
Apple Enterprise Certificates leveraged to distribute hacked versions of popular apps

A report Wednesday added to escalating controversy regarding Apple's Enterprise Certificate program, saying the tool is being used to distribute hacked versions of popular apps, effectively sidestepping stringent App Store guidelines.

As detailed by Reuters, app distributors like TutuApp, Panda Helper, AppValley and TweakBox are abusing developer certificates to disseminate modified, and therefore illicit, versions of legitimate apps for profit.

Depending on the app, users are able to stream music without paying subscription fees, block advertisements and bypass in-app purchases, the report said. The practice not only cheats app makers out of revenue, but also hurts Apple's bottom line as the company takes a 15 percent to 30 percent cut of all App Store purchases.

Examples of so-called hacked apps include TutuApp's Minecraft, which sells for $6.99 on the App Store, while AppValley offers a version of Spotify that lets users listen to the service's free tier without commercial interruptions. The number of altered apps in circulation is unknown, and Apple is unable to track dissemination in real time.

Like the recent kerfuffle involving data gathering apps from Facebook and Google, Apple's Enterprise Certificate program is at the crux of the issue.

The Developer Enterprise Program was designed to give companies an easy method of distributing software among employees without first passing through strict App Store oversight. Developer certificates are often used to issue working betas, internal personnel management apps and other software not developed for public consumption.

Distributors like TutuApp and AppValley are violating Apple's terms of use by leveraging developer certificates to offer the modified app versions to iOS users.

Reuters contacted Apple about the issue last week, and the company subsequently killed a number of apps mentioned in the report by pulling the developer certificates that were used for their distribution. Within days, however, the same apps were back up for download under newly obtained certificates. Exactly how the illicit distributors are able to gain access to developer certificates is unknown, though some were found to have impersonated an unnamed subsidiary of China Mobile.

The Enterprise Developer Program has been a topic of hot discussion over the past month as consecutive investigations from TechCrunch revealed both Facebook and Google were using the certificates to run data gathering operations. In both cases, enterprise privileges were employed to sideload user-monitoring VPN apps on the iPhones of volunteers. In exchange for their participation, users were compensated with money and gift cards.

Apple revoked Facebook's certificate a day after the report went live, later pulling Google's certificate as well. Privileges were restored in both cases.

More recently, a report on Tuesday detailed a number of pornography and gambling apps that used enterprise certificates as a workaround to App Store scrutiny. At the time, Apple said it is monitoring the situation and will take action when necessary. An identical statement was issued to Reuters on Wednesday.

"Developers that abuse our enterprise certificates are in violation of the Apple Developer Enterprise Program Agreement and will have their certificates terminated, and if appropriate, they will be removed from our Developer Program completely. We are continuously evaluating the cases of misuse and are prepared to take immediate action."



9 Comments

anonconformist 9 Years · 200 comments

Note to self: determine if there’s a way to detect if your certificate is the one being used, and make the iOS application mangle data randomly if not!

mac_dog 16 Years · 1084 comments

No more consequences for bad behavior anywhere, it seems. 

Apple should suspend their licenses for 5 years if their certificate rules are violated.

As it is, they only get a slap on the wrist and everything is back to normal. 

davgreg 9 Years · 1050 comments

No pun intended, who is minding the store, Mr Cook?

First things first, and security should be at the top of the list. 

indieshack 9 Years · 336 comments

davgreg said:
No pun intended, who is minding the store, Mr Cook?

First things first, and security should be at the top of the list. 

It's relatively easy to abuse, that's why Apple puts some effort (it's not exhaustive) to verify the company. It used to be even easier to abuse - until a couple of years ago, Enterprise-signed apps would simply work when installed, now you need to delve into settings to approve them. Some people will find a way to abuse trust.

larryjw 9 Years · 1036 comments

Corruption is the modus operandi of American companies.