Rival tech giants like Google and Facebook aren’t the only companies abusing Apple’s enterprise certifications to distribute unapproved apps in the Apple App Store on iOS, according to reports from Reuters and TechCrunch.
Apple’s Enterprise Developer Program is intended to facilitate distribution of apps across devices internally within corporations, governments, and other organizations. Apple explicitly forbids its use for any other purpose in its terms of service.

But the Reuters report describes the use of enterprise certificates to distribute pirated versions of popular iOS software like Minecraft, Spotify, and Pokémon Go. For example, a free version of Minecraft (which is normally a premium app) is distributed by TutuApp using the method. Another pirate distributor, AppValley, offers a version of the Spotify app with the ads that support Spotify and the music artists stripped out completely.
The distributors impersonate legitimate businesses to gain access to Apple’s enterprise certification program and tools. They also offer both free versions of their services as well as cheap annual subscriptions that are priced at a point the legitimate services from which they steal could never viably match.
Earlier this week, a TechCrunch investigation also discovered a 'dozen hardcore-pornography apps and a dozen real-money gambling apps that escaped Apple's oversight.' Like the pirated apps, these apps bypassed Apple's App Store, given that Apple would not have approved them otherwise.
Apple has been criticized many times in the past for the App Store's stringent app-approval policy, and those critics remain. However, others have praised Apple for cracking down on apps that violate user privacy, can be used for bullying or abuse, or spread disinformation. Though the company's track record is not perfect there, that doesn't seem to be for lack of trying.
Some competing platforms like Google Play and Android have less-stringent approvals and are more permissive still of sideloading apps that could not be distributed in the Google Play store. In this sense, the App Store and Google Play represent two competing philosophies, and those philosophies may often be deciding factors for users choosing between platforms.
Many of Apple's customers choose the platform expecting those policies to be enforced, so the company tends to move aggressively to address loopholes and other problems. And, of course, protecting Apple's ability to take a revenue cut on all app transactions is important for the company's business, as it relies more and more on services revenue (an umbrella that includes the App Store) as iPhone sales slow. We've also written before about the security ramifications of loopholes like this.
To those ends, Apple provided identical statements to both TechCrunch and Reuters on the subject of unapproved app distribution through the enterprise program:
Developers that abuse our enterprise certificates are in violation of the Apple Developer Enterprise Program Agreement and will have their certificates terminated, and if appropriate, they will be removed from our Developer Program completely. We are continuously evaluating the cases of misuse and are prepared to take immediate action.
Even when it was Google and Facebook violating Apple's policies, Apple didn't hesitate to pull certification—though it negotiated to reinstate those certifications quickly. But with so many potential abuses by so many possible actors, it looks like Apple will be playing a difficult game of whack-a-mole to enforce its policies while retaining functionality and features for legitimate and compliant enterprise customers.

As a first step in its efforts to tackle these abuses, Apple announced this week that it will require developer accounts to use two-factor authentication. We'll have to wait and see if other new actions are coming, but it seems likely.
Apple’s easily abused Enterprise Certificate program isn’t just enabling snoopy Facebook and Google apps. It’s also being exploited by at least a dozen hardcore porn apps and a dozen gambling apps.
Last week, Facebook’s Research app – that paid people, including teens, to install a Virtual Private Network (VPN) app that planted a root certificate on their phones to get access to traffic from other apps – got the boot from Apple. The Research app was created under Apple’s Enterprise Certificate program, a way of creating non-App Store apps that are used for “specific business purposes” and “only for use by your employees” …not by consumers whose data Facebook was sucking up.
Within hours, Google found itself apologizing for doing something similar.
Now, it’s apparent how easy it is to use enterprise certificates to avoid the App Store’s content policies prohibiting apps that show “explicit descriptions or displays of sexual organs or activities intended to stimulate erotic rather than aesthetic or emotional feelings.”
According to Tech Crunch, the developers behind the gambling and porn apps have either passed what it calls Apple’s “weak” Enterprise Certificate screening process or piggybacked onto a legitimate approval.
Apple was swift to react when Tech Crunch broke the news about Facebook’s and Google’s “clear breach” of its certificate policies. After briefly revoking the companies’ certificates (for all apps, including those that were, per Apple’s policy, used by employees), Apple has over the past few days gone on a bit of an app-disabling spree. Some of the dozens of porn and gambling apps that Tech Crunch initially found have vanished in the process.
As of Tuesday, still-functioning porn apps included Swag, PPAV, Banana Video, iPorn (iP), Pear, Poshow and AVBobo, and the gambling apps still available included RD Poker and RiverPoker. As of Wednesday, Banana Video, for one, was still hanging in there.
How ‘iPorn’ et al. get enterprise certificates
All developers have to do to get an enterprise certificate is to fill out an online form, fork over $299, hand over an easily found D-U-N-S business ID number (Apple provides a tool to look it up) and business address, and use an up-to-date Mac. Tech Crunch’s Josh Constine even found these step-by-step directions on how to get an Apple enterprise app developer license.
Then, the developers sit back and wait for a call from Apple. It takes one to four weeks. The last step: lie to the Apple rep about plans to only distribute the apps internally.
Often, part of the ruse is for these violative apps to hide behind company names that obscure their real purpose: for example, Tech Crunch found such business names as Interprener, Mohajer International Communications, Sungate and AsianLiveTech. Constine says that he also came across what appeared to be “forged or stolen credentials to sign up under the names of completely unrelated but legitimate businesses.” From his report:
Dragon Gaming was registered to U.S. gravel supplier CSL-LOMA. As for porn apps, PPAV’s certificate is assigned to the Nanjing Jianye District Information Center, Douyin Didi was licensed under Moscow motorcycle company Akura OOO, Chinese app Pear is registered to Grupo Arcavi Sociedad Anonima in Costa Rica and AVBobo covers its tracks with the name of a Fresno-based company called Chaney Cabinet & Furniture Co.
Apple will send the apps – and maybe their devs – packing
Apple wouldn’t explain how these apps are getting past its vetting to get into the Enterprise Certificate app program. Nor would it discuss whether it will change how it deals with its enterprise program, including whether it will in the future follow up to see if apps that get in are, or remain, compliant, or if it plans to change its admission process. It did, though, give Tech Crunch a statement about its plans to shut down such apps and potentially to ban the developers from building iOS products:
Developers that abuse our enterprise certificates are in violation of the Apple Developer Enterprise Program Agreement and will have their certificates terminated, and if appropriate, they will be removed from our Developer Program completely. We are continuously evaluating the cases of misuse and are prepared to take immediate action.