Apple Enterprise Certificates leveraged to distribute hacked versions of popular apps

Posted in iOS, edited February 2019
A report Wednesday added to escalating controversy regarding Apple's Enterprise Certificate program, saying the tool is being used to distribute hacked versions of popular apps, effectively sidestepping stringent App Store guidelines.

As detailed by Reuters, app distributors like TutuApp, Panda Helper, AppValley and TweakBox are abusing developer certificates to disseminate modified, and therefore illicit, versions of legitimate apps for profit.

Depending on the app, users are able to stream music without paying subscription fees, block advertisements and bypass in-app purchases, the report said. The practice not only cheats app makers out of revenue, but also hurts Apple's bottom line as the company takes a 15 percent to 30 percent cut of all App Store purchases.

Examples of so-called hacked apps include TutuApp's Minecraft, which sells for $6.99 on the App Store, while AppValley offers a version of Spotify that lets users listen to the service's free tier without commercial interruptions. The number of altered apps in circulation is unknown, and Apple is unable to track dissemination in real time.

Like the recent kerfuffle involving data gathering apps from Facebook and Google, Apple's Enterprise Certificate program is at the crux of the issue.

The Developer Enterprise Program was designed to give companies an easy method of distributing software among employees without first passing through strict App Store oversight. Developer certificates are often used to issue working betas, internal personnel management apps and other software not developed for public consumption.
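The distinction the program rests on is visible in the provisioning profile each iOS app ships with: an in-house (enterprise) profile carries `ProvisionsAllDevices`, while App Store and ad hoc profiles do not. As an added example that is not part of the article or of any of the tools it mentions, this Python reads the XML plist inside an app's `embedded.mobileprovision` and classifies it, the check an MDM or app-inventory script would use to flag apps installed outside the App Store; the sample profile, its team ID and dates, and the filler bytes standing in for the CMS signature envelope are all constructed.

```python
import plistlib
from datetime import datetime, timezone

def wrap_profile(profile: dict) -> bytes:
    """Constructed stand-in for a real embedded.mobileprovision: the XML plist
    sits inside a CMS (PKCS#7) SignedData envelope; filler bytes play that role."""
    return b"\x30\x82\x0b\x00\x06\x09*\x86H\x86\xf7\r\x01\x07\x02" \
        + plistlib.dumps(profile) + b"\x00\x00<signature bytes>"

def extract_plist(blob: bytes) -> dict:
    """Slice the XML plist out of the signed envelope. Slicing on the markers is
    enough for classification; verify the CMS signature first if the file is
    untrusted (e.g. `security cms -D -i` on macOS or openssl smime -verify)."""
    start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist payload found in profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def classify_profile(blob: bytes, now: datetime = None) -> dict:
    """Distribution type plus the fields an inventory would record. ProvisionsAllDevices
    marks an in-house profile: installs on any device, no App Store review. Plist dates are naive UTC."""
    p = extract_plist(blob)
    ents = p.get("Entitlements", {})
    if p.get("ProvisionsAllDevices"):
        kind = "enterprise"
    elif "ProvisionedDevices" in p:        # profiles bound to a device list
        kind = "development" if ents.get("get-task-allow") else "adhoc"
    else:
        kind = "appstore"
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    exp = p.get("ExpirationDate")
    return {
        "kind": kind,
        "sideloaded": kind != "appstore",
        "team_id": (p.get("TeamIdentifier") or [None])[0],
        "team_name": p.get("TeamName"),
        "app_id": ents.get("application-identifier"),
        "expired": bool(exp and exp < now),
    }

# Constructed sample profile (team ID, names and dates are made up).
SAMPLE_ENTERPRISE = wrap_profile({
    "TeamName": "Example Corp",
    "TeamIdentifier": ["ABCDE12345"],
    "ProvisionsAllDevices": True,
    "ExpirationDate": datetime(2020, 2, 1),
    "Entitlements": {"application-identifier": "ABCDE12345.com.example.app", "get-task-allow": False},
})
```

Running `classify_profile` over the `embedded.mobileprovision` of every installed app bundle gives a list of team IDs that signed non-App-Store software on the device, which is the inventory a revocation or policy decision needs.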

Distributors like TutuApp and AppValley are violating Apple's terms of use by leveraging developer certificates to offer the modified app versions to iOS users.

Reuters contacted Apple about the issue last week, and the company subsequently killed a number of apps mentioned in the report by pulling the developer certificates that were used for their distribution. Within days, however, the same apps were back up for download under newly obtained certificates. Exactly how the illicit distributors are able to gain access to developer certificates is unknown, though some were found to have impersonated an unnamed subsidiary of China Mobile.

The Enterprise Developer Program has been a topic of hot discussion over the past month as consecutive investigations from TechCrunch revealed both Facebook and Google were using the certificates to run data gathering operations. In both cases, enterprise privileges were employed to sideload user-monitoring VPN apps on the iPhones of volunteers. In exchange for their participation, users were compensated with money and gift cards.

Apple revoked Facebook's certificate a day after the report went live, later pulling Google's certificate as well. Privileges were restored in both cases.

More recently, a report on Tuesday detailed a number of pornography and gambling apps that used enterprise certificates as a workaround to App Store scrutiny. At the time, Apple said it is monitoring the situation and will take action when necessary. An identical statement was issued to Reuters on Wednesday.

"Developers that abuse our enterprise certificates are in violation of the Apple Developer Enterprise Program Agreement and will have their certificates terminated, and if appropriate, they will be removed from our Developer Program completely. We are continuously evaluating the cases of misuse and are prepared to take immediate action."

Comments

  • Reply 1 of 9
    Note to self: determine if there’s a way to detect if your certificate is the one being used, and make the iOS application mangle data randomly if not!
  • Reply 2 of 9
    mac_dog Posts: 1,083 member
    No more consequences for bad behavior anywhere, it seems. 

    Apple should suspend their licenses for 5 years if their certificate rules are violated. 

    As it is, they only get a slap on the wrist and everything is back to normal. 
  • Reply 3 of 9
    davgreg Posts: 1,048 member
    No pun intended, who is minding the store, Mr Cook?

    First things first, and security should be at the top of the list. 
  • Reply 4 of 9
    davgreg said:
    No pun intended, who is minding the store, Mr Cook?

    First things first, and security should be at the top of the list. 
    It's relatively easy to abuse, that's why Apple puts some effort (it's not exhaustive) to verify the company. It used to be even easier to abuse - until a couple of years ago, Enterprise-signed apps would simply work when installed, now you need to delve into settings to approve them. Some people will find a way to abuse trust.
    edited February 2019
  • Reply 5 of 9
    larryjw Posts: 1,036 member
    Corruption is the modus operandi of American companies. 
  • Reply 6 of 9
    larryjw said:
    Corruption is the modus operandi of American companies. 
    uhm... what?
  • Reply 7 of 9
    From a parental control point of view I believe this is how websites like Tweakbox can be used to bypass Screen Time by enabling family members to download apps outside of the Appstore. I spoke to Apple about this and suggested that they place the installation of certificates and profiles (mobileconfig files) under parental control. The response wasn't very positive, I was told to block my children from using Safari, really not very useful. I have sent this suggestion as feedback but not hopeful. 
  • Reply 8 of 9
    gatorguy Posts: 24,651 member
    But AppValley is one of the best iOS alternative app stores for iPhone.
    Alternative app store? Hardly. It looks more like dodge and weave to avoid apps being blocked and/or unable to be updated. Pretty sketchy stuff IMHO. Stick to official sources. This isn't one. 

    EDIT: Evidence of the sketchiness and likely outright theft of developer property:
    https://twitter.com/AppValley_vip?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor

    Avoid like the plague 'cause it might well exist there buried in some app download. 
    edited June 2019