
>>> anti-Apple nutters and teh lazy news media.� :-\
>>>
>>
>> Maybe you're right. After all, the apple app store contains mostly
>> rubbish anyway. At best, you're downloading harmless, but flakey shit.
>> Useful programs are few and far between, though there are some worth
>> keeping, and even paying for.
>
> The fact it happened is the proof of Apple's hollow boasts of security.

No...

....it really isn't...

....Arlen.

> In addition to the fact Apple didn't even notice it.
> And that it took days fro Apple jut to figure out what had happened.
> Even after being told exactly what had happened.
> From reliable sources.
>
> The Apple propagandists want to minimize that Apple *removed* the app,
> which even those apostles of the Apple-can-do-no-wrong evangelism can't
> deny that it was (the real) LastPass who had to get Apple to remove it.
>
> What it shows is Apple's gasconades about vetting apps are a hollow shell.
> The fact is obvious Apple doesn't test apps at all for fraudulent malware.

This has literally nothing to do with malware...

....Arlen.

Your Name wrote:
> On 2024-02-10 02:22:45 +0000, Oscar Mayer said:
>> On Fri, 9 Feb 2024 17:31:38 -0600, Hank Rogers wrote:
>>>>
>>>> Yet another storm in a thimble being over-exaggerated by
>>>> the anti-Apple nutters and teh lazy news media.  :-\
>>>
>>> Maybe you're right. After all, the apple app store contains
>>> mostly rubbish anyway. At best, you're downloading harmless,
>>> but flakey shit. Useful programs are few and far between,
>>> though there are some worth keeping, and even paying for.
>>
>> The fact it happened is the proof of Apple's hollow boasts of
>> security.
>
> What happened?? Some lazy developer created a copy-cat app ...
> that's got absolutely nothing to do with "security".
>
> Until someone finds out whether or not the app actually does
> something nasty, it's just the usual massive load of over-hyped
> bukllshit by the anti-Apple nutters.
>
>
>
>> In addition to the fact Apple didn't even notice it. And that
>> it took days fro Apple jut to figure out what had happened.
>> Even after being told exactly what had happened. From
>> reliable sources.
>
> There are hundreds of copy-cat apps on the Apple App Store.
> There are *thousands* of copy-cat apps on teh Google Play Store.
>
> There will always be lazy developers who try to cash in on
> someone else's idea. (Not just app developers either - just lok
> at all the copy-cat TV shows, movies, and books that get made!)
>
>
>
>> The Apple propagandists want to minimize that Apple *removed*
>> the app,
>> which even those apostles of the Apple-can-do-no-wrong
>> evangelism can't
>> deny that it was (the real) LastPass who had to get Apple to
>> remove it.
>>
>> What it shows is Apple's gasconades about vetting apps are a
>> hollow shell.
>> The fact is obvious Apple doesn't test apps at all for
>> fraudulent malware.
>
> And another braindead anti-Apple cretin joins the killfile.
>

Good for you. Kill 'em all.

On 2/9/2024 11:15 PM, Hank Rogers wrote:

>> And another braindead anti-Apple cretin joins the killfile.
>>
>
> Good for you. Kill 'em all.

It's about Apple boasting that they check for malware when it's clear that
Apple never once checked for fraudulent malware (which is likely rampant).

That this got through Apple's "tests" shows what a sham Apple's tests are.

On 2024-02-09 21:02, Larry Wolff wrote:
> On 2/9/2024 11:15 PM, Hank Rogers wrote:
>
>>> And another braindead anti-Apple cretin joins the killfile.
>>>
>>
>> Good for you. Kill 'em all.
>
> It's about Apple boasting that they check for malware when it's clear that
> Apple never once checked for fraudulent malware (which is likely rampant).
>
> That this got through Apple's "tests" shows what a sham Apple's tests are.

Not discovering that an app is trying to pretend to be another app has
literally NOTHING to do with checking for malware.

On 2024-02-10, Larry Wolff <larrywolff@larrywolff.net> wrote:
> On 2/9/2024 11:15 PM, Hank Rogers wrote:
>
>>> And another braindead anti-Apple cretin joins the killfile.
>>
>> Good for you. Kill 'em all.
>
> It's about Apple boasting that they check for malware when it's clear
> that

This app isn't malware. All you loser trolls have are lies.

