Apple’s App Store isn’t always as trustworthy as the company claims. The latest example comes from RockAuto, an auto parts dealer popular with home mechanics and other DIYers, which is upset that a fake app masquerading as its official app has not been removed from the App Store, despite numerous complaints to Apple.
RockAuto co-founder and president Jim Taylor was first alerted to the situation when customers began complaining about “annoying ads” in its app — something he said “surprised us since we don’t have an app.”
“We discovered someone placed an app in the Apple App Store using our logo and company information — but with the misspellings and clumsy graphics typical of phishing schemes,” he told TechCrunch.
On closer inspection, the fake app doesn’t look very legit, but it’s easy to see how someone could be fooled. Its App Store images show a photo of a truck with the word “Heading” across the image as if a template was hastily used and the work was unfinished. In addition, despite being titled “RockAuto” on the App Store, the app refers to itself as “RackAuto” throughout its App Store description.
What’s more, it promises customers that “Your privacy is a top priority” and that “all your data is securely stored and encrypted, giving you peace of mind.” That’s not likely, given the nature of this app.
The issue is concerning not only because of the app’s ability to fool at least some portion of RockAuto’s customers but also because it undermines Apple’s messaging about how the App Store is a trusted and secure marketplace — which is why it demands a cut of developers’ in-app purchase transactions. The tech giant has been fighting back against regulations like the EU’s Digital Markets Act (DMA) by claiming these laws would compromise customer safety and privacy. Apple believes that customers will be at risk if they conduct business outside its App Store with unknown parties. But, as these cases show, bad actors can too easily infiltrate its own app marketplace as well.
Apple has so far ignored RockAuto’s requests to remove the fake app, which were all sent through proper channels, according to documentation the company shared with TechCrunch.
While searching for a solution to this problem, RockAuto came across our coverage of a similar situation with LastPass. The password manager was the victim of the same kind of scheme when a fake app pretending to be LastPass was live on the App Store for weeks. LastPass eventually had to warn its customers publicly in a blog post, as Apple did not take the fake app down until after the press coverage and LastPass’s own post went live.
Apple didn’t respond to requests for comment at the time. The company wasn’t immediately available for comment about RockAuto’s complaint either.
Taylor says that RockAuto’s Customer Service manager initially reached out to Apple to resolve the situation. When he didn’t get a response, Taylor got involved.
“It’s mostly one-way since the only replies we’ve had from Apple are ‘you shouldn’t have emailed, go use the online form’ and ‘upload screen prints of the app store listing and your trademark registration,’” Taylor explains. RockAuto had already done both, its documentation indicates.
“Neither the uploaded documents nor the online form submissions produced any response at all,” Taylor noted, “not even the promised ‘case number in 24 hours’ despite multiple submissions.”
Since filing the complaint on April 18, 2024, RockAuto has shared its trademark registration with Apple, emailed the company, called the number provided on Apple’s copyright infringement page, sent a DMCA Takedown request and filled out Apple’s required forms.
It has not received anything other than automated responses and the fake app remains live as of the time of publication.
techcrunch.com