Apparently Apple allowed a fake version of the Trezor app to be distributed via the App Store - costing one user more than half a million USD in bitcoin. Aside from the dubious nature of using mobile phone apps to manage large amounts of cryptocurrency, the problem seems to be that Apple is unable to review the source code of most apps in the store. They analyze compiled binaries when reviewing apps for the store. That doesn’t seem like the most reliable method of detecting malicious payloads.
Welcome to Apple’s prison. I still think the person should check reviews of a program and publisher before installing a proprietary program to manage so much money though.
In the MacRumors article, the one scammed, Phillipe Christodoulou, has this backstory:
Christodoulou wanted to check on his bitcoin balance back in February, and searched Apple’s App Store for “Trezor,” the company that makes the hardware device where he stored his cryptocurrency. He saw an app with the Trezor padlock logo and a green background, so he downloaded it and entered his credentials.
Unfortunately, the app was fake, and was designed to look like a legitimate app to fool bitcoin owners. Christodoulou had his total bitcoin balance stolen from him, and he’s angry with Apple. “Apple doesn’t deserve to get away with this,” he told The Washington Post.
Christodoulou is essentially a swindled victim of a phishing app. I noticed in particular that he was angry with Apple and not the app developer, as if he placed more trust in Apple than in the app itself. That is a very disturbing revelation.
That is part of the problem with Apple checking apps and claiming that the walled prison offers security. When a bad app slips through (as happened here), Apple gets blamed.
The user would no doubt argue that he is not qualified to perform any validation on the app, so the validation performed by Apple is of some value - and he has come to rely on it.
I don’t use the Apple Store but doesn’t this kind of thing come out with digital signatures?
Relying on a logo or a branding color scheme is obviously bad. He should be, in part, angry with himself.
Why blame oneself when one can blame another?
Though I do wonder what sort of guarantee (or “guarantee”) Apple offers. Probably none, but clearly it isn’t perceived this way.