Illicit parties leverage Apple Enterprise Certificates to distribute hacked versions of popular apps


A report Wednesday added to escalating controversy regarding Apple's Enterprise Certificate program, saying the program is being used to distribute hacked versions of popular apps, effectively sidestepping stringent App Store guidelines.


As detailed by Reuters, illicit app distributors like TutuApp, Panda Helper, AppValley and TweakBox are abusing developer certificates to disseminate modified versions of legitimate apps.

Depending on the app, users are able to stream music without paying subscription fees, block advertisements and bypass in-app purchases, the report said. The practice not only cheats legitimate app makers out of revenue, but also hurts Apple's bottom line as the company takes a 15 percent to 30 percent cut of all App Store purchases.

Examples of so-called hacked apps include TutuApp's Minecraft, which sells for $6.99 on the App Store, while AppValley offers a version of Spotify that lets users listen to the service's free tier without commercial interruptions.

Like the recent kerfuffle involving data gathering apps from Facebook and Google, Apple's Enterprise Certificate program is at the crux of the hacked app issue.

The Developer Enterprise Program was designed to give companies an easy method of distributing apps among employees without first passing through strict App Store oversight. Developer certificates are often used to issue working betas, internal personnel management apps and other software not developed for public consumption.

Distributors like TutuApp and AppValley are violating Apple's terms of use by leveraging developer certificates to offer the modified app versions to iOS users.

Reuters contacted Apple about the issue last week, and the company subsequently killed a number of apps mentioned in the report by pulling the developer certificates that were used for distribution. Within days, however, the apps were back up for download under newly obtained certificates. Exactly how the illicit parties are able to gain access to developer certificates is unknown, though some were found to have impersonated an unnamed subsidiary of China Mobile.

Apple's Enterprise Developer Program has been a topic of hot discussion over the past month as consecutive investigations from TechCrunch revealed both Facebook and Google were using the certificates to run data gathering operations. In both cases, developer certificates were employed to sideload user-monitoring VPN apps on target iPhones. In exchange for their participation, users were compensated with money and gift cards.

Apple revoked Facebook's certificate a day after the report went live, later pulling Google's certificate as well. Privileges were restored within a day.

More recently, a report on Tuesday detailed a number of porn and gambling apps that used enterprise certificates as a workaround to App Store scrutiny. At the time, Apple said it is monitoring the situation and will take action when necessary. An identical statement was issued to Reuters on Wednesday.

"Developers that abuse our enterprise certificates are in violation of the Apple Developer Enterprise Program Agreement and will have their certificates terminated, and if appropriate, they will be removed from our Developer Program completely. We are continuously evaluating the cases of misuse and are prepared to take immediate action."

