by dimask 740 days ago
It was a disaster waiting to happen. I had entirely disabled automatic updates for my iPhone apps specifically because of this kind of risk with this specific app. An OTP app is sold to some totally shady guy, what can go wrong? Though tbh I must say I did not expect extortion; rather, I was more afraid of malware that would just steal the TOTPs and sell them on the dark web.
1 comments

The problem with defending against this "attack vector" orchestrated by Tijme Gommers and MobiMe is that you basically have to check your apps intermittently to make sure they haven't been sold and disable all updates, as you say.

The lesson I've learned is: don't trust anything on the app store controlled by a single guy. In the end the incentive structure is there for him to sell all my data and fuck me over, and indeed that is exactly what he did. Now I just use Apple's own TOTP manager. It's not open source, but they are not incentivised to fuck me over in the way Tijme Gommers did, at least.