Apple's Enterprise Developer Program Also Being Used to Distribute Hacked Apps

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Feb 13, 2019.

  1. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1
    [​IMG]


    Misuse of Apple's enterprise developer program certificates continues to make news, with a new report from Reuters outlining how software pirates have been using the program to distribute hacked versions of popular apps like Minecraft, Pokemon Go, Spotify, Angry Birds, and more.

    [​IMG]
    The software pirates in turn make money by charging some users annual subscription fees for "VIP" versions of their hacked apps that are "more stable than the free versions."

    After being alerted by Reuters to these developer accounts being used to distribute hacked apps, Apple removed a number of them, but more have since sprung up to take their place.

    Revelations regarding abuse of Apple's enterprise developer program surfaced late last month, led by word that Facebook and Google were using the program to distribute market research apps to users that were capable of tracking all of their online activity in exchange for rewards.

    Apple briefly revoked enterprise certificates for both companies, which had the side effect of temporarily disabling Facebook's and Google's internal apps including custom testing versions of their own public apps as well as private internal apps for corporate use such as transportation and food.

    And just yesterday, additional abuse of Apple's enterprise program came to light in the form of apps featuring adult content and gambling that can not be distributed through the traditional App Store due to Apple's rules prohibiting or limiting those types of content.

    Apple today announced that as of February 27, all developer accounts will require two-factor authentication to be turned on, a move that will help secure these accounts and limit their ability to be traded or sold amongst those seeking to skirt Apple's rules.

    Article Link: Apple's Enterprise Developer Program Also Being Used to Distribute Hacked Apps
     
  2. cmaier macrumors G5

    Joined:
    Jul 25, 2007
    Location:
    California
    #2
    Apples going to have to change how these things are signed to add limits. (Numeric? Geographic?)
     
  3. gplusplus macrumors newbie

    gplusplus

    Joined:
    Mar 5, 2018
  4. alien3dx macrumors 6502a

    alien3dx

    Joined:
    Feb 12, 2017
    #4
    i'm not sure this is true either ...it not about piracy but distribution ipa ..
     
  5. Junipr macrumors regular

    Junipr

    Joined:
    May 4, 2011
    #5
    What year is this, 2010??
     
  6. Pepe4life macrumors regular

    Pepe4life

    Joined:
    Nov 15, 2018
    #6
    People have been sideloading apps through this method for years. Apple is well aware of this. The fact that they are doing a massive crackdown now is probably because their revenue is increasingly dependant on the "services" category.

    Perhaps Tim can quit exerting so much control over what I want on my phone. Why can't I have torrent clients? Why can't I set custom DNS?
     
  7. I7guy macrumors P6

    I7guy

    Joined:
    Nov 30, 2013
    Location:
    Gotta be in it to win it
    #7
    Not surprising news about these enterprise certificates. Not the first time that I recall that they have made news for going against some TOS.
    --- Post Merged, Feb 13, 2019 ---
    So Apple cracking down is because of loss of revenue rather than adhering to a TOS. Interesting spin on that.
     
  8. Pepe4life macrumors regular

    Pepe4life

    Joined:
    Nov 15, 2018
    #8
    Apple has been revoking these certificates on a continuous basis throughout these years, it wasn't until recently that they issued massive ban waves. Perhaps you should read my full comment before embarrassing yourself. And yes, I am allowed to speculate.
     
  9. mi7chy, Feb 13, 2019
    Last edited: Feb 13, 2019

    mi7chy macrumors 603

    mi7chy

    Joined:
    Oct 24, 2014
    #9
    In other words, Apple wants to close loopholes to bypass Apple App Store and services to guarantee their 30% cut even for legit apps like Kodi. This is equivalent to if Google was to reverse their current policy by removing legit apps like Kodi from Google Play Store then disabling side loading of apps.
     
  10. Scooz macrumors 6502

    Joined:
    Apr 9, 2012
    #10
    Next: The hired consumer - or - how
    Apple’s app store policies lead to the development of new business models

    Thousands of interns at an app security testing company...

    Senior Consumer of Porn as a job title (Senior Consumptionist?). Looks great on any business card. Head of Consumption, Nudition specialist...

    Ah, the possibilities.

    Customer -> Product -> Workforce, seems like a natural progression

    The negative salary might look strange at first, but...

    What do you mean? Android?
     
