Another pirated app service uses Apple enterprise license to distribute stolen software
Word of a fairly well known pirated app service called vShare hit mainstream media outlets on Wednesday as part of a CNNMoney feature, which said the nefarious firm leverages Apple's own enterprise tools to distribute free versions of top paid iOS titles without requiring a jailbreak.
Thought to be run by Chinese owners located in Shanghai, the vShare App Market has officially been in operation since 2011 and is recognized in some jailbreaking circles as a go-to source for free apps. The service recently gained notoriety for compatibility with non-jailbroken iPhones and iPads running iOS 8 and above.
Like other recent pirated app services, vShare is built on Apple's enterprise licensing technology. Designed for corporations or other entities with large iOS device deployments, Apple Developer Enterprise certificates allow license holders to provision their own apps for internal distribution and download.
In the case of vShare, the service used purchased certificates to create a trusted app, available for download via the Web, that acts as its own illegitimate app store. Security researchers at Proofpoint told CNNMoney that vShare obtained four Apple Developer Enterprise certificates to accomplish the task. Proofpoint has informed Apple of its findings.
As of this writing, attempts to install the vShare app on devices running iOS 8 or iOS 9 proved unsuccessful, suggesting Apple has revoked one or all of vShare's provisioned certificates.
vShare's impact on legitimate app sales is unknown, but today's report notes popular titles like Minecraft: Pocket Edition and Geometry Dash have been "liked" by more than 1.4 million downloaders.
Interestingly, vShare's terms of use include a disclaimer regarding intellectual property rights, which notes the service will remove any app found to be in infringement of owned properties if provided with appropriate documentation. The terms also state, however, that vShare "assumes no responsibility for monitoring the Service."
Comments
How would a site get word out to potential customers to download Apps without word getting back to Apple about a certificate being abused?
True about third party stores.
But I don't believe anyone is actually using enterprise certificates to distribute malware. I think they are all just proofs of concept drummed up to make it appear Apple has a malware problem.
You have to register as an enterprise developer with Apple and this costs $299 per year. And you don't just sign up with a credit card and get approved. You have to verify you're an actual company (legal entity).
As soon as Apple discovers a certificate is being abused they revoke it (as evidenced by this article where it didn't work when they tried it). I'm not sure what Apple does internally, but you can bet they don't just revoke it and let it go. The company and/or people and/or IP addresses involved are probably blacklisted so they can't come back and get another certificate later on.
In short, this is nothing more than scare mongering/Apple bashing. There's little to no chance you'll ever come across a working enterprise certificate in the wild.
Here's one site still active FWIW
https://isigncloud.com/
Yes, malware and side loading are mainstream on Android. That's why they are seldom newsworthy unless the exploit is egregious, like the MMS one earlier. Or the exploit is persistent, able to survive even an OS reformat and reinstall.
For enterprise app loading, it is an official mechanism for companies to manage their apps. So you'll need to register your device with the company first.
A company can't just push their apps on you. You have to voluntarily yield your device control to that company by registering your device with them first.
Because of this, and the ease of revoking enterprise certs, such a channel is not so effective. The user has to reregister their devices every time the cert gets revoked. Most apps are free anyway, so there's little incentive to risk this.
There is another interesting mechanism to side load an iOS app. That's using Xcode, and only works on your personal registered device. Presumably you can load a game emulator this way if it's open source. But its main purpose is for prototyping and learning. IMHO, they should tie this mechanism with the recent Swift open source effort. Extend it to handle open source Swift apps, the added control and benefits will be even greater.
It's different. iSignCloud requires its users to voluntarily register their devices with the service; like an employee acknowledging his or her employer. After all, iSignCloud uses an enterprise cert to support their store. Apple or the company that owns the stolen cert can revoke the cert easily.
Your typical Android malware infiltrates devices covertly by exploiting the system actively. The users have zero say in whether they want their devices to be in this scheme or not. They get affected anyway.
I don't think you are telling the full story. We know for example in China, activists are actively being targeted by the government. The Chinese government certainly doesn't just sell ads to the activists.
Once the devices are rooted, no one can guarantee what the attackers will do. They can in fact take over the entire Android device. They will just milk the victims over and over. We already know for sure it's not just selling ads like Google. There are also ransomware, stealing passwords, corporate espionage, etc.
Undisclosed info collection is a problem after the user allows the app to access personal info. Not before. The violators will need to answer to Apple, a single entity in charge of the ecosystem. There is no 'somebody else's problem'.
That one is behind a paywall, and I'm not going to waste money (or risk handing out my credentials) just to find out it doesn't work.
I've tried numerous times to visit a malware or App site that uses Apple enterprise certificates and by the time I get there they don't work. The reason I want to try one out is because I want to grab screenshots of all the warning messages iOS 9 gives you to show people how many hoops you have to jump through before you can allow an App to install.
So perhaps you have some links to actual working sites that don't require me to pay money up front? Or perhaps you have proof that the site you listed ACTUALLY works?
The enterprise certs have probably been revoked by the time you tried. It is not difficult for Apple or the owning enterprise to do that.
As for the alleged download count for these resigned apps, they can be faked by the rogue company to hype the store too. It is also trivial for someone outside to drive that count up.
Realistically, if you want to download unauthorized software, why would you want to leave a trail behind? You need to register your device on the site. When the site is shut down by the authority, they will have your device ID. And from the telcos, they can track you down.
Pirates will just try to jailbreak their phone and keep their anonymity. Get their software from a more anonymized distribution.
Go google, you're so "good" at it... And god damn get the whole picture this time.
I'm praying for an ignore list so I can stop seeing your tripe once again
The easiest ignore is just don't read my posts and certainly don't invite me to reply as you just did unless you are waiting to read more.
I would have thought that some of the more recent Apple malware scare stories and the comments from members here would have made it clear that a proof-of-concept exploit does not automatically make one anything a common user would ever encounter or need to worry about. Android is little different. A temporary security hole doesn't equal an infection.
With that out of the way I also consider Apple's ecosystem more secure. Doesn't mean Android is insecure, just more insecure than iOS. They're both safe as long as users stay with the official stores.
You are mistaken. Apple malware stories apply to Apple malware. Android malware stories apply to Android malware. They may or may not apply to each other because the platform security mechanisms and philosophies are different.
No wonder you ignore malware threats on Android. You lumped everything together without thinking.
So yes, one of the easiest ignores is to just pretend malware are scare stories, not a real problem.
btw "Benign malware" is an oxymoron. They may appear benign to you. But it is an exploit, and it can evolve.
Logical fallacy. Like most viruses and malware, most people don't even know they have an infected device. We don't need to see "reports" or major news stories.
Take Win XP as an example. There were countless exploits over the years that infected millions. Yet they never made the news.
Bottom line: iOS is and always will be more secure than Android. This is an absolute that can't be argued against.