Apple Enterprise Certificates leveraged to distribute hacked versions of popular apps

As detailed by Reuters, app distributors like TutuApp, Panda Helper, AppValley and TweakBox are abusing developer certificates to disseminate modified, and therefore illicit, versions of legitimate apps for profit.

Depending on the app, users are able to stream music without paying subscription fees, block advertisements and bypass in-app purchases, the report said. The practice not only cheats app makers out of revenue, but also hurts Apple's bottom line as the company takes a 15 percent to 30 percent cut of all App Store purchases.

Examples of so-called hacked apps include TutuApp's Minecraft, which sells for $6.99 on the App Store, while AppValley offers a version of Spotify that lets users listen to the service's free tier without commercial interruptions. The number of altered apps in circulation is unknown, and Apple is unable to track dissemination in real time.

Like the recent kerfuffle involving data gathering apps from Facebook and Google, Apple's Enterprise Certificate program is at the crux of the issue.

The Developer Enterprise Program was designed to give companies an easy method of distributing software among employees without first passing through strict App Store oversight. Developer certificates are often used to issue working betas, internal personnel management apps and other software not developed for public consumption.

Distributors like TutuApp and AppValley are violating Apple's terms of use by leveraging developer certificates to offer the modified app versions to iOS users.

Reuters contacted Apple about the issue last week, and the company subsequently killed a number of apps mentioned in the report by pulling the developer certificates that were used for their distribution. Within days, however, the same apps were back up for download under newly obtained certificates. Exactly how the illicit distributors are able to gain access to developer certificates is unknown, though some were found to have impersonated an unnamed subsidiary of China Mobile.

The Enterprise Developer Program has been a topic of hot discussion over the past month as consecutive investigations from TechCrunch revealed both Facebook and Google were using the certificates to run data gathering operations. In both cases, enterprise privileges were employed to sideload user-monitoring VPN apps on the iPhones of volunteers. In exchange for their participation, users were compensated with money and gift cards.

Apple revoked Facebook's certificate a day the report went live, later pulling Google's certificate as well. Privileges were restored in both cases.

More recently, a report on Tuesday detailed a number of pornography and gambling apps that used enterprise certificates as a workaround to App Store scrutiny. At the time, Apple said it is monitoring the situation and will take action when necessary. An identical statement was issued to Reuters on Wednesday.

"Developers that abuse our enterprise certificates are in violation of the Apple Developer Enterprise Program Agreement and will have their certificates terminated, and if appropriate, they will be removed from our Developer Program completely. We are continuously evaluating the cases of misuse and are prepared to take immediate action."