Recent reports have revealed that Apple’s Developer Enterprise program has been rife with abuse, ranging from invasive spyware created by two of the world’s largest tech companies to an underground hotbed of porn and gambling apps. While it may be hard to believe things could get any worse than that, a third category of abuse has now been discovered: hacked and pirated versions of legitimate apps like Spotify and Minecraft.
According to Reuters, a cabal of illicit software distributors has been using certificates issued under Apple’s Developer Enterprise program to distribute modified versions of many popular apps in order to circumvent payments or subscriptions, strip them of ads, or cheat in games, ultimately depriving Apple and the legitimate developers of revenue.
Of course, like Facebook, Google, and the plethora of porn and gambling apps, these pirate distributors are in egregious violation of Apple’s Developer Enterprise program terms, although in this case their transgressions go far beyond a simple contractual violation, into the realm of blatant software piracy and theft of intellectual property.
Since the news of Facebook’s “research” app and Google’s similar ScreenWise app first broke late last month, Apple has been on a quest to hunt down and neuter the non-compliant certificates, and has been doing so with extreme prejudice. Facebook and Google both had their Enterprise certificates revoked within 24 hours of the discovery of their invasive “research” apps, wreaking havoc in both companies as they sought a return to Apple’s good graces, and Apple has of course been doing the same with the collection of porn and gambling apps discovered earlier this week. It now appears, though, that the company is facing an uphill struggle as more and more abuses are found.
The recent revelations also highlight a clear failure on the part of Apple to police its Developer Enterprise program. At best, Apple has been too trusting in assuming that developers would abide by the terms of their license agreements — something that clearly even Facebook and Google didn’t do — but as reported yesterday, the problem goes far deeper. There are indications that Apple didn’t exercise anything close to its usual diligence in even controlling admission to the program, allowing Enterprise developers to gain admission with little to no verification that they were actually part of the company they claimed to represent, leaving a great deal of room for fraudulent applications under assumed company names.
Some of the distributors have also been discovered using enterprise certificates that have been stolen from legitimate developers, making the issue even harder for Apple to police. It’s become a cat-and-mouse game, with Reuters noting that as fast as the pirates’ certificates were banned, they popped up again within days using different certificates — either ones that were newly acquired through an underground black market for developer certificates, or “sleeper” certificates that the pirate distributors have been sitting on without using. In the case of the pirated apps identified by Reuters, the distributors were using certificates that were obtained in the name of legitimate businesses, such as subsidiaries of China Mobile.
Unfortunately, Apple has no way of tracking which apps are signed with enterprise certificates. The program is designed exclusively to let large companies deploy in-house apps to their own employees, so it relies on direct distribution: the apps never pass through the App Store. Once Apple issues a certificate to a company under the Developer Enterprise program, that company is free to sign as many apps as it likes with that certificate, and Apple sees none of them. Apple’s only recourse when a violation is discovered is to revoke the certificate entirely, which renders every app signed with that certificate inoperable, legitimate in-house apps included.
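The two properties described above (an enterprise profile is valid on any device, and revocation of the team’s certificate kills every app signed under it at once) are things a device-management or security team can check for themselves. The Python below is an added example, not code from the article or from Apple: it pulls the plist out of an app’s `embedded.mobileprovision` (found at `Payload/<App>.app/embedded.mobileprovision` inside an IPA), flags profiles that provision all devices, checks expiry, compares the team against a constructed revocation list, and lists which installed apps a single revocation would take down. The team identifiers, team names and profile contents are constructed for the example; a real `.mobileprovision` is a CMS (PKCS#7) envelope around the plist, and this example only slices the plaintext plist out of it rather than verifying the envelope’s signature, which a production audit should also do.

```python
"""Audit embedded.mobileprovision profiles and model the blast radius of an
enterprise certificate revocation. Added example; every profile below is
constructed, not captured from a real app."""
import plistlib
from datetime import datetime

# Constructed "now" so the example is deterministic.
AUDIT_TIME = datetime(2019, 2, 15)


def extract_plist(profile_bytes: bytes) -> dict:
    """Return the plist embedded in a .mobileprovision blob.

    The file is a DER-encoded CMS structure wrapping a plaintext XML plist,
    so slicing between the XML header and </plist> is enough to read the
    fields without a full DER parser (the CMS signature is NOT verified here).
    """
    start = profile_bytes.find(b"<?xml")
    end = profile_bytes.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found in profile")
    return plistlib.loads(profile_bytes[start:end + len(b"</plist>")])


def assess_profile(profile: dict, revoked_teams: set, now: datetime) -> dict:
    """Summarise the security-relevant fields of one provisioning profile."""
    team_id = profile.get("TeamIdentifier", ["unknown"])[0]
    expires = profile.get("ExpirationDate")  # plistlib yields naive UTC datetimes
    return {
        "team_id": team_id,
        "team_name": profile.get("TeamName"),
        # ProvisionsAllDevices is only present (and true) in enterprise
        # in-house profiles; App Store / ad hoc profiles omit it.
        "enterprise": bool(profile.get("ProvisionsAllDevices")),
        "expired": expires is not None and expires <= now,
        "revoked": team_id in revoked_teams,
    }


def audit(inventory: dict, revoked_teams: set, now: datetime) -> dict:
    """Map app name -> assessment for every app in the inventory."""
    return {
        app: assess_profile(extract_plist(raw), revoked_teams, now)
        for app, raw in inventory.items()
    }


def apps_killed_by_revocation(inventory: dict, team_id: str) -> list:
    """Every app signed under the revoked team stops launching at once.

    This is the 'revoke the certificate entirely' recourse: there is no way
    to pull one offending app while leaving the team's other apps alive.
    """
    return sorted(
        app for app, raw in inventory.items()
        if extract_plist(raw).get("TeamIdentifier", [None])[0] == team_id
    )


def _build_profile(name, team_id, team_name, all_devices, expires) -> bytes:
    """Construct a stand-in .mobileprovision: throwaway bytes in place of the
    CMS envelope, with a real-shaped plist inside (hypothetical values)."""
    fields = {
        "Name": name,
        "TeamIdentifier": [team_id],
        "TeamName": team_name,
        "ExpirationDate": expires,
        "UUID": f"constructed-{team_id}-{name}",
    }
    if all_devices:
        fields["ProvisionsAllDevices"] = True
    return b"\x30\x82\x00\x00" + plistlib.dumps(fields) + b"\x00\x00"


# Constructed inventory: two apps signed under the same hypothetical
# enterprise team, plus one genuine in-house app whose profile has expired.
SAMPLE_INVENTORY = {
    "TweakedMusic.app": _build_profile(
        "Tweaked Music Dist", "ENT1234567", "Example Subsidiary Ltd", True,
        datetime(2020, 1, 1)),
    "FreeBlocks.app": _build_profile(
        "Free Blocks Dist", "ENT1234567", "Example Subsidiary Ltd", True,
        datetime(2020, 1, 1)),
    "CorpDirectory.app": _build_profile(
        "Corp Directory", "CORP987654", "Example Corp", True,
        datetime(2019, 1, 1)),
}

if __name__ == "__main__":
    for app, verdict in audit(SAMPLE_INVENTORY, {"ENT1234567"}, AUDIT_TIME).items():
        print(f"{app}: {verdict}")
    print("Revoking ENT1234567 disables:",
          apps_killed_by_revocation(SAMPLE_INVENTORY, "ENT1234567"))
```

On a managed fleet the same `assess_profile` output is what you would feed into an alert: any app whose profile provisions all devices but whose team is not on your allow-list of known enterprise teams is exactly the signal the article describes Apple lacking at the device level.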
Apple recently sent out an e-mail to all registered developers advising them that, as of February 27, two-factor authentication will be required on all Apple Developer accounts and Certificates, Identifiers & Profiles. Although Apple doesn’t provide any specific explanation for this requirement, the timing strongly suggests that the move is directly related to the recent spate of abuses.
While Apple continues to look for other ways to close what has clearly become a massive hole in its famous walled garden, the app makers affected by this piracy are taking steps of their own to fight back. Spotify told Reuters that its recently updated terms of service will crack down on users who are “creating or distributing tools designed to block advertisements” on the music service, while Rovio noted that it “actively works with partners to address infringement” and Niantic added that it regularly bans players who use pirated apps to enable cheating. Microsoft, the owner of Minecraft, declined to comment.
The pirate distributors, who collectively have more than 600,000 followers on Twitter, make money by charging for subscriptions to access “VIP” versions of their services, providing free versions of apps like Minecraft that normally require purchase from the App Store, and ad-stripped versions of Spotify’s free streaming music service. There’s no easy way to confirm how much money these distributors are making, nor how much money legitimate developers are losing, but there’s clearly enough to make it worth it for the pirate companies to keep at it.
Piracy of legitimate iOS apps is not at all new — it goes back to the very early days of the App Store — but in the past it has traditionally required users to jailbreak their iPhones in order to sideload completely unsigned apps. Apple’s efforts to make jailbreaking more difficult and less worthwhile have likely dried up that side of the piracy market, forcing these companies to look for other ways to get their apps onto users’ devices. Apple’s Developer Enterprise program has proven to be a perfect opportunity for this, since an enterprise-signed app can be installed on any iPhone, iPad, or iPod touch without a jailbreak. Apple’s only recourse is to continue hunting down and revoking the certificates that are being misused, while also tightening up its Developer Enterprise program in the process, both in terms of the requirements for admission and the auditing of companies participating in the program. Sadly, it seems likely that this will ultimately make life more complicated for legitimate members of the Developer Enterprise program.