Slashdot Mirror


Software Pirates Use Apple Tech To Put Hacked Apps on iPhones (reuters.com)

Pirates used Apple's enterprise developer certificates to put out hacked versions of some major apps, a report said Thursday. From the report: Illicit software distributors such as TutuApp, Panda Helper, AppValley and TweakBox have found ways to use digital certificates to get access to a program Apple introduced to let corporations distribute business apps to their employees without going through Apple's tightly controlled App Store. Using so-called enterprise developer certificates, these pirate operations are providing modified versions of popular apps to consumers, enabling them to stream music without ads and to circumvent fees and rules in games, depriving Apple and legitimate app makers of revenue. By doing so, the pirate app distributors are violating the rules of Apple's developer programs, which only allow apps to be distributed to the general public through the App Store. Downloading modified versions violates the terms of service of almost all major apps.

38 comments

  1. This gem... by JD-1027 · · Score: 5, Funny

    By doing so, the pirate app distributors are violating the rules of Apple's developer programs

    Someone should probably let the pirates know. I'm sure they'd like to comply.

    1. Re: This gem... by Anonymous Coward · · Score: 0

      True, they had no way to know... poor things

    2. Re: This gem... by Anonymous Coward · · Score: 0

      Not their fault they are in a story where a digital certificate is called "Apple tech". I bet they also didn't know they are stealing technology from fruit baskets!!

  2. A reckoning is coming by Anubis+IV · · Score: 1

    This is the same thing that Facebook and Google were recently caught doing, except for even more illicit purposes. Apple hasn't been policing this space at all up to this point, since they've intentionally been hands-off with how enterprises choose to use their own certificates, so long as the enterprises keep their certificates to themselves. Now that it's clear that hasn't been happening, I suspect changes may be coming in the next year or two to how enterprise certificates operate.

    1. Re:A reckoning is coming by DontBeAMoran · · Score: 0

      Maybe only allow certificates to be used on devices registered with the enterprises themselves?

      --
      #DeleteFacebook
    2. Re: A reckoning is coming by PhYrE2k2 · · Score: 2

      That is how you register an enterprise device. By installing the certificate in it. That enables trusting of apps, configuration profiles, and VPN connections.

      --

      when you see the word 'Linux', drink!
    3. Re:A reckoning is coming by Anonymous Coward · · Score: 0

      That would be painful for companies who wish to distribute in-house apps to their franchisees.

    4. Re:A reckoning is coming by Anonymous Coward · · Score: 0

      I find it iPossible to believe they're not aware of these app stores / signing services. All they'd have to do is ID the cert they're using and revoke it, same as they did for Google and FB. They're not going to revamp the whole program overnight for a couple shady services with a few hundred users.

    5. Re:A reckoning is coming by DontBeAMoran · · Score: 1

      Proper security is usually painful.

      --
      #DeleteFacebook
    6. Re: A reckoning is coming by DontBeAMoran · · Score: 1

      That's only one direction of security. The certificates allow the devices to run the software from the enterprise. But it does not protect the software from in-house leaks or abuse such as in these cases.

      --
      #DeleteFacebook
    7. Re: A reckoning is coming by guruevi · · Score: 1

      What you're proposing is a DRM scheme, none of them really work because you always need access to the code that is executing on your machine.

      In these cases, the user is basically circumventing the app store completely, so there is nothing Apple can do to stop distributing these applications, and the user that installs them is thoroughly warned that these enterprise connections allow the creator to pretty much push any configuration they want, whether it's rerouting all the traffic through a VPN or bricking the phone.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
  3. Oh my goodness! by silverkniveshotmail. · · Score: 2

    Hackers are modifying software and allowing it into the hands of other users? This changes everything.

    1. Re:Oh my goodness! by Anonymous Coward · · Score: 0

      Just goes to show how powerful propaganda and socialism are to what you think is OK and not OK. This will probably be considered as bad as smoking pot (that is, lots of people will do it, but no one will want to admit it) in the not so distant future. Software is not meant to be modified will be the refrain. It's unethical, they'll say on the TV. And people will just believe that.

    2. Re: Oh my goodness! by cyber-vandal · · Score: 1

      Yes mate the privately-owned App Store is a perfect example of Marxism

  4. Not to be a pedant by SlaveToTheGrind · · Score: 1

    but did the users actually agree to the terms of service of the original app when they installed a modified version?

    1. Re:Not to be a pedant by Falos · · Score: 1

      >did the doublebad villains actually agree*
      ftfy

      They are "depriving companies of revenue" and that's the definition of treason in my country.

  5. As usual... by DontBeAMoran · · Score: 2

    The weakest link in hardware/software security is people.

    To summarize: people are a problem. - Douglas Adams (short version of the original to better fit the topic)

    --
    #DeleteFacebook
  6. I'm fairly sure this breaks their hearts by Opportunist · · Score: 0

    ...depriving Apple and legitimate app makers of revenue. By doing so, the pirate app distributors are violating the rules of Apple's developer programs, which only allow apps to be distributed to the general public through the App Store. Downloading modified versions violates the terms of service of almost all major apps.

    Here's an iPhone. Call someone who gives a shit.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  7. Get me a way to suppress YouTube ads on Android by bogaboga · · Score: 1

    enabling them to stream music without ads and to circumvent fees and rules in games, depriving Apple and legitimate app makers of revenue.

