Apple diehards have long defended the company’s “walled garden” approach to its ecosystem. While there are plenty of malicious Android apps, Apple’s strict app review standards generally kept iPhones safe. But where there’s a will, there’s a way. According to a Reuters report, sneaky app makers are using Apple’s enterprise certificates to peddle hacked versions of popular apps like Angry Birds, Pokemon Go, Spotify, and Minecraft, among others.
Apple introduced its Developer Enterprise Program to help corporations distribute internal apps to their own employees. It lets a company bypass the App Store entirely: apps signed with an enterprise certificate install on any iPhone, without App Store review, and the program's terms are what limit that distribution to the company's own staff.
In this case, Reuters reports that some software distributors—TutuApp, Panda Helper, App Valley, and TweakBox are among those named—are using these certificates to distribute modified versions of apps outside the App Store to anyone who wants to download them. The hacked versions let users stream ad-free music and bypass in-app fees in certain games, which deprives both Apple and the original app makers of the revenue they would earn through official App Store downloads and purchases.
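For anyone who wants to tell whether an app on their device came in through this door, the tell is the provisioning profile bundled inside the app. Apps installed from the App Store carry no embedded.mobileprovision file at all; an app that does carry one with ProvisionsAllDevices set to true was signed under the Developer Enterprise Program. The script below is an added example, not code from Reuters, Apple, or any of the distributors named, that unzips an .ipa, pulls the plist out of the profile, and classifies it. The Example Corp profiles, the Demo.app bundle, and the reference date are constructed for the demonstration; the plist keys (ProvisionsAllDevices, ProvisionedDevices, ExpirationDate, TeamName, Entitlements) are the ones Apple's profiles actually use.

```python
"""Triage an iOS app's embedded provisioning profile (added example)."""
import datetime
import io
import plistlib
import zipfile
from typing import Optional, Union


def extract_profile_plist(blob: bytes) -> dict:
    """Return the plist dictionary inside a .mobileprovision file.

    A profile is a DER-encoded CMS SignedData blob signed by Apple whose
    content is an XML plist stored verbatim, so the plist can be located by
    its markers without an ASN.1 parser (on macOS, `security cms -D -i
    embedded.mobileprovision` yields the same payload). This reads the payload
    without verifying Apple's signature over it.
    """
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start < 0 or end < 0 or end < start:
        raise ValueError("no XML plist payload found in profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def profile_from_ipa(ipa: Union[str, bytes]) -> Optional[dict]:
    """Find Payload/<App>.app/embedded.mobileprovision in an .ipa (a zip file).

    Returns None when the app carries no profile, which is what an app
    installed from the App Store looks like.
    """
    source = io.BytesIO(ipa) if isinstance(ipa, bytes) else ipa
    with zipfile.ZipFile(source) as z:
        for name in z.namelist():
            parts = name.split("/")
            if (len(parts) == 3 and parts[0] == "Payload"
                    and parts[1].endswith(".app")
                    and parts[2] == "embedded.mobileprovision"):
                return extract_profile_plist(z.read(name))
    return None


def classify_profile(profile: Optional[dict], now: datetime.datetime) -> dict:
    """Classify the profile and flag the properties a reviewer should look at."""
    if profile is None:
        return {"kind": "app-store", "team": None, "app_id": None,
                "expires": None, "flags": []}
    ents = profile.get("Entitlements", {})
    if profile.get("ProvisionsAllDevices"):
        kind = "enterprise"  # Developer Enterprise Program: installs on any device
    elif "ProvisionedDevices" in profile:
        kind = "development" if ents.get("get-task-allow") else "ad-hoc"
    else:
        kind = "app-store-distribution"  # no device list, not enterprise
    flags = []
    expires = profile.get("ExpirationDate")
    if expires is not None and expires < now:
        flags.append("expired")
    app_id = ents.get("application-identifier", "")
    if app_id.endswith(".*"):
        flags.append("wildcard-app-id")  # one profile signs any bundle under the team
    if ents.get("get-task-allow"):
        flags.append("debuggable")
    return {"kind": kind, "team": profile.get("TeamName"), "app_id": app_id,
            "expires": expires, "flags": flags}


def make_fake_profile(fields: dict) -> bytes:
    """Constructed stand-in for a signed profile: plist wrapped in filler bytes."""
    return b"\x30\x82\x00\x00" + b"\x00" * 12 + plistlib.dumps(fields) + b"\xa0" * 8


def build_fake_ipa(profile: Optional[bytes]) -> bytes:
    """Constructed minimal .ipa: Payload/Demo.app with an optional profile."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Demo.app/Info.plist",
                   plistlib.dumps({"CFBundleIdentifier": "com.example.demo"}))
        if profile is not None:
            z.writestr("Payload/Demo.app/embedded.mobileprovision", profile)
    return buf.getvalue()


NOW = datetime.datetime(2019, 2, 15)  # constructed reference date

ENTERPRISE_SAMPLE = make_fake_profile({  # constructed: what a TutuApp-style build carries
    "Name": "Example Corp In-House", "TeamName": "Example Corp",
    "ProvisionsAllDevices": True, "ExpirationDate": datetime.datetime(2020, 2, 15),
    "Entitlements": {"application-identifier": "ABCDE12345.*", "get-task-allow": False},
})
ADHOC_SAMPLE = make_fake_profile({  # constructed: expired beta profile tied to one device
    "Name": "Example Beta", "TeamName": "Example Corp",
    "ProvisionedDevices": ["00008020-000000000000002E"],
    "ExpirationDate": datetime.datetime(2018, 12, 1),
    "Entitlements": {"application-identifier": "ABCDE12345.com.example.demo",
                     "get-task-allow": False},
})

if __name__ == "__main__":
    for label, ipa in (("enterprise", build_fake_ipa(ENTERPRISE_SAMPLE)),
                       ("ad-hoc", build_fake_ipa(ADHOC_SAMPLE)),
                       ("store", build_fake_ipa(None))):
        print(label, classify_profile(profile_from_ipa(ipa), NOW))
```

Point profile_from_ipa at a real .ipa and the "enterprise" verdict, together with a TeamName that is not the company whose app you think you installed, is the signature of the sideloaded builds the report describes. The wildcard-app-id flag matters for the same reason: one enterprise profile with a wildcard identifier can sign an unlimited catalogue of repackaged apps.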
News of the hacked apps comes amid a series of reports detailing high-profile abuse of Apple’s enterprise certificates by companies ranging from Google to spammy porn app developers.
Last month, Facebook and Google both briefly had certificates revoked for abusing the enterprise certificate program to solicit data from consumers in exchange for payment. Facebook had its access stripped once it was discovered it was peddling a sketchy “research” app that paid consumers, including teenagers, to monitor their phones. Likewise, Google suffered the same consequences for a similar app that paid users with gift cards in exchange for handing over personal data. The result was a clusterfuck as Facebook and Google employees lost their collective minds as internal apps went from functional to completely borked. To cap it off, TechCrunch also reported this week that the Enterprise Certificate program was used by gambling and porn sites to sneak past Apple’s ban on illicit apps.
All this points to Apple perhaps losing its grip on its tightly curated, family-friendly App Store. Part of the issue is its lax standards for admitting companies to the Enterprise Certificate program. According to this Calvium guide, the approval process involves simply filling out a form, paying Apple $300, providing a D-U-N-S business ID and an up-to-date Mac, and voilà. Once the paperwork is filed, applicants wait one to four weeks for Apple to get back to them. The only vetting Apple does is to ask two questions: “How do you intend to distribute your apps?” and “Do you have the authority to make this agreement on behalf of the business?”
So, while the application process is tedious, there’s virtually nothing stopping malicious actors from lying to Apple to peddle apps of dubious quality. Which means, unless Apple takes some serious steps to fix this loophole, iOS may not remain the safe and family-friendly bastion the company has worked to cultivate.
“Developers that abuse our enterprise certificates are in violation of the Apple Developer Enterprise Program Agreement and will have their certificates terminated, and if appropriate, they will be removed from our Developer Program completely,” Apple told Reuters in a statement. It also confirmed to Reuters that it would begin requiring two-factor authentication to log into all developer accounts by the end of this month. That is a good step against stolen developer credentials, but it does nothing about the actual problem here: a rogue app maker who legitimately registers an enterprise account can still abuse it, and once that certificate is revoked can simply set up another.
We’ve reached out to Apple for comment on how it plans to address recent abuses of its Enterprise Certificate System and will update this story if we hear back.