iPhone Hackers Are Using Apple's Own Developer Certificates Against It
Apple's once-innocuous enterprise certificates have been in the news a lot lately. First it was revealed that both Facebook and Google were using enterprise certificates to deliver data-collecting apps to iPhone users. Apple offers those enterprise certificates so businesses can test apps internally without having to publish them to the App Store first, so obviously, the way Facebook and Google were using them doesn't really line up with their intended purpose.
Then, just a few days ago, we learned that other companies were abusing enterprise certificates to bypass the App Store entirely and distribute gambling and pornography apps to users. As if that weren't enough, a new report today claims even more abuse of iOS enterprise certificates, and this time the offending companies are using them to hand out hacked versions of popular apps.
Reuters reports that distributors including TutuApp, Panda Helper, TweakBox, and App Valley are abusing these certificates to deal out hacked installs of apps like Spotify, Pokemon GO, and Minecraft. Users who download these illicit apps generally get some kind of paid-for content for free. In the case of Spotify, for instance, users are able to listen to ad-free music without paying for a Premium subscription first. Minecraft, on the other hand, is offered for free by these distributors, while it costs $6.99 to download from the App Store.
Naturally, this is a big problem for both the creators of these apps and Apple, as it means they miss out on revenue. Reuters notes that the distributors of these apps make their money by offering subscriptions to "VIP" versions of hacked software in exchange for yearly fees that start at $13 and go up from there.
Apple, for its part, maintains that it will disable the enterprise certificates of companies found to be abusing them and remove offending distributors from the iOS Developer Program entirely if the situation calls for it. Even then, it's fairly easy to obtain a new enterprise certificate and continue distributing hacked apps, so Apple is now looking to implement a two-factor authentication system that will help curb abuse.
Apple says that two-factor authentication for developer accounts should be live by the end of the month, so we'll see soon enough if it helps stop the distribution of hacked apps like Spotify and Minecraft. For now, though, it's clear that enterprise certificates in their current state have a lot of potential for abuse, and that probably isn't something that can persist if Apple wants to keep its biggest app partners happy.