Oh dear. I’m sorry but you really don’t have a clue on how these things work. That is the purpose of a recovery seed. If it couldn’t do that then how would you deal with hardware failure, a fire?, a flood? Etc.
My assumption is that the wallet regeneration algorithm from the seeds should be known only to Trezor for Trezor's devices. I don't know if there's a standard for this seed -> wallet transformation tho.

You're right in that I don't really know how a hardware e-wallet works. I just know how the blockchain works.
 
The last 40 years have shown that "trickle down" economics is a fairy story and it is incredible that people still believe in it. It's like the free market - it doesn't work and has never worked.
The real issue is that there is no free market, governments keep interfering in them and creating imbalance with the intention to remove imbalance.
I don't care, Apple says the store apps are pre-approved; they should be held accountable. If this guy downloaded off the net then it's not their fault.
I'm sorry but you don't seem to understand the actual issue here. Even if it was a legit application and not trying to fake it, the action the guy undertook should never take place on a mobile device. That is not Apple's fault to guard against such basics of someone else's product.
No, I am not assuming they should be perfect and neither want them to be, since that is always a pursuit, never to be attained.

What I am saying, again, is that this is pretty basic thing to test out in an app when submitted - that it does what it claims to do and it is not a malicious app. That is all I am saying, and yes, this most basic check is unforgivable. Every other check builds on this most basic check when it comes to user safety.
This check could have passed all those checks. And there is nothing illegit about it. Sharing recovery keys like that is just stupidity of the first order. That is not Apple's or any other company's fault. The product that he uses clearly states that you shouldn't do that. Heck you should store it in parts off-site and well protected. Don't let anyone have the full seed.
 
My assumption is that the wallet regeneration algorithm from the seeds should be known only to Trezor for Trezor's devices. I don't know if there's a standard for this seed -> wallet transformation tho.

You're right in that I don't really know how a hardware e-wallet works. I just know how the blockchain works.
Let's think of the most logical and simplistic scenario; if someone types in the recovery seed in an app or online portal. They don't have to there and then unlock it and gain access. They just need to capture and enter those recovery seed phrases in their own trezor device or any other such device...They don't cost much, you can buy them from Amazon. Heck it is a good idea to have a few anyway...
 
This is not good. Regardless of the app or purpose, the whole point of App store is meant to be security and garden walled approach. 30% commission and we still get scammers? Not good for customers at all
Exactly. You'd think after taking 30% and promoting the safety of the App Store that Apple would own up to their share of the blame here. But nope.

Very disappointing.
 
Exactly. You'd think after taking 30% and promoting the safety of the App Store that Apple would own up to their share of the blame here. But nope.

Very disappointing.
In your haste to feel disappointed do you actually understand and realise what is happening in this scenario? And when you do, do you still find it disappointing that Apple didn't block this?
 
Believe it or not, it really doesn't matter what your opinion of bitcoin is, Apple shouldn't have approved a scam bitcoin wallet app, especially when they claim that the whole reason they charge 30% fees on apps' revenues and keep the closed ecosystem is to do things like keep the app store safe. Apple screwed up and they should reimburse anyone who lost their assets through that app.
 
Just like a car maker can not be blamed if you locked your car up and the thief managed to still steal it, as long as reasonable measures were taken to protect it.
Let’s say it was really the car manufacturer's fault. Now two cases: You left your wallet with $100 in the car and it’s gone. Should the manufacturer pay? Or you left a case with $600,000 of diamonds in your car and it’s gone. Should the car maker pay? It’s kind of reasonable to trust your car locks to protect your $100 wallet, but not to trust them to protect $600,000 worth of stuff.

Apple limits its liability to money back + $100.
 
There have been two cases of companies selling messaging software mostly to criminals, under the assumption that failure could create very high damage (like years of jail time). Both companies charged about $3,000 a year. If you want to protect against huge damages, your supplier must agree to that and it will cost you.

(The fact that it was criminals doesn’t really matter; it was people trying to protect themselves from major damage. The fact that _both_ companies told “customers” that iPhones were not safe enough, and both were _completely_ hacked by the police doesn’t matter for this discussion either, but it’s funny).
 
Believe it or not, it really doesn't matter what your opinion of bitcoin is, Apple shouldn't have approved a scam bitcoin wallet app, especially when they claim that the whole reason they charge 30% fees on apps' revenues and keep the closed ecosystem is to do things like keep the app store safe. Apple screwed up and they should reimburse anyone who lost their assets through that app.
So are you suggesting if Apple didn't charge 30% fees, it would be okay, fine and dandy if there were scam apps in the app store? That is the only way to interpret the above.
 
Apple can check if an app uses a key logger to capture usernames and passwords from another app, it can check if it secretly takes pictures hoping to capture confidential information. It can see if it secretly records audio in the background.

Apple can give you Safari which is a perfectly acceptable ‘safe’ app. You can then go to a fake banking site and enter your details and get your account cleaned out. Would that be their fault too?

You could tweet out your social security number by accidentally pasting it when you had used it earlier for another legitimate reason. Twitter is a ‘safe’ app.

In the scenario we have here, Apple might not even be aware of what the company named used by the app does or makes. If the app doesn’t use any non approved library calls or try to break the sandbox to steal data from your phone it is technically ‘safe’ according to App Store guidelines. If a trademark holder complains about it or user feedback draws attention to it for other reasons it can be investigated and removed. The mostly automated process which checks for hidden/nefarious or undocumented code wouldn’t flag this type of issue. This guy got phished. It could have happened in a web browser.

Apple is making sure that if I download the app and run it, my phone will not be compromised and any data unrelated to the app will not be exposed to it without allowing me to authorize access.

It absolutely cannot guarantee that my interactions with the app can cause me no harm.
 