--
E-mail sent to this address may be devoured by my ravenous SPAM filter.
I often ignore posts from Google. Use a real news client instead.

JR

On 2024-02-09 13:38, david wrote:
> Using <news:lQtxN.354397$xHn7.233020@fx14.iad>, Alan Browne wrote:
>
>>> I would never use any of these apps. Storing passwords online just seems
>>> incredibly foolish to me.
>>
>> As long as one guards the password to that file (and that password is
>> not guessable) it is perfectly safe to store it online.
>
> Nobody could deny this app easily slipped through Apple's checks and
> nobody could deny it took Apple too long to react (at least if you ask

Again you don't understand what happened. No surprise.

--
“Markets can remain irrational longer than your can remain solvent.”
- John Maynard Keynes.

On 2024-02-09 21:22, Oscar Mayer wrote:
> On Fri, 9 Feb 2024 17:31:38 -0600, Hank Rogers wrote:
>
>>> Yet another storm in a thimble being over-exaggerated by the
>>> anti-Apple nutters and teh lazy news media.� :-\
>>>
>>
>> Maybe you're right. After all, the apple app store contains mostly
>> rubbish anyway. At best, you're downloading harmless, but flakey shit.
>> Useful programs are few and far between, though there are some worth
>> keeping, and even paying for.
>
> The fact it happened is the proof of Apple's hollow boasts of security.
> In addition to the fact Apple didn't even notice it.
> And that it took days fro Apple jut to figure out what had happened.
> Even after being told exactly what had happened.
> From reliable sources.
>
> The Apple propagandists want to minimize that Apple *removed* the app,
> which even those apostles of the Apple-can-do-no-wrong evangelism can't
> deny that it was (the real) LastPass who had to get Apple to remove it.

You're another one who doesn't get it and is breathlessly piling on
Apple in the typical mindless manner of your ilk.

The app in question would pass all of the Apple "checks" as it is not
designed as malware per se, but as an imposter - social engineering to
be more clear.

This is a security issue only because the imposter co. has no earned
credibility. So the app will behave correctly, but you have no idea if
the app is actually not giving up the data to the creator of the product.

LastPass and 1Password have earned trust in this domain. Otherwise they
are no more "safer" than the imposter co. except by earned reputation:
they do not "look into" the data they guard for you. (Claimed and not
found to be not so).

For every app on the app store there are a few to a few dozen similar
apps with similar names and similar logos. They are "good" in the sense
they meet Apple's security requirements. This imposter app is no
different. We just don't know if, "under the hood" it is violating the
trust that such apps (password managers) require.

--
“Markets can remain irrational longer than your can remain solvent.”
- John Maynard Keynes.

Using <news:kqLxN.280713$Ama9.98273@fx12.iad>, Alan Browne wrote:

>> Nobody could deny this app easily slipped through Apple's checks and
>> nobody could deny it took Apple too long to react (at least if you ask
>
> Again you don't understand what happened. No surprise.

What do you disagree with of my understanding based on the reports?

1. *Apple pulled it* after LastPass asked them to remove it.
2. Apple took a few days and then fully *agreed* with LastPass.
2. LastPass clearly publicly says it's *fraudulent malware*.

Which do you dispute and what is your basis for that dispute?

Using <news:sSLxN.84694$GX69.51323@fx46.iad>, Alan Browne wrote:

> The app in question would pass all of the Apple "checks" as it is not
> designed as malware per se, but as an imposter - social engineering to
> be more clear.

You're trying to excuse why you don't like what happened.
Without understanding what happened.

Apple removed it.
Because it didn't meet Apple's requirements.

You don't like that Apple removed it, but that's what Apple did.
You don't like why Apple removed it perhaps, but Apple removed it.

What this shows is what you don't like.
It clearly and very publicly shows that Apple's boasts are hollow.

> This is a security issue only because the imposter co. has no earned
> credibility. So the app will behave correctly, but you have no idea if
> the app is actually not giving up the data to the creator of the product.

The fact Apple *removed* it (after testing it) is all you need to know.

That means it failed Apple's requirements.
Only Apple didn't even know it.
Until Apple was told about it.

Which means Apple didn't check for it meeting their requirements.
Apple's boasts are hollow.

> LastPass and 1Password have earned trust in this domain. Otherwise they
> are no more "safer" than the imposter co. except by earned reputation:
> they do not "look into" the data they guard for you. (Claimed and not
> found to be not so).

