Software pirates use Apple’s enterprise certificates to release hacked iPhone apps

Developers of ‘pirate’ apps have distributed hacked versions of popular iPhone apps such as Spotify, Minecraft, and Pokémon GO, according to a Reuters report.

Enterprise developer certificates are being used to allow consumers to stream music without ads and to circumvent fees and rules in games, which deprives Apple and third-party software companies of potential revenue.

By distributing a cloned version of these apps, pirate app developers are breaking the rules of Apple’s developer programs, which state apps can only be distributed to the public through the App Store.

Users who download cracked versions of original apps located on Apple’s App Store are also violating the terms of service.

Enterprise developer certificates

Software distributors like TutuApp, Panda Help, AppValley, and TweakBox did not respond to a request to comment, Reuters said.

According to the report, Apple has no way of tracking the spread of pirated apps on its phones but can revoke the certificates if it finds misuse.

“Developers that abuse our enterprise certificates are in violation of the Apple Developer Enterprise Program Agreement and will have their certificates terminated, and if appropriate, they will be removed from our Developer Program completely,” an Apple spokesperson told Reuters. “We are continuously evaluating the cases of misuse and are prepared to take immediate action.”

It remains unclear how illegal app distributors are able to gain access to developer certificates, but developers like TutuApp, Panda Help, AppValley, and TweakBox have found ways to abuse developer certificates to distribute modified apps to business employees without having to go through Apple’s App Store vetting process.

Some of the pirated apps were banned last week, but a few days later, they reappeared on the system by using different certificates.

“There’s nothing stopping these companies from doing this again from another team, or another developer account,” said Amine Hambaba, head of security at software firm Shape Security.

Two-factor authentication

On Wednesday (Feb. 13th), Apple confirmed that all developer accounts will require two-factor authentication (2FA) to be turned on, which it claims could help prevent certificate misuse.

Spotify declined to comment on the matter but previously said that its new terms of service would crack down on users who are “creating or distributing tools designed to block advertisements”.

Niantic Labs, the augmented-reality game company that made Pokémon Go, said that players who use pirated apps are regularly banned. Microsoft Corp, which owns the hit game Minecraft, also declined a request to comment.