  11. scrapesleon macrumors 6502a

    scrapesleon

    Joined:
    Mar 30, 2017
    Location:
    Jamaica
  12. racerhomie macrumors regular

    racerhomie

    Joined:
    Aug 14, 2015
    #12
    Apple never allowed this sort of abuse. It was done nonetheless. Go use android , if you want to install your favorite malware.
     
  13. cmaier macrumors G5

    Joined:
    Jul 25, 2007
    Location:
    California
    #13
    THis isn’t a loophole. It’s people violating the developer agreement they entered into.
     
  14. macfacts macrumors 68030

    macfacts

    Joined:
    Oct 7, 2012
    Location:
    Cybertron
    #14
    So apple is depending on honest devs to keep iOS users safe. Lol.
     
  15. noraa macrumors regular

    Joined:
    Jun 23, 2003
    #15
    If I recall correctly, there have been numerous instances in the past were developers were caught violating the enterprise certificates TOS - and said developers certificates were summarily revoked. My guess is that these stories are now making headlines specifically because of the recent FB and Google fiasco; and thus suddenly people are digging more into how the enterprise certificates work.

    To those who think Apple is cracking down more because they only want people to go the App Store, or because they want more revenue from services, etc. you obviously haven't been paying too much attention to Apple since, well, forever. Apple has NEVER allowed public Apps outside the App Store, such a concept was probably never even a glimmer in Jobs or Cooks eye. You can argue all you want about Apple to taking too big a cut (30% is arguably too much), or the pitfalls of Apple's walled garden, or your frustrations with it, etc. The bottom line is Apple has always revoked enterprise certificates when they've been misused, and Apple will ALWAYS require developers to release their apps on the App Store.

    The fact that we're hearing more about this is, like I said above, probably because of the FB and Google fiasco. In addition, other developers may be abusing the enterprise certificates more because jailbreaking is no longer a viable option - so if you want to provide an App that does things against the App Store TOS, the only way to do so without a jailbreak is by abusing the enterprise certificate.

    Finally, I have a pretty strong feeling Apple will be making some sweeping changes to the certificate program to prevent these types of abuses moving forward.
    --- Post Merged, Feb 13, 2019 ---
    Really? That's your takeaway from this?

    Apple doesn't allow public Apps outside of the App Store - the App Store is the first, best, line of defense against malicious apps and malware. Apple provides the developer program and enterprise certificate specifically for companies to create app for internal use only - whether for testing purposes or for intra-organization purposes were distributing via the App Store would be cumbersome. Apple can't stop Devs from violating the TOS before they actually violate them...but they can respond immediately once a violation comes to light.

    Quite honestly, Apple can only protect it's user so much - if a user chooses to install an enterprise certificate and get an App that way, that's on the user, not Apple.
     
  16. himanshumodi macrumors 6502

    himanshumodi

    Joined:
    May 18, 2012
    Location:
    India
    #16
    I didn't read the linked article, but how are developer certificates used to share applications with general users who aren't in the developer program?

    And does the article really imply that people are not paying the devs via the app store, but paying some random dude for apps? And angry birds and spotify? Do these "pirated" apps bypass IAPs and subscription charges somehow?
     
  17. jtara macrumors 68000

    Joined:
    Mar 23, 2009
  18. albebaubles macrumors 6502

    albebaubles

    Joined:
    Feb 9, 2010
    Location:
    low Sierra
    #18
    Yes, my enterprise account was sent a 2-factor auth email today....
     
  19. Michvuee macrumors newbie

    Joined:
    Jan 31, 2019
    #19
    They always revoke these apps every week but you can block the revokes with a VPN based adblocker like AdGuard. I admit I use Cercube 4 which give us no ads in Youtube(thank god) and the hacked Spotify to give me unlimited skips and Extreme audio(Spotify now banning people who us hacked apps but just create another account). Apple will always revoke these apps without refund and the people distributing them would need to pay for another enterprise license which is a couple hundred dollars every time. Always remember it’s the user that choose to download these interprise certificates and not Apple. Also App revenue is like $40 billion+ last year and will never allow these hacked apps in the App Store.
     
  20. jtara macrumors 68000

    Joined:
    Mar 23, 2009
    #20
    They aren't developer certificates. They are Enterprise Distribution Certificates.

    They are meant for companies to distribute apps for internal use through their own "app store".

    Such apps are not vetted by Apple. They aren't distributed in the App Store.

