Apple‘s tightly controlled App Store has seen hackers exploit developer certificates to distribute hacked versions of some iOS apps. These software pirates abused Apple developer certificates to slip hacked apps onto the Apple App Store.
A Reuters investigation showed a number of illicit distributors using digital certificates to share the hacked apps. Apps including Spotify, Angry Birds, Pokemon Go, and Minecraft were included in the mix of applications with hacked versions. Reuters named distributors like Panda Helper, TutuApp, and AppValley as being behind the rogue software. These distributors are doing this by using enterprise certificates designed to distribute business apps to employees without going through the App Store.
Distributors like TutuApp make money by charging subscription fees to use their services. They do this outside of the iOS framework, circumventing Apple’s security and terms of service. Apple cannot track the real-time distribution of enterprise certificates, nor can it determine how widespread these apps are. The company is able to cancel any certificates if it finds they’re being misused. Niantic, the developer of Pokemon Go, regularly bans users who cheat in the online-connected game.
By using these enterprise developer certificates, pirates are able to provide modified versions of consumer apps to iOS users. Modifications include circumventing fees, streaming music without ads, and playing full versions of games without paying. These distributors can purchase the enterprise Apple certificates for $299 according to TechCrunch.
TechCrunch also reported that this Apple developer certificate loophole is being used to distribute porn and gambling apps on iOS devices. Pornography and gambling apps are banned from the App Store, as Apple tries to portray a “safer” image than rivals. TechCrunch was able to download a number of illicit apps over the past week, each using the same enterprise certificate loophole.
Apple is currently investigating ways to close the loophole and prevent illegal or illicit apps from entering the iOS ecosystem. On Wednesday, the company said it would begin to require two-factor authentication to log use Apple developer certificates by the end of February.