Apple Hurts Businesses Again: Lumi Wallet Users May Lose Their Money Due To iOS Keychain

By the end of October, all Lumi Wallet users using iOS devices will be logged out of their wallets because of the legal restructuring of the Lumi company. It might lead to thousands of users losing access to their funds forever.

Sound ridiculous? Let me explain in detail.

In February 2020, our company incorporated a new legal entity in Cyprus due to a strategic decision to be fully incorporated in Europe. Previously we had a legal entity in Hong Kong that was enrolled in the Apple Developer Program.

(Disclaimer: The author is the CEO at Lumi Wallet)

As we have already started the restructuring of the company and the liquidation process of the HK entity, we needed to change the legal entity in the AppStore too. 

After reaching out to Apple Developer Support, Lumi was advised to create a new Apple Developer account using the Cyprus company and to transfer the Lumi app to the newly created account. 

We decided that everything was fine and did strictly as advised. It took us about several weeks and $99, everything was done, and we had transferred our apps.

While preparing a new app version release we received an email from App Store Connect saying: 

“We identified one or more issues with a recent delivery for your app, "Lumi Crypto Wallet" ...Your delivery was successful, but you may wish to correct the following issues in your next delivery: ITMS-90076: Potential Loss of Keychain Access - The previous version of software has an application-identifier value ['TeamID-XXX.com.lumiwallet.HD'] and the new version of software being submitted has an application-identifier of ['Team ID-YYY.com.lumiwallet.HD']. This will result in a loss of keychain access.”

What does it mean?

That definitely surprised us (in a negative way), as in different words it says that ALL our users will be logged out from the application if we release a new version from the new account because our Team ID has changed and the Lumi app will no longer have access to the Keychain as the keychain pass includes the Team ID in its string. 

Lumi is a client-side crypto wallet with no access to users' private keys. They are generated on users' devices and kept in iOS encrypted storage - the Keychain. Every time a user opens the Lumi application, it uses private keys held in the iOS keychain to run the wallet.

Put simply, by making the transfer the Lumi app will no longer be able to retrieve users’ private keys from encrypted storage because the new keychain pass doesn’t match. It has basically led to a huge disaster for both users and the Lumi company. 

A lot of users may lose significant or even huge amounts of money and they will definitely blame Lumi for it. 

So, we were not ready to accept it and transferred the apps back to the old account to release new updates, meanwhile we started to beat off Apple Support thresholds looking for help. 

We had two scenarios in mind that could help:

1. Change the legal entity on the old account or
2. Change the Team ID on the new account.

The first obviously seems more realistic as far as it can be done almost manually, while the Team ID is a part of the dev system and its change might lead to unpredictable consequences (frankly - no idea, maybe it is easier). 

The first support manager gave me the already-known answer, so they just cited their documentation: “A one-time loss in keychain data will occur if you switch your App ID prefix”, he was even highlighting that it will only one-time, pretending that “once” is not that bad...

I repeated clearly that we needed to find a solution, so the call was transferred to Senior Support manager Samantha.

Let me summarize the discussion: 

• Hello, my name is Samantha, I am fully aware of your problem, but we cannot change your organizational name. 
• Sorry, we do not want to change the organizational name, we want to change the whole legal entity inside the account.
• You cannot change it, because you already have a new account with a Cyprus entity registered.
• We were advised to do so and we did not know that it would lead to keychain access loss. Let’s delete the new account and change the entity in the old one. 
• No, you cannot delete accounts in the apple developer program. The only option is to transfer the app to the new account. 
• Do you understand how harmful that is for our business?
• Let me take your question internally and I will call you back as soon as possible.

.... 

Waited for two more weeks with no update.

....

Now we are preparing to inform our users that they will be logged out and are trying to aggressively insist on writing down their private keys to restore access later. 

BTW this is a disaster for Lumi‘s reputation! 

Crypto adoption is one of the most difficult things for a product creator, it is so hard to create a trustful product, to explain how extremely important it is to backup crypto private keys (keep an additional copy of it) in order not to lose access to funds, and here we are, facing the AppStore leaving users without access to their private keys with no attempt to help! 

There might be some commentators who would suggest something like:

• Never release new updates or,
• Don’t change the legal entity or,
• Being logged out once is not that bad as it is only once,

But let’s please keep these great ideas out of this discussion.

To sum up, I, Diana, CEO of Lumi Wallet, am writing this article to draw the attention of Apple Support to solve this quite trivial issue. I totally understand that most support managers don’t have much authority and follow strict guidelines, but when they face a case that they are not capable of solving, they must send it up to higher management and not to harm businesses that work hard to come up with the best solutions on the market, that are distributed through their store. 

If we proceed with no answer from Apple, we will definitely deal with hundreds or even thousands of users that will lose their crypto. Unfortunately, we have no responsibility over that, as we have zero control over users’ private keys, but Apple will definitely hold part of the blame. 

That is not the first case showing that Apple does not care about crypto business interests. Why are Lumi, Trust, and Coinbase confined to adding dApp browsers inside their applications, but Metamask is fully allowed to provide access to even dices and casinos? 

What now? 

• We are planning to transfer the app if there is no answer from Apple by October 30. 
• We will “aggressively” notify users to backup their wallets. 
• We hope that users will be safe.
• We still believe that Apple is a tech company that is capable of solving such a problem instead of throwing us from one Support manager to another without an answer.

(Disclaimer: The author is the CEO at Lumi Wallet)