In the wake of controversy surrounding Facebook’s unauthorized use of the Developer Enterprise Program that permits Apple-approved organizations to test and distribute apps specifically for internal use—prompting Apple to revoke Facebook’s signing certificate—more organizations were found abusing the program, according to a report in TechCrunch on Tuesday.
The report claims Apple “doesn’t adequately enforce” policies prohibiting businesses from distributing apps only to their employees, likewise, the verification process for businesses is rather minimal, relying on a DUNS ID and a phone call. Some of the authorizations were made fraudulently, as a DUNS ID is easily searchable on the web, and some of the apps unearthed in the investigation were assigned to unrelated certificate holders, such as a California furniture company and a Québec gravel company, reported TechCrunch.
SEE: Job description: iOS developer (Tech Pro Research)
Naturally, the illicit content provided by the apps would not be allowed in the App Store. Apple has consistently positioned itself as the arbiter of what is and is not allowed, in terms of content, in the App Store. While Google would similarly not allow this content to proliferate in the Play Store proper, the differentiating factor is Apple provides no official way for apps to be sideloaded, while the presence of this ability in Android led to third-party app stores trafficking such content. Both approaches have their own downsides: Android has more frequent incidents of malicious APKs distributed outside the Play Store, and the “walled garden” reputation of iOS makes it unsuitable for users wishing to use anything outside of Apple orthodoxy, such as emulators.
Given Apple’s interest in maintaining control over iOS, it would—from an implementation standpoint—make slightly more sense to assign devices to a specific organization, and push internal-only apps through the App Store, giving the company oversight into how the Developer Enterprise Program is used and preventing these types of abuses.
In contrast to the Facebook Research and Google Screenwise debacles late last month, the report indicated none of the off-limits apps were attempting to access private data. Apple again granted permission to Facebook and Google to use the service at the beginning of February.
The big takeaways for tech leaders:
- Organizations are using the Apple Developer Enterprise Program to distribute apps purveying hardcore pornography and real-money gambling, in violation of Apple’s policies. — TechCrunch, 2019
- Falsifying developer information when applying to the program appears to be relatively trivial, as information needed can be found using web searches.