Breadwallet LLC, maker of a bitcoin wallet, posted on Reddit.com that multiple fake bitcoin wallets were in the Apple App Store stealing users' funds or worse. The fake apps reused portions of legitimate source code, icons, and graphics from legitimate apps on Google Play – all to fool users into thinking they were using official wallets.
It identified the following (links disabled) and Apple promptly checked and removed the offenders – but there may be more.
- GreenAddress – Bitcoin Wallet https://itunes.apple.com/us/app/greenaddress-bitcoin-wallet/id1139753685?mt=8
- Simple Bitcoin Wallet https://itunes.apple.com/us/app/simple-bitcoin-wallet/id1138700421?mt=8
- Simple Bitcoin Wallet https://itunes.apple.com/us/app/simple-bitcoin-wallet/id1140433170?mt=8
- GreenBits Bitcoin Wallet https://itunes.apple.com/us/app/greenbits-bitcoin-wallet/id1138675915?mt=8
- Bitcoin Wallet https://itunes.apple.com/us/app/bitcoin-wallet/id1137555856?mt=8
- Bitcoin Armory Wallet – Bitcoin offline wallet https://itunes.apple.com/us/app/bitcoin-armory-wallet-bitcoin/id1139569125?mt=8
- Blockchain – Offline Bitcoin Wallet https://itunes.apple.com/us/app/blockchain-offline-bitcoin/id1140411956?mt=8
- BitcoinCore – Bitcoin Wallet https://itunes.apple.com/us/app/bitcoincore-bitcoin-wallet/id1140170409?mt=8
The Reddit comments were full of incredulous people decrying the trust they had placed in Apple’s App store. “I thought they had a decent vetting process,” said one. To which another responded, “Had is the past tense.”
The App Store is supposed to be 100% safe. Its vetting process has come under criticism on every front, from the way it reduces competition with Apple's own apps to the quality of its security vetting; you can drive a truck through it.
One writer said (paraphrased to remove duplication):
In the early days apps were rejected for duplicating Apple's existing functionality – nothing in the store could directly compete, e.g. the Google Maps fiasco, where Apple had removed the default Maps in favour of Apple Maps.
Apple claims, and we believe, that its review catches security-related issues, but it falls far short. Without a full code review, Apple cannot address more than the obvious security concerns. Fake apps are a big issue, and it missed these by a mile.
“For a long time, it seemed as though Apple’s tight controls over its ecosystem were a fairly impenetrable measure against nefarious applications, malware, and junk,” John Casaretto, founder of BlackCert, an SSL security certificate company, told SiliconANGLE.
“Clearly, that is not the case anymore and in an instant, the Application Development Signing Certificates, the Apple Developer Program, and the application review process are all negated by a handful of malicious apps that have made their way through. It goes to show that assumptions can get people in trouble, especially when a financial target such as Bitcoin is involved. The best practice is to stick to the source and official apps to stay on the safe side.”
Remember that Apple is the sole arbiter of what goes on the app store. Nothing hits the store without its approval. The buck has to stop there.