Absolutely.
Apple doesn't bother to check what you call "trust" for any app.
Apple's boasts are hollow.

> For every app on the app store there are a few to a few dozen similar
> apps with similar names and similar logos. They are "good" in the sense
> they meet Apple's security requirements.

Apple removed it on the request of LastPass.
That means it failed Apple's requirements.
That this happened after the fact shows Apple's boasts are hollow.

> This imposter app is no
> different. We just don't know if, "under the hood" it is violating the
> trust that such apps (password managers) require.

What it shows, by the fact Apple removed it after LastPass notified Apple
of the app, and after Apple took two days to investigate it, is that it
slipped by what you call 'trust' and that means plenty of others did too.

That it happened shows Apple's boasts are hollow.

Using <news:l2ofkiFg2ogU1@mid.individual.net>, Jolly Roger wrote:

>> It's about Apple boasting that they check for malware when it's clear
>> that
>
> This app isn't malware.

LastPass called it "Fraudulent Malware" and Apple subsequently removed it.
After testing it for two days (according to the reports).

So what's clear is it didn't meet Apple's requirements.
And yet, it was there. Which likely indicates plenty of others are also.

That it happened clearly shows Apple's boasts are hollow.
That's what you don't like.

And you shouldn't like it.
Blame Apple. Not LastPass.

All LastPass did was inform Apple the app passed Apple's checks and yet the
app clearly does not meet Apple's boastful requirements.

Otherwise, Apple wouldn't have removed it after investigating it for days.

On 2024-02-10 14:54, david wrote:
> Using <news:kqLxN.280713$Ama9.98273@fx12.iad>, Alan Browne wrote:
>
>>> Nobody could deny this app easily slipped through Apple's checks and
>>> nobody could deny it took Apple too long to react (at least if you ask
>>
>> Again you don't understand what happened.  No surprise.
>
> What do you disagree with of my understanding based on the reports?
>
> 1. *Apple pulled it* after LastPass asked them to remove it.
> 2. Apple took a few days and then fully *agreed* with LastPass.
> 2. LastPass clearly publicly says it's *fraudulent malware*.
>
> Which do you dispute and what is your basis for that dispute?

You said it passed through Apple's checks. Quite right. Of course it
did, because it was not malware per se. It is imposter ware, perhaps,
and there is no way Apple could control for that.

Lastpass did __not__ say the imposter was malware, by the way.

As explained elsewhere, when one trusts Lastpass or 1Password to be a
password locker manager, one is putting full faith in their reputations
- fact is, if they wanted, they could be sucking all the data out of
your "locker" along with the decrypt key and use it maliciously.

Fortunately they have instead earned the trust of millions of users to
use their products as reliable purpose made apps.

As to the imposter ware, it is malware free as far as anyone knows, but
nobody has tested it sufficiently to see if it is trustworthy.

Now I expect the above is confusing to you, because you are what you are.

--
“Markets can remain irrational longer than your can remain solvent.”
- John Maynard Keynes.

On 2024-02-10 15:05, david wrote:
> Using <news:sSLxN.84694$GX69.51323@fx46.iad>, Alan Browne wrote:
>
>> The app in question would pass all of the Apple "checks" as it is not
>> designed as malware per se, but as an imposter - social engineering to
>> be more clear.
>
> You're trying to excuse why you don't like what happened.
> Without understanding what happened.
>
> Apple removed it. Because it didn't meet Apple's requirements.

Because LastPass protested over the imposter ware attempting to pass it
off as a LastPass product.

No indication that it was malware. It certainly didn't trip Apple's
malware detection algorithms.

And Lastpass seem to state they don't know if the imposter was in fact
malicious.

Balance of your circular head amusement snipped.

--
“Markets can remain irrational longer than your can remain solvent.”
- John Maynard Keynes.

On 2024-02-10 15:09, david wrote:
> Using <news:l2ofkiFg2ogU1@mid.individual.net>, Jolly Roger wrote:
>
>>> It's about Apple boasting that they check for malware when it's clear
>>> that
>>
>> This app isn't malware.
>
> LastPass called it "Fraudulent Malware" and Apple subsequently removed it.
> After testing it for two days (according to the reports).

Please link to the "reports" you're citing.

--
“Markets can remain irrational longer than your can remain solvent.”
- John Maynard Keynes.