Abuse of Apple’s Developer Enterprise Program for Porn, Gambling Apps Uncovered


When news broke last month that Facebook had been abusing Apple’s Developer Enterprise program to distribute an extremely invasive research app, the most surprising part of the revelations was not that Facebook was conducting invasive research (that has become par for the course for the social media giant in recent years) but that the company was able to so easily bypass Apple’s tightly controlled app ecosystem and deploy something so egregious to end users.

Not long after the news broke about Facebook’s app, Google decided to come clean with the admission that it had been doing pretty much the same thing for years. Now a new report reveals that Facebook and Google were far from the only companies violating the terms of Apple’s Developer Enterprise agreements.

According to TechCrunch, which first broke the news about Facebook’s app, there’s actually a huge underground marketplace of hardcore pornography apps and real-money gambling apps that bypass Apple’s App Store review process by abusing the company’s Developer Enterprise program. Apps published under that program are sent directly to users and sideloaded onto iPhones and iPads without any direct involvement by Apple.

While the apps in question aren’t as insidious as Facebook’s “research” app, they still flagrantly violate Apple’s content policies and wouldn’t have gotten past the first stage of the App Store Review process. Because they are released through the Developer Enterprise program, however, they never need to be seen by Apple at all, much less go through any kind of approval process.

To be clear, however, Apple does have a great deal of indirect responsibility for this — companies applying for the Developer Enterprise Program have to be screened and approved by Apple. However, once Apple lets a company in, they’re given carte blanche to publish as many of their own apps as they want to, although according to each company’s contract with Apple, such apps are only to be distributed to employees within their own organization. In fact, Apple’s license agreement for Enterprise Developers explicitly prohibits the use of applications released under the program by non-employees except under the direct supervision of an employee on the company’s own premises.

Although Apple doesn’t vet the apps released under its Developer Enterprise Program, it does still control the certificate that allows those apps to run on iOS devices. Apps developed under the program are signed with the company’s enterprise distribution certificate and carry a matching provisioning profile; the user must explicitly trust that developer in the device’s Settings before the app will launch, and Apple has the power to revoke the certificate at any time, as it did in Facebook’s case earlier this month, at which point every app signed with it stops launching and all of the company’s apps become completely non-functional.

However, as the TechCrunch report notes, Apple has been lax, or perhaps simply naive, in administering its Enterprise Developer Program, allowing “companies” to join without the due diligence needed to confirm that they are who they claim to be, and relying exclusively on its contractual agreements with participating developers to guarantee that they will not abuse the program. TechCrunch outlines how a prospective “Enterprise Developer” can apply simply by filling out an online form, paying the $299 registration fee, and then providing additional information that can easily be forged, such as a DUNS business ID number that can be looked up with a tool Apple itself provides.

With just a few lies on the phone and web plus some Googleable public information, sketchy developers can get approved for an Apple Enterprise Certificate.

Although Apple reps do make a phone call to applicants asking them to confirm that they’ll only distribute apps internally and that they’re authorized to represent their business, it appears that no actual verification is required for this process — something that is even more odd in light of the requirement for standard iOS Developers to provide actual legal paperwork such as business certificates and articles of incorporation before they are approved to operate on behalf of a company. However, the laxer standards of the Developer Enterprise Program may be partly due to the lack of any financial relationship between Apple and its Enterprise developers; in short, Enterprise developers aren’t actually selling apps, and therefore aren’t receiving money from Apple.

What is clear, however, is that Apple needs to be less trusting of its Enterprise developers and start actually policing the program. The investigation by TechCrunch revealed a staggering number of policy-violating apps, with “thousands of sites” offering “Enterprise” apps that could be installed directly onto iOS devices, and TechCrunch was able to verify 12 pornography and 12 gambling apps that could easily be installed on a standard, non-jailbroken iPhone but would have been unequivocally prohibited from the App Store. The apps in question offered streaming of pay-per-view hardcore pornography or allowed users to gamble with real money.

The Enterprise certificates (and the provisioning profiles a user must trust to enable these apps) do carry the name of the company that is ostensibly behind each app, but as TechCrunch points out, in many cases the certificates bore innocuous company names unrelated to the true purpose of the apps. In some cases, the certificates were issued to the actual company developing the apps, while others clearly seemed to have been fraudulently obtained in the names of legitimate businesses that would have nothing to do with app development, such as gravel suppliers and furniture companies. In still other cases, certificates legitimately obtained and used by genuine Enterprise developers were stolen and resold on underground websites. TechCrunch also compiled a full list of the offending apps that it found.
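The two paragraphs above turn on a single artifact: the provisioning profile (`embedded.mobileprovision`) that ships inside every sideloaded IPA, which records which team the signing certificate was issued to, whether the profile is an enterprise “in-house” profile (`ProvisionsAllDevices`), and when it expires. The script below is an added example written for this page, not code from TechCrunch or Apple; it builds a constructed IPA in memory with a dummy profile (the team name, identifier and bundle ID are made up), pulls the plist out of the profile’s CMS envelope, and reports who signed the app and under what kind of profile. It uses only the Python standard library and does not verify the CMS signature, so the fields it prints should be confirmed with a real signature check (for example `openssl smime -verify` against Apple’s WWDR chain) before being trusted.

```python
import io
import plistlib
import zipfile
from datetime import datetime, timezone
from typing import Optional

# Constructed sample profile (NOT a real Apple-issued profile): the plist an
# enterprise in-house distribution profile carries, filled with dummy values.
SAMPLE_PROFILE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AppIDName</key><string>Example In-House App</string>
    <key>ExpirationDate</key><date>2020-02-01T00:00:00Z</date>
    <key>Name</key><string>Example In-House Distribution</string>
    <key>ProvisionsAllDevices</key><true/>
    <key>TeamIdentifier</key><array><string>ABCDE12345</string></array>
    <key>TeamName</key><string>Example Gravel Supply Co.</string>
    <key>Entitlements</key>
    <dict>
        <key>application-identifier</key><string>ABCDE12345.com.example.inhouse</string>
        <key>get-task-allow</key><false/>
    </dict>
</dict>
</plist>
"""

# A real embedded.mobileprovision is a DER-encoded CMS SignedData blob whose
# content is the XML plist. This stand-in wraps the plist in a few leading
# bytes and a dummy trailer so the extraction logic below has something to skip.
SAMPLE_MOBILEPROVISION = (
    b"\x30\x80\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"  # CMS signedData OID prefix (illustrative)
    + SAMPLE_PROFILE_PLIST
    + b"\x00" * 16                                           # stand-in for the signature
)


def build_sample_ipa() -> bytes:
    """Build a minimal IPA (zip) in memory containing the constructed profile."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Payload/Example.app/Info.plist", "<plist version=\"1.0\"><dict/></plist>")
        z.writestr("Payload/Example.app/embedded.mobileprovision", SAMPLE_MOBILEPROVISION)
    return buf.getvalue()


def extract_profile_plist(mobileprovision: bytes) -> dict:
    """Pull the XML plist out of a CMS-wrapped embedded.mobileprovision.

    This only slices the plist out of the envelope; it does NOT verify the CMS
    signature, so the result must be cross-checked with a real signature
    verification before any of its fields are relied on.
    """
    start = mobileprovision.find(b"<?xml")
    end = mobileprovision.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist payload found in profile")
    end += len(b"</plist>")
    return plistlib.loads(mobileprovision[start:end])


def read_profile_from_ipa(ipa_bytes: bytes) -> dict:
    """Locate the top-level app bundle's embedded.mobileprovision inside an IPA."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        names = [n for n in z.namelist()
                 if n.startswith("Payload/") and n.endswith(".app/embedded.mobileprovision")
                 and n.count("/") == 2]
        if len(names) != 1:
            raise ValueError(f"expected exactly one app-level profile, found {names}")
        return extract_profile_plist(z.read(names[0]))


def classify_profile(profile: dict, now: Optional[datetime] = None) -> dict:
    """Summarise who signed the app and what kind of distribution the profile permits."""
    now = now or datetime.now(timezone.utc)
    expiry = profile.get("ExpirationDate")
    if expiry is not None and expiry.tzinfo is None:
        expiry = expiry.replace(tzinfo=timezone.utc)  # plistlib yields naive UTC datetimes

    if profile.get("ProvisionsAllDevices"):
        distribution = "enterprise in-house"      # runs on any device that trusts the team
    elif "ProvisionedDevices" in profile:
        distribution = "ad hoc/development"        # limited to the listed device UDIDs
    else:
        distribution = "app store"                 # no device list, not in-house

    entitlements = profile.get("Entitlements", {})
    return {
        "team_name": profile.get("TeamName"),
        "team_id": (profile.get("TeamIdentifier") or [None])[0],
        "bundle_id": entitlements.get("application-identifier"),
        "distribution": distribution,
        "debuggable": bool(entitlements.get("get-task-allow", False)),
        "expired": expiry is not None and expiry < now,
        "expires": expiry.isoformat() if expiry else None,
    }


if __name__ == "__main__":
    summary = classify_profile(read_profile_from_ipa(build_sample_ipa()))
    for key, value in summary.items():
        print(f"{key:13} {value}")
```

Run against a real IPA, the `team_name` field is what the user sees in the trust prompt; a gravel supplier’s name on a gambling app, or a team ID shared across many unrelated apps, is exactly the pattern the report describes, and the `distribution` field distinguishes an in-house profile from the device-limited ad hoc profiles a legitimate beta would use.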

To Apple’s credit, it does seem to be taking some action following these revelations, with TechCrunch reporting that some of the offending apps have already been disabled, although many remain operational. Still, it seems only a matter of time before Apple tracks down and revokes all of the certificates involved. The company offered no explanation, however, as to how these apps slipped into the program, whether it ever conducts compliance audits of program developers, or how it intends to police the program in the future, although an Apple spokesperson made it very clear that it will enforce the terms of its agreements with developers and has a zero-tolerance policy for abuses.

Developers that abuse our enterprise certificates are in violation of the Apple Developer Enterprise Program Agreement and will have their certificates terminated, and if appropriate, they will be removed from our Developer Program completely. We are continuously evaluating the cases of misuse and are prepared to take immediate action.

Apple spokesperson

Additional research revealed that none of the apps appeared to actually be misappropriating user data, or installing VPN-like services in the way that Facebook and Google did. In all cases the offending apps simply appeared to be seeking to use Apple’s Developer Enterprise program to bypass the family-friendly App Store. As TechCrunch notes, it’s somewhat ironic that two of the top U.S. tech companies “were more aggressive about collecting user data than shady Chinese porn and gambling apps,” but regardless of what the apps were actually doing, the potential for abuse through Apple’s Developer Enterprise program is reason enough for Apple to be taking decisive action to tighten up its program.
