Enterprise certificates still being abused to spy on iPhone users

Posted:
in iOS edited April 2019
Apple's Enterprise Certificate program continues to be abused for unauthorized purposes with the discovery of a disguised spyware app that has the capability to acquire a considerable amount of data from a user's iPhone, one that may have been created by a government surveillance app developer.

Screenshots of the disguised spyware (via TechCrunch)
Screenshots of the disguised spyware (via TechCrunch)


Apple's program enables enterprise customers to create and distribute apps within an organization without being subjected to the App Store's content guidelines. The system allows for apps with far greater access to data within iOS than normal consumer versions, but the rules for the program means it cannot be used outside of an organization.

Despite it being against the rules, this hasn't stopped unscrupulous organizations from taking advantage of the Enterprise Certificate system to distribute apps that don't have to abide by the consumer-protecting App Store guidelines.

Mobile security outfit Lookout advised to TechCrunch a spy app was discovered pretending to be a carrier assistance app for mobile networks in Italy and Turkmenistan. Once installed, the app us capable of quietly acquiring contacts stored on an iPhone, as well as audio recordings, photos and video, real-time location data, and can even be used to listen in to conversations.

It is believed to have been developed by Connexxa, the creators of a similar Android app named Exodus that has been used by Italian authorities for surveillance purposes. The Android version had more reach than the latest iOS discovery, via the use of an exploit to gain root access.

Both the iOS and Android apps used the same backend, indicating the two are linked. The use of certificate pinning and other techniques to disguise its network traffic is thought to be a sign that the app was created by a professional group.

Once Apple was informed of the app's unauthorized activity by the researchers, Apple revoked the app's certificate, preventing it from functioning. It is unknown how many iOS users were affected by the attack.

The misuse of Apple's Enterprise Certificates program has become an issue for the company since the start of 2019. Early stories focused on how Google and Facebook were providing end users with Enterprise Certificate-equipped apps that monitored their usage habits, a situation that led to Apple revoking the certificates and, in Facebook's case, causing internal issues.

In February, it was discovered developers were also abusing the program to offer apps that would normally be banned from the App Store, including porn and gambling apps. Many were found to have acquired the certificates using another firm's details, allowing them to work around limitations to the number of users allowed under a certificate.

It was also found some developers were distributing hacked versions of popular apps, with users capable of streaming music without paying subscription fees, blocking advertisements, and bypassing in-app purchases. It also meant the developers of the legitimate versions of the apps were missing out on revenue, along with Apple failing to receive its usual 15 or 30 percent cut of all App Store Purchases.

Comments

  • Reply 1 of 12
    Dead_PoolDead_Pool Posts: 129member
    Oopsie
  • Reply 2 of 12
    chasmchasm Posts: 3,613member
    Unlike this report, other larger outlets resorted to far more hysterical headlines to make this seem a lot more serious for iOS users than it was. The bottom line on this is that -- while developer abuse of certificates is definitely a problem that Apple's going to have to find a better way to address -- due to some of the in-built protections in iOS, this was far less of an issue on iOS than it was on Android, where the app was able to capture pretty much anything it wanted.

    In the iOS version, users had to give permission for each of the areas where it wanted to gather data, for example, which might raise suspicions ("why does my carrier need permission to access my voice memos or contacts?"). The Android version installed a rootkit, meaning it had full access to everything.

    In addition, the iOS version of the app was not distributed in the App Store, even in Italy and Turkemenistan (where the app pretended to be the official app of one of the local carriers), The iOS version was given out only to people willing to "side-load" a dev-only app; the Android version was distributed in the Play Store and other outlets for anyone to download.

    Finally, Apple's revoking of the certificate means the app can no longer run at all, even if users granted permissions. The Android version was kicked off the Play Store, but the installed versions are still happily ticking along, having used the rootkit to gain full access.
    edited April 2019 fotoformattjwolfdysamoriajbdragonapres587cornchipwatto_cobrajony0
  • Reply 3 of 12
    Not sure what Apple can do. If companies have the right credentials to obtain an enterprise certificate, then what can Apple do to stop them? Other than revoking them when discovered (as they do now).

    If Apple makes it much more expensive (or difficult) to get an enterprise certificate then they’ll be criticized for making it “too hard”.
    watto_cobra
  • Reply 4 of 12
    mac_dogmac_dog Posts: 1,083member
    Not sure what Apple can do. If companies have the right credentials to obtain an enterprise certificate, then what can Apple do to stop them? Other than revoking them when discovered (as they do now).

