Apple’s app-vetting procedures are in the spotlight this week, as not one but two news stories demonstrate the grave consequences of what appears to be a troublingly lackadaisical approach at the Cupertino-based company.
Case study 1: “Ledger Live”
On Tuesday, the crypto news site CoinDesk reported on a week-long phishing campaign predicated on the use of a cloned Mac app. Financial hackers created a cloned app called Ledger Live, using the former name of a legitimate wallet app for iOS and macOS, and managed to get it accepted by the Mac App Store. Users of this app were prompted to enter their recovery phrases (the seed words from which a wallet’s private keys are derived, so whoever holds them controls the funds), and those who did so had their wallets completely emptied. CoinDesk says the scam affected more than 50 victims and resulted in the loss of at least $9.5m worth of Bitcoin, Ether, and other cryptocurrencies.
One victim, a musician going by the name G. Love, vented his frustrations on X. “I had a really tough day today,” he wrote. “I lost my retirement fund… All my BTC [Bitcoin] gone in an instant.” He later clarified that his losses totalled 5.9 BTC, which at current valuations is worth almost $75,000.
To most of us such a loss would be devastating. But the scam’s unluckiest victims were hit a great deal harder. ZachXBT reports that the three biggest individual losses were worth $2m, $2.1m, and $3.2m respectively.
The app has now been removed from the App Store, but victims and commentators are questioning how the software made it past Apple’s vetting process in the first place. It’s also unclear how the fake app remained on the store for a fortnight, reportedly taking people’s money for the entire second week of that period, before the company took action. ZachXBT has even floated the idea of a class-action lawsuit, although at this point that remains speculation.
Case study 2: Freecash
With unhappy timing, news of this scam broke in the same week as the banning of Freecash, as reported by Macworld’s sister site TechCrunch. In adverts, Freecash offered to pay users to scroll on TikTok, but this was a flimsy veil for its real purpose: harvesting sensitive data. By installing and running the app, users were giving up data about anything from their religion to their sexual orientation, which the makers happily sold on to third parties.
Many free apps are built on a data-harvesting business model, and such practices are not in themselves illegal or against the App Store’s terms and conditions. But critics complained that Freecash was harvesting data in a way which was manipulative and misleading. In January, Wired reported that the app used deceptive marketing techniques (the app’s makers deny this allegation, stating that “Our apps are fully compliant with the Apple App Store and Google Play Store policies, as demonstrated by the fact that they are live and regularly pass platform reviews”), and TikTok banned some of its ads. But it wasn’t until this week, shortly after being contacted by TechCrunch (perhaps coincidentally), that Apple finally pulled the app.
That decision would appear to indicate that Freecash does not, contrary to its makers’ protestations, meet the standards of Apple’s App Store. (The Android app is still showing up for me in Google search, but the URL it directs to no longer works. Presumably, then, it’s been kicked off Google Play too.) But once again, it’s unclear why Apple’s vetting team wasn’t able to spot this shortcoming before welcoming the app on to the company’s official storefront. Or why it took so long to take action against an app whose murkier practices had been highlighted by journalists months previously.
Rotten to the Store: The wider story
I should emphasize at this point that the main reason I’ve discussed these two cases in the same article is that the stories happened to break in the same week. They each, in their own way, reflect poorly on Apple’s vetting procedures, but that doesn’t mean they’re in the same ballpark of misbehavior. The first case study above is straightforward larceny, while the second is more complicated: an ethically dubious developer choosing to skirt the boundaries of what is and isn’t permitted for personal gain. The principle is the same, but the offenders are not.
There are two facts which unite these two apps. First, Apple allowed them on to the App Store when it absolutely should not have done. Second, when problems emerged, it let them stay there longer than it had any business doing. And these raise major concerns about the way the App Store is run, and the rationale behind Apple’s stewardship of the market for apps on its products.
After all, the whole point of the App Store is to give owners of Apple devices peace of mind that the software they’re installing is legitimate and won’t cause any problems. Craig Federighi has claimed that sideloading, the installation of apps through non-official means, is a cybercriminal’s best friend. But what are customers supposed to think when even officially sanctioned software is liable to steal their secrets and their money? In what way is the official store better than buying it (likely at a lower price) direct from the developer? What does vetting actually involve, other than a malware scan and the eager exchange of bank details? What is the App Store bringing to the table at this point, other than an outstretched hand?
This week has been unusually bad, but stories of this sort don’t come as a surprise any more. The App Store of 2026 is absolutely stuffed with slop, scams, and clones, propped up by an ecosystem of fake reviews pushing undeserving apps to the top of the charts. Phil Schiller was complaining about “insane” scam apps 14 years ago, and to the casual eye it’s difficult to see that things have got any better.
Reports in the past few years have identified everything from fleeceware VPNs to exploitative knockoffs of popular games. Search is broken, foregrounding apps blatantly designed to trick you into clicking on the wrong thing; selling ads here doesn’t help matters. So-called trash apps are essentially a licence to print money.
The App Store, in other words, is rotten. And whatever Apple’s app-vetting procedure is, it’s not working. Perhaps that reflects the magnitude of the job. At last count there were approximately two million iOS apps on the store, which across its 18-year history equates very roughly to 9,000 per month. Factor in the acceleration over time, not to mention all the other apps that were vetted once but have since been removed because the developers stopped updating them, and that’s a lot of vetting, even for a company with major resources.
But is that an excuse? Not really. If running an app store is too much trouble, close it down. If comprehensive vetting is impractical, stop pretending the App Store is completely safe. (And definitely stop scaremongering about sideloading.) If you can’t make the App Store a truly reliable resource for good, safe, legitimate software, then give iPhone users the freedom to install from other places. Or just stop pretending the App Store monopoly is about anything other than revenue.