    Imagine, you're listening to something really interesting, which captures your entire mind, when an ad strikes...bam...!!!

    Not good.

    I would be most grateful if there was a way to cheaply stem these YouTube ads.

    Google's fees in order to avoid them are insane. It just costs too much.

    1. Re: Get me a way to suppress YouTube ads on Android by Anonymous Coward · · Score: 0

      The ad in the middle of a stream is up to the content provider, not YouTube.

    2. Re:Get me a way to suppress YouTube ads on Android by Solandri · · Score: 1

      Just browse YouTube in Firefox in private mode. It has a built-in ad blocker. There's probably a way to enable the ad-blocker in regular browsing mode, but I usually browse in private mode all the time for the extra anonymity so haven't looked for it.

  8. EULAs by GrahamJ · · Score: 1

    The great thing about EULAs is that it's not illegal to break them. It's understandable that Apple doesn't want you to do these things, but we're free to do what we want with our purchased hardware from a legal standpoint.

    1. Re:EULAs by Anonymous Coward · · Score: 0

      For now that is. It used to not be illegal to run a cheat program, but doing a memory trainer on a local game can earn you a visit from the Feds for CFAA violations, or using someone else's saved game can get you banned for life.

      I'm just waiting for Apple to be in code that gets the phone provider to brick and blacklist the phone, from the cell modem side (the side that is isolated from the ARM computer), ensuring that attempted jailbreaks result in fried phones. Then, a law ensuring jailbreaking is illegal.

      Huawei really would love this law as well, as they have been cracking down on unlocked bootloaders. However, they are a Chinese company and have nothing to hide by obfuscating their stuff.

  9. Why doesn't Apple revoke the certificates? by nuckfuts · · Score: 1

    Why doesn't Apple revoke the certificates and then provide new ones to the legitimate enterprises? Isn't that the reason Certificate Revocation Lists were invented - to stop the use of compromised certificates?

    1. Re:Why doesn't Apple revoke the certificates? by guruevi · · Score: 1

      They do.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    2. Re:Why doesn't Apple revoke the certificates? by nuckfuts · · Score: 1

      Are you sure? If the certificates have been revoked, why would an iPhone allow the app to be installed?

    3. Re:Why doesn't Apple revoke the certificates? by guruevi · · Score: 2

      Because these things happen before Apple finds out and revokes the certificate. Apple has no involvement with Enterprise apps; they don't distribute them. Until someone complains, they don't know. These "companies" also buy massive numbers of certificates under various names, not just one; when one gets revoked, they just buy and/or use another one.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
  10. YouTube has ads? by Anonymous Coward · · Score: 0

    My hosts.txt-based ad blocker (AdAway) worked fine, before I moved it to my ARM home server that’s also its own independent DNS. (With my own CA and "cloud", faking Google's and Mozilla's services, among others.)

    This is /., so it should be doable for you too.

  11. Mmmmmmmmmm. . . by Anonymous Coward · · Score: 0

    Panda Helper

  12. Or maybe it's a sign? by Solandri · · Score: 1

    That people want to run stuff on their iPhones without having to get Apple's approval for it first?

    I'll repeat. I think Google has the best model here. They run the Play Store for apps, and control what is/isn't allowed in that store. But if a user wants to run stuff installed outside the Play Store, they just need to change a single setting on their phone (which pops up a warning about what you are doing), and it'll allow them to install apps from other sources. It's up to the user to decide which apps they can/can't run.

    Apple's model of forcing everyone to comply with their wishes is essentially a dictatorship. They decide what users can/can't do.

    1. Re:Or maybe it's a sign? by Anonymous Coward · · Score: 0

      You got to install Antivirus because of that on Android, whereas in iOS you don't need to. I prefer the latter.

    2. Re:Or maybe it's a sign? by divide+overflow · · Score: 1

      Apple's model of forcing everyone to comply with their wishes is essentially a dictatorship. They decide what users can/can't do.

      Dictatorships don't give you the choice of leaving the dictatorship. You can always pony up the cash and buy an Android phone and its crappy security.

    3. Re:Or maybe it's a sign? by tlhIngan · · Score: 1

      That people want to run stuff on their iPhones without having to get Apple's approval for it first?

      Which since iOS 8 you could and even run a rich assortment of free (Open and Free) software that Apple has never allowed. Emulators are especially popular and I think there's a front end to pick choose and install those apps and install them.

    4. Re:Or maybe it's a sign? by DeVilla · · Score: 1

      I would concede that Google has a better model than Apple here. Far better is possible and has been implemented in other systems.

      Two things I would like to see added to Android:
      - I trust this app that I am explicitly loading / updating.
      - I trust apps from these specific stores (list which may or may not include Google's store)

      In other words, I don't want to have to cripple all security just to use fdroid with or instead of the play store.

  13. Who cares? by b0s0z0ku · · Score: 1

    I'd count it as a good thing that there are some cracks in the Walls of the Garden...

  14. computing by Anonymous Coward · · Score: 0

    computin dmu final exam by tilay

    1. Re:computing by Anonymous Coward · · Score: 0

      computin dmu final exam by tilay

      hack