An avalanche of reports over the last two weeks have shown that Facebook, Google, Amazon, as well as purveyors of explicit content and real-money gambling have been abusing the Apple Developer Enterprise Program, intended for Apple-approved organizations to test and distribute apps specifically for internal use. Software pirates have gotten in on the action as well, distributing “hacked versions of Spotify, Angry Birds, Pokemon Go, Minecraft and other popular apps on iPhones,” according to a Reuters report late Wednesday.
The evidently widespread abuse of the program casts doubt on Apple’s claim of better security on iOS. While installing these apps requires end users to perform a series of manual steps, Apple appears to be unsuccessful in building a wall that keeps unapproved applications off iPhones and iPads. That said, while Google would not allow pirated content to proliferate in the Play Store, sideloading apps on Android is easily possible; Amazon operates a competing app store for Android, which is made possible by that same sideloading capability.
The pirated apps in question remove advertisements, or provide for free apps which otherwise require purchase in the App Store. Reuters reported that “The distributors of pirated apps… are using certificates obtained in the name of legitimate businesses, although it is unclear how.” The verification process for businesses relies on a DUNS ID, which is easily searchable on the web for any arbitrary business, TechCrunch reported Tuesday. Its investigation unearthed certificates issued to seemingly unrelated businesses, such as a California furniture company and a Québec gravel company.
Apple has no apparent way of tracking how enterprise certificates are used, though the company has not hesitated to revoke certificates in the event of abuse, which renders every currently installed app signed with those certificates inoperable. This is similar to the case of the “Facebook Research” VPN, which paid users between the ages of 13 and 25 up to $20 per month, in addition to referral fees, to install an app that allowed the social media giant to track all activity on the phone.
Apple will begin to require two-factor authentication to log in to developer accounts, but it is unclear how this will prevent certificate misuse if the certificate was granted as a result of identity theft in the first place, the report said.
The big takeaways for tech leaders:
- Software pirates are abusing the Apple Developer Enterprise Program to distribute hacked versions of pirated apps. — Reuters, 2019
- The pirated apps in question essentially remove advertisements, or provide for free apps which require purchase in the App Store. — Reuters, 2019