    If Apple makes it much more expensive (or difficult) to get an enterprise certificate then they’ll be criticized for making it “too hard”.
    Too fucking bad. I say revoke their certification altogether. Non of this “slap of the wrist” bullshit. This is where Steve Jobs would have lost it. 
    edited April 2019 The_Martini_Catjbdragoncornchipwatto_cobra
  • Reply 5 of 12
    22july201322july2013 Posts: 3,735member
    chasm said:
    Unlike this report, other larger outlets resorted to far more hysterical headlines to make this seem a lot more serious for iOS users than it was. The bottom line on this is that -- while developer abuse of certificates is definitely a problem that Apple's going to have to find a better way to address -- due to some of the in-built protections in iOS, this was far less of an issue on iOS than it was on Android, where the app was able to capture pretty much anything it wanted.

    In the iOS version, users had to give permission for each of the areas where it wanted to gather data, for example, which might raise suspicions ("why does my carrier need permission to access my voice memos or contacts?"). The Android version installed a rootkit, meaning it had full access to everything.

    In addition, the iOS version of the app was not distributed in the App Store, even in Italy and Turkemenistan (where the app pretended to be the official app of one of the local carriers), The iOS version was given out only to people willing to "side-load" a dev-only app; the Android version was distributed in the Play Store and other outlets for anyone to download.

    Finally, Apple's revoking of the certificate means the app can no longer run at all, even if users granted permissions. The Android version was kicked off the Play Store, but the installed versions are still happily ticking along, having used the rootkit to gain full access.
    Wow, that was an informative post. Better than most articles on AppleInsider. DED better watch his back.
    jbdragoncornchipwatto_cobra
  • Reply 6 of 12
    mac_dog said:
    Not sure what Apple can do. If companies have the right credentials to obtain an enterprise certificate, then what can Apple do to stop them? Other than revoking them when discovered (as they do now).

    If Apple makes it much more expensive (or difficult) to get an enterprise certificate then they’ll be criticized for making it “too hard”.
    Too fucking bad. I say revoke their certification altogether. Non of this “slap of the wrist” bullshit. This is where Steve Jobs would have lost it. 

    Uh, Apple does revoke their certificate. Then those people create a new fake company and apply for another one. Rinse and repeat. Not much Apple can do besides their current practice of revoking a certificate once they discover it. Not without making things tougher on the legitimate developers.


    supadav03dysamoriacornchipwatto_cobra
  • Reply 7 of 12
    sflocalsflocal Posts: 6,136member
    mac_dog said:
    Not sure what Apple can do. If companies have the right credentials to obtain an enterprise certificate, then what can Apple do to stop them? Other than revoking them when discovered (as they do now).

    If Apple makes it much more expensive (or difficult) to get an enterprise certificate then they’ll be criticized for making it “too hard”.
    Too fucking bad. I say revoke their certification altogether. Non of this “slap of the wrist” bullshit. This is where Steve Jobs would have lost it. 

    Uh, Apple does revoke their certificate. Then those people create a new fake company and apply for another one. Rinse and repeat. Not much Apple can do besides their current practice of revoking a certificate once they discover it. Not without making things tougher on the legitimate developers.


    Yeah... there needs to be more stringent requirements in keeping whatever certificates the develop has.  Perhaps someone like a requirement to renew every quarter, and going through some checks-and-balances to verify the app is not during something nefarious. 

    This just goes to show the popularity of iOS that devs are willing to go through all that work to qualify for certificates to abuse.  
    cornchipwatto_cobra
  • Reply 8 of 12
    supadav03supadav03 Posts: 504member
    Aaahh. So this is why all the emulators stopped working a few days ago and continue to go down as quickly as they are put back up. Welp...guess no more PlayStation or GBA games on my iPhone.
  • Reply 9 of 12
    sflocal said:
    mac_dog said:
    Not sure what Apple can do. If companies have the right credentials to obtain an enterprise certificate, then what can Apple do to stop them? Other than revoking them when discovered (as they do now).

    If Apple makes it much more expensive (or difficult) to get an enterprise certificate then they’ll be criticized for making it “too hard”.
    Too fucking bad. I say revoke their certification altogether. Non of this “slap of the wrist” bullshit. This is where Steve Jobs would have lost it. 

    Uh, Apple does revoke their certificate. Then those people create a new fake company and apply for another one. Rinse and repeat. Not much Apple can do besides their current practice of revoking a certificate once they discover it. Not without making things tougher on the legitimate developers.


    Yeah... there needs to be more stringent requirements in keeping whatever certificates the develop has.  Perhaps someone like a requirement to renew every quarter, and going through some checks-and-balances to verify the app is not during something nefarious. 

    This just goes to show the popularity of iOS that devs are willing to go through all that work to qualify for certificates to abuse.  

    You have to be a legal entity (basically a corporation) for starters. You also need a DUNS (Dun & Bradstreet) number, a website attached to your company (this would be the easiest to fake) and the person applying needs to have legal authority to act on behalf of the company.

