Slashdot Mirror


Software Pirates Use Apple Tech To Put Hacked Apps on iPhones (reuters.com)

Pirates used Apple's enterprise developer certificates to put out hacked versions of some major apps, a report said Thursday. From the report: Illicit software distributors such as TutuApp, Panda Helper, AppValley and TweakBox have found ways to use digital certificates to get access to a program Apple introduced to let corporations distribute business apps to their employees without going through Apple's tightly controlled App Store. Using so-called enterprise developer certificates, these pirate operations are providing modified versions of popular apps to consumers, enabling them to stream music without ads and to circumvent fees and rules in games, depriving Apple and legitimate app makers of revenue. By doing so, the pirate app distributors are violating the rules of Apple's developer programs, which only allow apps to be distributed to the general public through the App Store. Downloading modified versions violates the terms of service of almost all major apps.

23 of 38 comments

  1. This gem... by JD-1027 · · Score: 5, Funny

    > By doing so, the pirate app distributors are violating the rules of Apple's developer programs

    Someone should probably let the pirates know. I'm sure they'd like to comply.

  2. A reckoning is coming by Anubis+IV · · Score: 1

    This is the same thing that Facebook and Google were recently caught doing, except for even more illicit purposes. Apple hasn't been policing this space at all up to this point, since they've intentionally been hands-off with how enterprises choose to use their own certificates, so long as the enterprises keep their certificates to themselves. Now that it's clear that hasn't been happening, I suspect changes may be coming in the next year or two to how enterprise certificates operate.

    1. Re: A reckoning is coming by PhYrE2k2 · · Score: 2

      That is how you register an enterprise device. By installing the certificate in it. That enables trusting of apps, configuration profiles, and VPN connections.

      --

      when you see the word 'Linux', drink!
    2. Re:A reckoning is coming by DontBeAMoran · · Score: 1

      Proper security is usually painful.

      --
      #DeleteFacebook
    3. Re: A reckoning is coming by DontBeAMoran · · Score: 1

      That's only one direction of security. The certificates allow the devices to run the software from the enterprise. But it does not protect the software from in-house leaks or abuse such as in these cases.

      --
      #DeleteFacebook
    4. Re: A reckoning is coming by guruevi · · Score: 1

      What you're proposing is a DRM scheme; none of them really work because you always need access to the code that is executing on your machine.

      In these cases, the user is basically circumventing the App Store completely, so there is nothing Apple can do to stop distributing these applications, and the user that installs them is thoroughly warned that these enterprise connections allow the creator to pretty much push any configuration they want, whether it's rerouting all the traffic through a VPN or bricking the phone.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
  3. Oh my goodness! by silverkniveshotmail. · · Score: 2

    Hackers are modifying software and allowing it into the hands of other users? This changes everything.

    1. Re: Oh my goodness! by cyber-vandal · · Score: 1

      Yes mate, the privately-owned App Store is a perfect example of Marxism.

  4. Not to be a pedant by SlaveToTheGrind · · Score: 1

    but did the users actually agree to the terms of service of the original app when they installed a modified version?

    1. Re:Not to be a pedant by Falos · · Score: 1

      >did the doublebad villains actually agree*
      ftfy

      They are "depriving companies of revenue" and that's the definition of treason in my country.

  5. As usual... by DontBeAMoran · · Score: 2

    The weakest link in hardware/software security is people.

    To summarize: people are a problem. - Douglas Adams (short version of the original to better fit the topic)

    --
    #DeleteFacebook
  6. Get me a way to suppress YouTube ads on Android by bogaboga · · Score: 1

    > enabling them to stream music without ads and to circumvent fees and rules in games, depriving Apple and legitimate app makers of revenue.

    Imagine, you're listening to something really interesting, which captures your entire mind, when an ad strikes...bam...!!!

    Not good.

    I would be most grateful if there was a way to cheaply stem these YouTube ads.

    Google's fees in order to avoid them are insane. It just costs too much.

    1. Re:Get me a way to suppress YouTube ads on Android by Solandri · · Score: 1

      Just browse YouTube in Firefox in private mode. It has a built-in ad blocker. There's probably a way to enable the ad-blocker in regular browsing mode, but I usually browse in private mode all the time for the extra anonymity so haven't looked for it.

  7. EULAs by GrahamJ · · Score: 1

    The great thing about EULAs is that it's not illegal to break them. It's understandable that Apple doesn't want you to do these things, but we're free to do what we want with our purchased hardware from a legal standpoint.

  8. Why doesn't Apple revoke the certificates? by nuckfuts · · Score: 1

    Why doesn't Apple revoke the certificates and then provide new ones to the legitimate enterprises? Isn't that the reason Certificate Revocation Lists were invented - to stop the use of compromised certificates?

    1. Re:Why doesn't Apple revoke the certificates? by guruevi · · Score: 1

      They do.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    2. Re:Why doesn't Apple revoke the certificates? by nuckfuts · · Score: 1

      Are you sure? If the certificates have been revoked, why would an iPhone allow the app to be installed?

    3. Re:Why doesn't Apple revoke the certificates? by guruevi · · Score: 2

      Because these things happen before Apple finds out and revokes the certificate. Apple has no involvement with Enterprise apps; they don't distribute them. Until someone complains, they don't know. These "companies" also buy massive numbers of certificates under various names, not just one; when one gets revoked, they just buy and/or use another one.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
  9. Or maybe it's a sign? by Solandri · · Score: 1

    That people want to run stuff on their iPhones without having to get Apple's approval for it first?

    I'll repeat. I think Google has the best model here. They run the Play Store for apps, and control what is/isn't allowed in that store. But if a user wants to run stuff installed outside the Play Store, they just need to change a single setting on their phone (which pops up a warning about what you are doing), and it'll allow them to install apps from other sources. It's up to the user to decide which apps they can/can't run.

    Apple's model of forcing everyone to comply with their wishes is essentially a dictatorship. They decide what users can/can't do.

    1. Re:Or maybe it's a sign? by divide+overflow · · Score: 1

      > Apple's model of forcing everyone to comply with their wishes is essentially a dictatorship. They decide what users can/can't do.

      Dictatorships don't give you the choice of leaving the dictatorship. You can always pony up the cash and buy an Android phone and its crappy security.

    2. Re:Or maybe it's a sign? by tlhIngan · · Score: 1

      > That people want to run stuff on their iPhones without having to get Apple's approval for it first?

      Which, since iOS 8, you could, and even run a rich assortment of free (Open and Free) software that Apple has never allowed. Emulators are especially popular, and I think there's a front end to pick, choose and install those apps.

    3. Re:Or maybe it's a sign? by DeVilla · · Score: 1

      I would concede that Google has a better model than Apple here. Far better is possible and has been implemented in other systems.

      Two things I would like to see added to Android:
      - I trust this app that I am explicitly loading / updating.
      - I trust apps from these specific stores (list which may or may not include Google's store)

      In other words, I don't want to have to cripple all security just to use fdroid with or instead of the play store.

  10. Who cares? by b0s0z0ku · · Score: 1

    I'd count it as a good thing that there are some cracks in the Walls of the Garden...