
MacRumors

macrumors bot
Original poster
Apr 12, 2001



Misuse of Apple's enterprise developer program certificates continues to make news, with a new report from Reuters outlining how software pirates have been using the program to distribute hacked versions of popular apps like Minecraft, Pokemon Go, Spotify, Angry Birds, and more.

Using so-called enterprise developer certificates, these pirate operations are providing modified versions of popular apps to consumers, enabling them to stream music without ads and to circumvent fees and rules in games, depriving Apple and legitimate app makers of revenue.
The software pirates in turn make money by charging some users annual subscription fees for "VIP" versions of their hacked apps that are "more stable than the free versions."

After being alerted by Reuters to these developer accounts being used to distribute hacked apps, Apple removed a number of them, but more have since sprung up to take their place.

Revelations regarding abuse of Apple's enterprise developer program surfaced late last month, led by word that Facebook and Google were using the program to distribute market research apps to users that were capable of tracking all of their online activity in exchange for rewards.

Apple briefly revoked enterprise certificates for both companies, which had the side effect of temporarily disabling Facebook's and Google's internal apps including custom testing versions of their own public apps as well as private internal apps for corporate use such as transportation and food.

And just yesterday, additional abuse of Apple's enterprise program came to light in the form of apps featuring adult content and gambling that cannot be distributed through the traditional App Store due to Apple's rules prohibiting or limiting those types of content.

Apple today announced that as of February 27, all developer accounts will require two-factor authentication to be turned on, a move that will help secure these accounts and limit their ability to be traded or sold amongst those seeking to skirt Apple's rules.

Article Link: Apple's Enterprise Developer Program Also Being Used to Distribute Hacked Apps
 
People have been sideloading apps through this method for years. Apple is well aware of this. The fact that they are doing a massive crackdown now is probably because their revenue is increasingly dependent on the "services" category.

Perhaps Tim can quit exerting so much control over what I want on my phone. Why can't I have torrent clients? Why can't I set custom DNS?
 
Not surprising news about these enterprise certificates. Not the first time that I recall that they have made news for going against some TOS.
People have been sideloading apps through this method for years. Apple is well aware of this. The fact that they are doing a massive crackdown now is probably because their revenue is increasingly dependent on the "services" category.
So Apple cracking down is because of loss of revenue rather than adhering to a TOS. Interesting spin on that.
 
Not surprising news about these enterprise certificates. Not the first time that I recall that they have made news for going against some TOS.
So Apple cracking down is because of loss of revenue rather than adhering to a TOS. Interesting spin on that.
Apple has been revoking these certificates on a continuous basis throughout these years, it wasn't until recently that they issued massive ban waves. Perhaps you should read my full comment before embarrassing yourself. And yes, I am allowed to speculate.
 
In other words, Apple wants to close loopholes to bypass Apple App Store and services to guarantee their 30% cut even for legit apps like Kodi. This is equivalent to if Google was to reverse their current policy by removing legit apps like Kodi from Google Play Store then disabling side loading of apps.
 
Next: The hired consumer - or - how
Apple’s app store policies lead to the development of new business models

Thousands of interns at an app security testing company...

Senior Consumer of Porn as a job title (Senior Consumptionist?). Looks great on any business card. Head of Consumption, Nudition specialist...

Ah, the possibilities.

Customer -> Product -> Workforce, seems like a natural progression

The negative salary might look strange at first, but...

What do you mean? Android?
 
In other words, Apple wants to close loopholes to bypass Apple App Store and services to guarantee their 30% cut even for legit apps like Kodi. This is equivalent to if Google was to reverse their current policy by removing legit apps like Kodi from Google Play Store then disabling side loading of apps.
Apple never allowed this sort of abuse. It was done nonetheless. Go use Android if you want to install your favorite malware.
 
In other words, Apple wants to close loopholes to bypass Apple App Store and services to guarantee their 30% cut even for legit apps like Kodi. This is equivalent to if Google was to reverse their current policy by removing legit apps like Kodi from Google Play Store then disabling side loading of apps.
This isn't a loophole. It's people violating the developer agreement they entered into.
 
If I recall correctly, there have been numerous instances in the past where developers were caught violating the enterprise certificate TOS, and said developers' certificates were summarily revoked. My guess is that these stories are now making headlines specifically because of the recent FB and Google fiasco, and thus suddenly people are digging more into how the enterprise certificates work.

To those who think Apple is cracking down more because they only want people to go to the App Store, or because they want more revenue from services, etc.: you obviously haven't been paying too much attention to Apple since, well, forever. Apple has NEVER allowed public apps outside the App Store; such a concept was probably never even a glimmer in Jobs' or Cook's eye. You can argue all you want about Apple taking too big a cut (30% is arguably too much), or the pitfalls of Apple's walled garden, or your frustrations with it, etc. The bottom line is Apple has always revoked enterprise certificates when they've been misused, and Apple will ALWAYS require developers to release their apps on the App Store.

The fact that we're hearing more about this is, like I said above, probably because of the FB and Google fiasco. In addition, other developers may be abusing the enterprise certificates more because jailbreaking is no longer a viable option - so if you want to provide an App that does things against the App Store TOS, the only way to do so without a jailbreak is by abusing the enterprise certificate.

Finally, I have a pretty strong feeling Apple will be making some sweeping changes to the certificate program to prevent these types of abuses moving forward.
So apple is depending on honest devs to keep iOS users safe. Lol.

Really? That's your takeaway from this?

Apple doesn't allow public apps outside of the App Store; the App Store is the first, best line of defense against malicious apps and malware. Apple provides the developer program and enterprise certificate specifically for companies to create apps for internal use only, whether for testing purposes or for intra-organization purposes where distributing via the App Store would be cumbersome. Apple can't stop devs from violating the TOS before they actually violate them, but they can respond immediately once a violation comes to light.

Quite honestly, Apple can only protect its users so much. If a user chooses to install an enterprise certificate and get an app that way, that's on the user, not Apple.
 
I didn't read the linked article, but how are developer certificates used to share applications with general users who aren't in the developer program?

And does the article really imply that people are not paying the devs via the app store, but paying some random dude for apps? And angry birds and spotify? Do these "pirated" apps bypass IAPs and subscription charges somehow?
 
They always revoke these apps every week, but you can block the revokes with a VPN-based adblocker like AdGuard. I admit I use Cercube 4, which gives us no ads in YouTube (thank god), and the hacked Spotify to give me unlimited skips and Extreme audio (Spotify is now banning people who use hacked apps, but just create another account). Apple will always revoke these apps without refund, and the people distributing them would need to pay for another enterprise license, which is a couple hundred dollars every time. Always remember it's the user that chooses to download these enterprise certificates and not Apple. Also, app revenue was like $40 billion+ last year, and Apple will never allow these hacked apps in the App Store.
 
I didn't read the linked article, but how are developer certificates used to share applications with general users who aren't in the developer program?

They aren't developer certificates. They are Enterprise Distribution Certificates.

They are meant for companies to distribute apps for internal use through their own "app store".

Such apps are not vetted by Apple. They aren't distributed in the App Store.

They share them the same way that companies with internal apps share them within their companies. The devices have to be "enrolled" to the specific Enterprise program.

And does the article really imply that people are not paying the devs via the app store, but paying some random dude for apps? And angry birds and spotify? Do these "pirated" apps bypass IAPs and subscription charges somehow?

Yes. They are not paying the devs. They are paying some random dude for hacked apps.

It's unclear how some random dude gets the app in the first place. There may be a technical means to re-sign the .ipa. But in normal Enterprise distribution, there is re-signing, but it has to be done from a DEVELOPER build, not a DISTRIBUTION build. (I think; I'm going on a vague memory of a project I worked on a couple years ago, and I did not deal with the Enterprise distribution of the app. I just did the development; some IT people at the company dealt with the distribution. They have a number of internal apps, and a team that deals with the IT.)

The random dude may be getting the source code from sloppy developers. The random dude may be buying the source code from some hacker that got it from sloppy developers. The random dude might have gotten necessary certificates from an Apple developer account of a sloppy developer. Any or all of the above. Bottom line is, some random dude has STOLEN some developer's work, and is selling it outside of the app store.

The reason they have to do it outside of the App Store is because Apple won't allow a duplicate app to be sold in the App Store. If you steal the code for Angry Birds and call it My Angry Birds, or even Evil Bluejays, Apple is going to catch you and not allow it in the App Store.

So, now we can put two and two together and see why Apple is forcing developers to use two-factor authentication to login to the developer portal now.

Hey, AT LEAST Apple was checking for duplicate, pirated apps! Google did a HUGE purge a while back, of duplicate, pirated apps - that were being sold in the Play Store!

Smart devs protect their apps in every way possible. Including encrypting everything you can get your hands on. Think your image files are unimportant? Think again. How much did you spend creating them? Apps are easily dissected if not carefully protected. Even if they don't get your code, if they get image files and database content, for example, they might have enough to make enough of a fake app (that doesn't really work, but LOOKS like yours) to scam people out of their money.
 
So apple is depending on honest devs to keep iOS users safe. Lol.

Only install software from the App Store instead of from dodgy torrents, and you’ll be more or less fine.
I didn't read the linked article, but how are developer certificates used to share applications with general users who aren't in the developer program?

And does the article really imply that people are not paying the devs via the app store, but paying some random dude for apps? And angry birds and spotify? Do these "pirated" apps bypass IAPs and subscription charges somehow?

Developers can sign apps with enterprise certificates obtained in accordance with an enterprise agreement with Apple, and then are authorized to distribute them to employees of the company they work for. It’s intended for things like in-house apps and customized software. But once they are signed, there’s nothing technically stopping them from being distributed to non-employees (other than the fact that they are violating the agreement with Apple).

See: https://developer.apple.com/programs/enterprise/

If someone hacks an App Store app to enable features that would ordinarily be blocked by subscription fees, and signs the hacked app with an enterprise certificate, you get what this article is talking about.
 
Perhaps Tim can quit exerting so much control over what I want on my phone. Why can't I have torrent clients? Why can't I set custom DNS?

Bingo. The only one who gets it. You've paid for the device, but Apple takes away your freedom to do whatever you wish with it. Imagine buying a Mac but Apple doesn't allow you to run emulators, Kodi, torrent clients, etc. Perhaps that's why they want to replace Macs with iPads: to limit what you can do without going through their app store and services. Piracy is just a guise to take away your freedom and force upon you a fascist authoritarian rule ecosystem.
 
They share them the same way that companies with internal apps share them within their companies. The devices have to be "enrolled" to the specific Enterprise program.
You don't need to enrol a phone; theoretically anyone can install an enterprise-signed app on any phone. I've tested this myself: I can install our in-house apps on my personal phone and nothing stops it.

Edit: It seems from the replies that there is some confusion around terminology. All of our corporate-owned phones are "enrolled" somehow (I'm not sure of the specifics around this, but I believe that the serial numbers are entered somewhere). I'd assumed that you were talking about the same thing; my point was just that the phone doesn't need to be pre-approved to run an enterprise app.
 
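The two replies above explain the mechanism in words: an app signed under an enterprise agreement installs on any iPhone, no enrolment needed, because of what is in the provisioning profile the signer embeds in the app. As an added example (not code from this thread, from Apple, or from any tool named here), the Python below pulls embedded.mobileprovision out of an .ipa and says which distribution method the profile permits, so an admin or analyst can tell an enterprise-signed build from an ad hoc, development or App Store one and see which team signed it. It assumes the usual IPA layout Payload/<App>.app/embedded.mobileprovision and the standard profile keys (ProvisionsAllDevices, ProvisionedDevices, Entitlements, ExpirationDate, TeamName, TeamIdentifier, DeveloperCertificates); the sample profiles and the junk bytes standing in for the CMS envelope are constructed, not taken from any real app.

```python
"""Profile triage for an iOS .ipa: which distribution method did the signer use?
Added example for this thread, not Apple or MacRumors code. Assumes the usual IPA
layout Payload/<App>.app/embedded.mobileprovision and the standard profile keys
(ProvisionsAllDevices, ProvisionedDevices, Entitlements, ExpirationDate, TeamName,
TeamIdentifier, DeveloperCertificates). All sample data below is constructed."""
import io
import plistlib
import zipfile
from datetime import datetime, timezone
from typing import Optional

PROFILE_FILE = "embedded.mobileprovision"


def extract_profile(ipa_bytes: bytes) -> dict:
    """Pull the profile plist out of an IPA held in memory. A .mobileprovision is a
    CMS (PKCS#7) SignedData blob wrapping an XML plist; we slice the plist out by
    its '<?xml' / '</plist>' markers and do NOT verify the CMS signature (on macOS,
    `security cms -D -i FILE` decodes the same blob with the signature checked)."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        names = [n for n in z.namelist()
                 if n.startswith("Payload/") and n.endswith(".app/" + PROFILE_FILE)]
        if not names:  # App Store deliveries normally carry no embedded profile
            raise ValueError("no Payload/*.app/" + PROFILE_FILE)
        blob = z.read(names[0])
    start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("profile does not wrap an XML plist")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def classify_profile(p: dict, now: Optional[datetime] = None) -> dict:
    """Map profile keys to the distribution method the profile permits."""
    ent = p.get("Entitlements", {})
    devices = p.get("ProvisionedDevices")
    if p.get("ProvisionsAllDevices"):
        kind = "enterprise"  # in-house: any device, no UDID list, no enrollment
    elif devices is not None:
        kind = "development" if ent.get("get-task-allow") else "ad-hoc"
    else:
        kind = "app-store"
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    expires = p.get("ExpirationDate")  # plistlib returns naive UTC datetimes
    return {
        "kind": kind,
        "team_name": p.get("TeamName"),
        "team_id": (p.get("TeamIdentifier") or [None])[0],
        "app_id": ent.get("application-identifier"),
        "device_count": len(devices) if devices is not None else 0,
        "certificates": len(p.get("DeveloperCertificates", [])),
        "expires": expires,
        "expired": bool(expires and expires < now),
    }


def triage_ipa(ipa_bytes: bytes, now: Optional[datetime] = None) -> dict:
    return classify_profile(extract_profile(ipa_bytes), now)


# ---- constructed sample data: not a real profile, team, UDID or app ----------
def make_profile(**overrides) -> dict:
    base = {
        "Name": "Sample Profile",
        "TeamName": "Example Corp",
        "TeamIdentifier": ["ABCDE12345"],
        "ExpirationDate": datetime(2099, 1, 1),
        "DeveloperCertificates": [b"\x30\x82\x00\x08fake-der"],
        "Entitlements": {"application-identifier": "ABCDE12345.com.example.inhouse",
                         "get-task-allow": False},
    }
    base.update(overrides)
    return base


ENTERPRISE_PROFILE = make_profile(ProvisionsAllDevices=True)
ADHOC_PROFILE = make_profile(ProvisionedDevices=["udid-0001", "udid-0002"])
EXPIRED_PROFILE = make_profile(ProvisionsAllDevices=True, ExpirationDate=datetime(2018, 1, 1))


def build_sample_ipa(profile: dict) -> bytes:
    """Zip a minimal Payload/Sample.app/ whose profile sits inside junk bytes that
    stand in for the CMS envelope (constructed; not a valid signature)."""
    wrapped = b"\x30\x82\x0b\xad" + plistlib.dumps(profile) + b"\x00" * 16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Sample.app/" + PROFILE_FILE, wrapped)
    return buf.getvalue()


if __name__ == "__main__":
    for prof in (ENTERPRISE_PROFILE, ADHOC_PROFILE, EXPIRED_PROFILE):
        print(triage_ipa(build_sample_ipa(prof)))
```

Run it as-is to see the three constructed cases, or call triage_ipa(open(path, "rb").read()) on a real .ipa. The enterprise case is the interesting one: ProvisionsAllDevices is set and the device list is empty, which is exactly why the earlier poster could install an in-house build on a personal phone with no pre-approval. Two caveats: the script trusts the plist without checking the CMS signature, so use it for triage rather than as proof of who signed; and a profile that looks valid here may already be revoked, since the file itself says nothing about revocation status.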
Bingo. The only one who gets it. You've paid for the device but Apple take away your freedom to do whatever you wish with it. Imagine buying a Mac but Apple doesn't allow you to run emulators, Kodi, torrent clients, etc. Perhaps that's why they want to replace Macs with iPads to limit what you can do without going through their app store and services. Piracy is just a guise to take away your freedom and force upon a fascist authoritarian rule ecosystem.
Then leave the Apple ecosystem. Nobody is going to listen to what one insignificant person has to say about this.
 
This isn't a loophole. It's people violating the developer agreement they entered into.
Yes because bad people play by the rules. LOL
Apple doesn't allow public apps outside of the App Store; the App Store is the first, best line of defense against malicious apps and malware. Apple provides the developer program and enterprise certificate specifically for companies to create apps for internal use only, whether for testing purposes or for intra-organization purposes where distributing via the App Store would be cumbersome. Apple can't stop devs from violating the TOS before they actually violate them, but they can respond immediately once a violation comes to light.

Quite honestly, Apple can only protect its users so much. If a user chooses to install an enterprise certificate and get an app that way, that's on the user, not Apple.
Ya because there’s NEVER been any nefarious apps slip through the screeners and make it onto the App Store. LOL
 