    When you think about it, this is all you need to open a bank account. And once that bank account is open you could launder money through it or so many illegal things. Yet the bank still accepted your credentials to grant you that account in the first place.

    It’s not like Apple just hands these out to anyone who asks.


    Verifying the App is the tricky one. Who’s going to verify it? Apple? So now Apple has to start checking on Apps that aren’t even being delivered through The App Store? Who will pay for this service? Most likely the developer, as an added fee on top of the yearly $299 enterprise developer fee.

    About the only thing I could think of is requiring smaller companies to have someone “sign off” on an agreement that if they abuse their certificate they can be liable for a hefty fine/penalty. Though I imagine people are using fake IDs to set up these shell companies so you’d never be able to enforce/collect any fine. Perhaps a bond of $10K (or more) to be paid up front that you forfeit if you abuse your certificate. Then we’ll see smaller companies complaining about the high cost of entry to start developing enterprise Apps.

    I just don’t see an easy way to stop criminals from abusing certificates without unduly affecting honest users.
    cornchipwatto_cobra
  • Reply 10 of 12
    Johan42Johan42 Posts: 163member
    supadav03 said:
    Aaahh. So this is why all the emulators stopped working a few days ago and continue to go down as quickly as they are put back up. Welp...guess no more PlayStation or GBA games on my iPhone.
    Yeah, man. It’s like buying a computer and being told what you can or can’t install in it. Quite hilarious to see people get mad when they see others go through such lengths to do as they please with their devices.
  • Reply 11 of 12
    gatorguygatorguy Posts: 24,651member
    chasm said:


    Finally, Apple's revoking of the certificate means the app can no longer run at all, even if users granted permissions. The Android version was kicked off the Play Store, but the installed versions are still happily ticking along, having used the rootkit to gain full access.
    Yup, this was one of those sneaky apps that morphed after the user had installed it, tho recent versions of Android would have required the user to approve each of the permissions, quite similar to iOS. Estimates of "infections" from the threat assessment blogs range from a couple hundred to perhaps as many as a thousand people, all of them in Italy. FWIW Google's Play Protect is preventing any further spying from the Exodus exploit as it's being called. 
    muthuk_vanalingam
  • Reply 12 of 12
    dysamoriadysamoria Posts: 3,430member
    sflocal said:
    mac_dog said:
    Not sure what Apple can do. If companies have the right credentials to obtain an enterprise certificate, then what can Apple do to stop them? Other than revoking them when discovered (as they do now).

    If Apple makes it much more expensive (or difficult) to get an enterprise certificate then they’ll be criticized for making it “too hard”.
    Too fucking bad. I say revoke their certification altogether. Non of this “slap of the wrist” bullshit. This is where Steve Jobs would have lost it. 

    Uh, Apple does revoke their certificate. Then those people create a new fake company and apply for another one. Rinse and repeat. Not much Apple can do besides their current practice of revoking a certificate once they discover it. Not without making things tougher on the legitimate developers.


    Yeah... there needs to be more stringent requirements in keeping whatever certificates the develop has.  Perhaps someone like a requirement to renew every quarter, and going through some checks-and-balances to verify the app is not during something nefarious. 

    This just goes to show the popularity of iOS that devs are willing to go through all that work to qualify for certificates to abuse.  

    You have to be a legal entity (basically a corporation) for starters. You also need a DUNS (Dun & Bradstreet) number, a website attached to your company (this would be the easiest to fake) and the person applying needs to have legal authority to act on behalf of the company.

    When you think about it, this is all you need to open a bank account. And once that bank account is open you could launder money through it or so many illegal things. Yet the bank still accepted your credentials to grant you that account in the first place.

    It’s not like Apple just hands these out to anyone who asks.


    Verifying the App is the tricky one. Who’s going to verify it? Apple? So now Apple has to start checking on Apps that aren’t even being delivered through The App Store? Who will pay for this service? Most likely the developer, as an added fee on top of the yearly $299 enterprise developer fee.

    About the only thing I could think of is requiring smaller companies to have someone “sign off” on an agreement that if they abuse their certificate they can be liable for a hefty fine/penalty. Though I imagine people are using fake IDs to set up these shell companies so you’d never be able to enforce/collect any fine. Perhaps a bond of $10K (or more) to be paid up front that you forfeit if you abuse your certificate. Then we’ll see smaller companies complaining about the high cost of entry to start developing enterprise Apps.

    I just don’t see an easy way to stop criminals from abusing certificates without unduly affecting honest users.
    How about enforcing a real, verifiable identity be used for a legally-liable person at a company signing up?
    watto_cobra
Sign In or Register to comment.