Real banks and financial institutions have protections in place to reduce the occurrence of these scams, or at the very least give a hope of getting the money back. With cryptocurrency there is no such hope.

This is another example of why cryptocurrency is a bad thing, on top of being bad for the environment.

You have no idea what you are talking about.
 
People need to stop messing around with cryptocrap. It's such a plague causing all kinds of problems. Almost every scam/malware/ransomware uses a bitcoin address of sort.

Crypto is the future of finance, healthcare, contracts - everything. It isn’t going away. New York’s newest COVID-19 Vaccine passport runs on blockchain, for instance. Designed by IBM.
 
Imagine thinking that your phone maker was responsible for you spending real money on fake internet Monopoly money... and your own stupidity in not checking the legitimacy of an app that falls into a category that said phone maker is known to disallow on its service.

Imagine thinking Bitcoin is fake money.
 
I mean, the word resistant isn't the same as immune or proof right? It is still an English word yes? I say this with some banter, because I don't think anything should be advertised with footnotes, but I mean, the word used is resistant, so someone may need to use a dictionary... le sigh, and then I looked it up and am at a loss that the dictionary tied the word to similar words like impervious. It's not until you look at the parent word, resistance that it becomes obvious it's not total, but partial and shouldn't be compared to immunity or imperviousness.
I won’t go into a debate of English words’ meanings, it’s not my language and I would be at a disadvantage.

Apple does however assign an IP rating of 68. Those numbers have a clear meaning too, and are not up to interpretation. If they’re not willing to cover the damages, they shouldn’t advertise it as a feature. It’s just my opinion, others differ and that’s fine. I won’t further derail the conversation, which was about the guy who thought it was a good idea to deposit his life savings on an app with a cool logo.
 
So Apple owes this person 17.1 bitcoins then since it was Apple's fault the app got through.

That's the logic and reasoning the group of pro only Apple app store / anti-3rd party app store people use.

"If you get an app outside of the app store and something bad happens, don't blame Apple for it because you strayed outside of the walled garden. Deal with the 3rd party app store or developer/website you got the app from."

Well, this person got the app from Apple. Apple should take the rap since they had control over this.
The app didn't do anything bad ;)

The guy could have used Safari to submit his recovery seed anywhere. No hardware wallet user should put their seed anywhere ever other than in the hardware device and then only to recreate it after a catastrophic failure. Heck the guy should have gone past a minimum of three offsite locations to get the various parts of that key together before entering it anywhere.
 
It’s not about prevention, it’s about accountability. If the guy had downloaded the app from a third party (like a website or another App Store), then Apple would have nothing to do with this, but because the app was reviewed and approved by Apple itself, it makes it responsible. You could say that Apple allowed a scammer to scam its users the moment it approved it. If Apple is going to play the “privacy/security card” it should be held accountable when things like this happen.
Ok, let's play along. Say you use a password manager, should one be able to enter a recovery seed phrase in there? Or what about a text message? What about an email? To me this is as someone else put it eloquently before, it is about protecting the device and unknowing data capture and leakage, or about stealing the user's data. This isn't really about preventing users from every possible eventuality and stupidity. After all these are just ordinary readable strings of text. Even the manufacturer of the device involved tells the users not to do that...
 
I can’t wait to see how fanboys will defend Apple
This does prove that the AppStore is not the gateway of security that many claim it to be. That said, in the review team’s defense, it’s hard to review something that changes after the fact - many companies use such remote configuration (like mine).

I do feel that Apple is responsible here though as that “the App Store protects users” message goes both ways here.
 
This does prove that the AppStore is not the gateway of security that many claim it to be.[...]
I think what this more proves, is that if someone wants to scam a person there is a way. Saying this proves that app store is not the "gateway of security that many claim" is part truth and part hyperbole. Because I never heard it claimed that 100% of all apps in the app store are free from: scamware, malware, spyware, trojanware, etc.
 
I think what this more proves, is that if someone wants to scam a person there is a way. Saying this proves that app store is not the "gateway of security that many claim" is part truth and part hyperbole. Because I never heard it claimed that 100% of all apps in the app store are free from: scamware, malware, spyware, trojanware, etc.
Indeed, and what seems to have happened here is that the app didn't include any of that. All it had to do was provide a text field input for a user to submit details they really shouldn't submit anywhere other than on their hardware device...
 
I think what this more proves, is that if someone wants to scam a person there is a way. Saying this proves that app store is not the "gateway of security that many claim" is part truth and part hyperbole. Because I never heard it claimed that 100% of all apps in the app store are free from: scamware, malware, spyware, trojanware, etc.
I’d consider it an absolute truth personally, because I often hear people talk about the App Store like it’s the bastion protecting us all from evil and giving the user other options would be far too risky, apparently. But I respect your point.
 

Let’s see if Apple has any recourse here. But then it’s Bitcoin, so maybe the money is as good as gone as well.
I don't think they do. I don't see how they can withhold or refund currencies they do not deal with. IMO those terms only apply to money that runs through their payment systems and APIs even though not explicitly stated. It seems obvious to me anyway. I don't see how they can verify any of this - and it's not like they'll reimburse in Bitcoin - even if they do.

Also, what if this dev cert was stolen? Is the dev on the hook?
 
All I am claiming is that there is plenty of evidence that market and competition lower prices.
That is why AAA video games are so much cheaper and have bucket loads of loot boxes...oh wait a minute that is the opposite of lower prices. This is the same BS argument used to justify not having socialized medicine here in the US.
That’s why we have all those anti-monopoly laws. These are facts. Saying that this logic is baseless clearly shows your bias and refusal to deal with arguments.
The logic is akin to saying Ford has a monopoly on selling Ford cars and about as ridiculous. Meanwhile real monopolies like Cable companies get away with crap all the darn time.
 