Apple has an issue on its hands, and it turns out it is much bigger than it was originally thought.
It was discovered recently that Facebook was abusing Apple’s Enterprise Certificate Program, which allowed it to dole out access to a VPN iOS app that could track and monitor a wide range of information from participants’ iPhones. Facebook had its certificate program access removed by Apple, but it was shortly restored after the social network disabled the infringing app.
If that wasn’t bad enough, Google was discovered to be doing the same thing for years, even including teenagers in the mix. Apple disabled that company’s access to the certificate program as well, but ultimately restored access after Google removed the app in question. Of course, it was also reported that those two companies weren’t the only ones infringing on the rules.
But now just how deep the issue runs is getting even more attention. A new report this week from TechCrunch details that a variety of different adult-focused apps, including ones with adult content, including but not limited to, gambling, are also abusing the certificates program.
As it stands, the publication says it was able to download and test a dozen different infringing apps:
“TechCrunch was able to download and verify 12 pornography and 12 real-money gambling apps over the past week that were abusing Apple’s Enterprise Certificate system to offer apps prohibited from the App Store. These apps either offered streaming or pay-per-view hardcore pornography, or allowed users to deposit, win, and withdraw real money — all of which would be prohibited if the apps were distributed through the App Store.”
The enterprise program is designed for businesses to quickly and easily side-load apps onto devices or internal use. However, it appears that the rather easy rules for a business to actually join the enterprise program are part of the problem. Devs just need to pay $299 and fill out a form to be accepted into the program. That isn’t a hefty fee, and it is apparently doing very little to stymie the individuals who would like to abuse the system in place.
To make matters worse, it sounds like there is a pretty lucrative black market for enterprise certificates, too:
“Strafach explained how “A significant number of the Enterprise Certificates used to sign publicly available apps are referred to informally as ‘rogue certificates’ as they are often not associated with the named company. There are no hard facts to confirm the manner in which these certificates originate, but the result of the initial step is that individuals will gain control of an Enterprise Certificate attributable to a corporation, usually China/HK-based. Code services are then sold quietly on Chinese language marketplaces, resulting in sometimes 5 to 10 (or more) distinct apps being signed with the same Enterprise Certificate.” We found Sungate and Mohajer Certificates were farmed out for use by multiple apps in this way.
“In my experience, Enterprise Certificate signed apps available on independent websites have not been harmful to users in a malicious sense, only in the sense that they have broken the rules” Strafach notes. “Enterprise Certificate signed apps from these Chinese ‘helper’ tools, however, have been a mixed bag. Zoe example, in multiple cases, we have noticed such apps with additional tracking and adware code injected into the original now-repackaged app being offered.”
Apple, for its part, has reportedly disabled a variety of the apps so far. That is good news in itself, but one has to hope that the company is taking a closer look at how this is possible in the first place, and why it’s so easy to take advantage of the program itself. Changes obviously need to be implemented, and soon.[via TechCrunch]