Apple's Enterprise Program Has Been Abused By Pirates To Share Hacked iOS Apps
Where there is a will, there is a way, and that is proven time again when it comes to pirated software. In earlier days, that entailed cracking copyright protections on an assortment of programs—games, productivity tools, and so forth. That still exists, of course, but nowadays some of the focus has shifted to mobile. Case in point, software pirates have found a way to dole out hacked versions of popular apps to iPhone devices.
Apple has mechanisms in place to prevent this sort of thing, but several software distributors are using digital certificates to push hacked apps through Apple's Enterprise Developer program.
Those distributors include AppValley, Panda Helper, TutuApp, and TweakBox, according to Reuters, and they are pushing modified versions of Angry Birds, Minecraft, Pokemon Go, Spotify, and other popular apps. Why bother? The modified apps allow users to stream music without adds and alter the rules in games, among other things. In the case of paid apps, they also bypass fees.
In case anyone is wondering, the answer is yes, this most definitely runs afoul of Apple's rules for its developer program. Apple only allows apps to be distributed to the general public through its App Store, and pushing out hacked versions is against Apple's terms of service.
“Developers that abuse our enterprise certificates are in violation of the Apple Developer Enterprise Program Agreement and will have their certificates terminated, and if appropriate, they will be removed from our Developer Program completely," an Apple spokesperson said. "We are continuously evaluating the cases of misuse and are prepared to take immediate action."
Unfortunately for Apple, some of these app distributors are both determined and persistent. Even after banning some offending app distributors, they were right back at it under a different name using different certificates.
One thing that could help put a stop to this—or at least throw a major wrench into the operation—is an upcoming requirement that developer accounts use two-factor authentication. That requirement is supposed to go into effect later this month.
Still, we have our doubts it will stop completely. These distributors have a financial interest in continuing their exploits. Some of them charge annual fees, and in return subscribers can download paid apps for free. So, there is a lot of money (and motivation) to keep these illicit operations going.