    They share them the same way that companies with internal apps share them within their companies. The devices have to be "enrolled" to the specific Enterprise program.

    Yes. They are not paying the devs. They are paying some random dude for hacked apps.

    It's unclear how some random dude gets the app in the first place. There may be a technical means to re-sign the .ipa. But in normal Enterprise distribution, there is re-signing, but it has to be done from a DEVELOPER build. Not a DISTRIBUTION build. (I think - going on a vague memory of a project I worked on a couple years ago, and I did not deal with the Enterprise distribution of the app - just did the development, some IT people at the company dealt with the distribution. They have a number of internal apps, and team that deals with the IT.)

    The random dude may be getting the source code from sloppy developers. The random dude may be buying the source code from some hacker that got it from sloppy developers. The random dude might have gotten necessary certificates from an Apple developer account of a sloppy developer. Any or all of the above. Bottom line is, some random dude has STOLEN some developer's work, and is selling it outside of the app store.

    The reason they have to do it outside of the App Store is because Apple won't allow a duplicate app to be sold in the App Store. If you steal the code for Angry Birds, and call it My Angry Birds. Or even Evil Bluejays - Apple is going to catch you and not allow it in the App Store.

    So, now we can put two and two together and see why Apple is forcing developers to use two-factor authentication to login to the developer portal now.

    Hey, AT LEAST Apple was checking for duplicate, pirated apps! Google did a HUGE purge a while back, of duplicate, pirated apps - that were being sold in the Play Store!

    Smart devs protect their apps in every way possible. Including encrypting everything you can get your hands on. Think your image files are unimportant? Think again. How much did you spend creating them? Apps are easily dissected if not carefully protected. Even if they don't get your code, if they get image files and database content, for example, they might have enough to make enough of a fake app (that doesn't really work, but LOOKS like yours) to scam people out of their money.
     
  21. cmaier macrumors G5

    Joined:
    Jul 25, 2007
    Location:
    California
    #21
    Only install software from the App Store instead of from dodgy torrents, and you’ll be more or less fine.
    --- Post Merged, Feb 13, 2019 ---
    Developers can sign apps with enterprise certificates obtained in accordance with an enterprise agreement with Apple, and then are authorized to distribute them to employees of the company they work for. It’s intended for things like in-house apps and customized software. But once they are signed, there’s nothing technically stopping them from being distributed to non-employees (other than the fact that they are violating the agreement with Apple).

    See: https://developer.apple.com/programs/enterprise/

    If someone hacks an App Store app to enable features that would ordinarily blocked by subscription fees, and signs the hacked apps with an enterprise certificate, you get what this article is talking about.
     
  22. mi7chy, Feb 13, 2019
    Last edited: Feb 13, 2019

    mi7chy macrumors 603

    mi7chy

    Joined:
    Oct 24, 2014
    #22
    Bingo. The only one who gets it. You've paid for the device but Apple take away your freedom to do whatever you wish with it. Imagine buying a Mac but Apple doesn't allow you to run emulators, Kodi, torrent clients, etc. Perhaps that's why they want to replace Macs with iPads to limit what you can do without going through their app store and services. Piracy is just a guise to take away your freedom and force upon a fascist authoritarian rule ecosystem.
     
  23. Nermal, Feb 13, 2019
    Last edited: Feb 14, 2019

    Nermal Moderator

    Nermal

    Staff Member

    Joined:
    Dec 7, 2002
    Location:
    New Zealand
    #23
    You don't need to enrol a phone; theoretically anyone can install an enterprise-signed app on any phone. I've tested this myself: I can install our in-house apps on my personal phone and nothing stops it.

    Edit: It seems from the replies that there is some confusion around terminology. All of our corporate-owned phones are "enrolled" somehow (I'm not sure of the specifics around this, but I believe that the serial numbers are entered somewhere). I'd assumed that you were talking about the same thing; my point was just that the phone doesn't need to be pre-approved to run an enterprise app.
     
  24. mariusignorello macrumors 65816

    Joined:
    Jun 9, 2013
    #24
    Then leave the Apple ecosystem. Nobody is going to listen to what one insignificant person has to say about this.
     
  25. timborama macrumors 6502

    timborama

    Joined:
    Oct 12, 2011
    #25
    Yes because bad people play by the rules. LOL
    Ya because there’s NEVER been any nefarious apps slip through the screeners and make it onto the App Store. LOL
     

Share This Page