Software pirates exploit feature in Apple’s App Store to upload fake versions of popular apps like Spotify and Minecraft to iPhones
- Shady services like TutuApp and Panda Helper are taking advantage of Apple’s enterprise certificates to distribute hacked versions of popular mobile apps
- Services have fake copies of iPhone apps like Spotify, Angry Birds and Minecraft
- The pirates are exploiting the same system taken advantage of by Facebook and Google, which were found to be distributing shady ‘research apps’ to users
Software pirates have hijacked technology designed by Apple to distribute hacked versions of Spotify, Angry Birds, Pokemon Go, Minecraft and other popular apps on iPhones, Reuters has found.
Illicit software distributors such as TutuApp, Panda Helper, AppValley and TweakBox have found ways to use digital certificates to get access to a program Apple introduced to let corporations distribute business apps to their employees without going through Apple’s tightly controlled App Store.
Using so-called enterprise developer certificates, these pirate operations are providing modified versions of popular apps to consumers.
Scroll down for video
Software pirates have hijacked technology designed by Apple to distribute hacked versions of Spotify, Angry Birds, Pokemon Go, Minecraft and other popular apps on iPhones
WHAT IS APPLE’S ENTERPRISE CERTIFICATE SYSTEM?
Apple’s enterprise certificate allows companies to test iPhone apps without going through the company’s typical app review process.
Often, companies use Apple’s Developer Enterprise Program to distribute apps internally before making them available to the public.
Developers will use it to test beta versions of apps, as well as host employee management apps.
The enterprise certificate system recently came to light when a report discovered Facebook and Google were taking advantage of it to distribute shady ‘research’ apps that paid teens to track their smartphone usage.
Apple has been gradually cracking down on abuse of its enterprise certificates.
This enables them to stream music without ads and to circumvent fees and rules in games, depriving Apple and legitimate app makers of revenue.
By doing so, the pirate app distributors are violating the rules of Apple’s developer programs, which only allow apps to be distributed to the general public through the App Store.
Downloading modified versions violates the terms of service of almost all major apps.
TutuApp, Panda Helper, AppValley and TweakBox did not respond to multiple requests for comment.
Apple has no way of tracking the real-time distribution of these certificates, or the spread of improperly modified apps on its phones, but it can cancel the certificates if it finds misuse.
‘Developers that abuse our enterprise certificates are in violation of the Apple Developer Enterprise Program Agreement and will have their certificates terminated, and if appropriate, they will be removed from our Developer Program completely,’ an Apple spokesperson told Reuters.
‘We are continuously evaluating the cases of misuse and are prepared to take immediate action.’
-
Teenagers expect to earn £70,000-a-year by age of 30 with…
Expensive sneakers DO make you a better runner! Top-of-the…
Older brothers really ARE the biggest bullies: Study of…
Facebook’s first president Sean Parker lashes out at tech…
Share this article
After Reuters initially contacted Apple for comment last week, some of the pirates were banned from the system, but within days they were using different certificates and were operational again.
‘There´s nothing stopping these companies from doing this again from another team, another developer account,’ said Amine Hambaba, head of security at software firm Shape Security.
Illicit software distributors such as TutuApp, Panda Helper, AppValley and TweakBox have found ways to exploit Apple’s enterprise certificate program to host fake versions of apps
Panda Helper, another software pirating service, offers hacked versions of Spotify, Snapchat, WhatsApp, Instagram and other popular iPhone apps, violating Apple’s App Store rules
Apple confirmed a media report on Wednesday that it would require two-factor authentication – using a code sent to a phone as well as a password – to log into all developer accounts by the end of this month, which could help prevent certificate misuse.
Major app makers Spotify Technology, Rovio and Niantic have begun to fight back.
Spotify declined to comment on the matter of modified apps, but the streaming music provider did say earlier this month that its new terms of service would crack down on users who are ‘creating or distributing tools designed to block advertisements’ on its service.
Rovio, the maker of Angry Birds mobile games, said it actively works with partners to address infringement ‘for the benefit of both our player community and Rovio as a business.’
Niantic, which makes Pokemon Go, said players who use pirated apps that enable cheating on its game are regularly banned for violating its terms of service.
Microsoft, which owns the creative building game Minecraft, declined to comment.
It is unclear how much revenue the pirate distributors are siphoning away from Apple and legitimate app makers.
TutuApp offers a free version of Minecraft, which costs $6.99 in Apple’s App Store.
WHY DID FACEBOOK’S RESEARCH APP GET BANNED BY APPLE?
Facebook has been forced to kill off a controversial app after it admitted to paying young people to install the ‘social media research’ app which monitors their web activity, according to reports.
The social media giant, which has been harangued for privacy breaches in recent months, recruited people aged from 13-35 to download the app on their devices.
Apple decided to ban the app, formerly known as Onavo VPN, from the app store because it violated its data collection policies.
But according to an investigation by TechCrunch, Facebook has sidestepped the App Store and paying users up to $20 a month, plus referral fees.
Facebook has admitted to paying young people to install a ‘social media research’ app which monitors their web activity, according to reports. Apple banned the app, formerly known as Onavo VPN, from the app store because it violated its data collection policies
Facebook later told TechCrunch it would shut down the iOS version of its Research app in the wake of the report – but that the Android version will continue.
An Apple spokesperson told TechCrunch: ‘We designed our Enterprise Developer Program solely for the internal distribution of apps within an organization,’ said a spokesperson.
‘Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple.
‘Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.’
App Store rules stipulate that apps ‘should not collect information about which other apps are installed on a user’s device,’ according to Guardian Mobile Firewall’s security expert Will Strafach.
AppValley offers a version of Spotify’s free streaming music service with the advertisements stripped away.
The distributors make money by charging $13 or more per year for subscriptions to what they calls ‘VIP’ versions of their services, which they say are more stable than the free versions.
It is impossible to know how many users buy such subscriptions, but the pirate distributors combined have more than 600,000 followers on Twitter.
Security researchers have long warned about the misuse of enterprise developer certificates, which act as digital keys that tell an iPhone a piece of software downloaded from the internet can be trusted and opened.
They are the centerpiece of Apple’s program for corporate apps and enable consumers to install apps onto iPhones without Apple’s knowledge.
Apple last month briefly banned Facebook and Google from using enterprise certificates after they used them to distribute data-gathering apps to consumers.
The distributors of pirated apps seen by Reuters are using certificates obtained in the name of legitimate businesses, although it is unclear how.
Several pirates have impersonated a subsidiary of China Mobile Ltd. China Mobile did not respond to requests for comment.
Tech news website TechCrunch earlier this week reported that certificate abuse also enabled the distribution of apps for pornography and gambling, both of which are banned from the App Store.
Since the App Store debuted in 2008, Apple has sought to portray the iPhone as safer than rival Android devices because Apple reviews and approves all apps distributed to the devices.
Early on, hackers ‘jailbroke’ iPhones by modifying their software to evade Apple’s controls, but that process voided the iPhone’s warranty and scared off many casual users.
The misuse of the enterprise certificates seen by Reuters does not rely on jailbreaking and can be used on unmodified iPhones.
Source: Read Full Article