Network-assessment

Bad news for iPhone users! Apple technology has been hijacked by software pirates and used to put hacked apps on iPhones.

Reuters reports that software pirates, using hijacked Apple technology, have distributed hackers’ versions of some popular apps, including Spotify, Angry Birds, Pokemon Go and Minecraft.

As per the report from Reuters, illicit software distributors like Panda Helper, TutuApp, TweakBox, AppValley etc have now devised ways to use digital certificates to gain access to an Apple program which lets corporations distribute apps to their employees bypassing Apple’s App Store.

The Reuters report explains, “Using so-called enterprise developer certificates, these pirate operations are providing modified versions of popular apps to consumers, enabling them to stream music without ads and to circumvent fees and rules in games, depriving Apple and legitimate app makers of revenue.”

“By doing so, the pirate app distributors are violating the rules of Apple’s developer programs, which only allow apps to be distributed to the general public through the App Store. Downloading modified versions violates the terms of service of almost all major apps,” adds the report.

Though Apple cannot track the distribution of these certificates or the spread of these hacked apps, it can terminate certificates upon detecting misuse as it would be a violation of the Apple Developer Enterprise Program Agreement. Still, this doesn’t solve the issue. Apple had banned some of the software pirates from its system after it was contacted by Reuters for comment, but the pirates soon bounced back using different certificates. The issue is that the software pirates can go on playing mischief using different developer accounts. However, Apple has decided to combat this by introducing two-factor authentication for developer log-in; this would come into effect by the end of the month. Thus, developers would then have to use a code that will be sent to their phones, in addition to their password, to log in. This would help prevent misuse of certificates for such malicious purposes.

Reuters had tried to get comments from TutuApp, Panda Helper, AppValley and TweakBox, but they didn’t respond to the requests. However, some of the app makers who were impacted by such incidents have started fighting back, according to Reuters.

“Major app makers Spotify Technology SA, Rovio Entertainment Oyj and Niantic Inc have begun to fight back,” says the Reuters report. It adds, “Spotify declined to comment on the matter of modified apps, but the streaming music provider did say earlier this month that its new terms of service would crack down on users who are “creating or distributing tools designed to block advertisements” on its service.”

The report also says that Rovio (maker of Angry Birds mobile games) actively works with partners to address infringement, and Niantic (maker of Pokemon Go) bans players using pirated apps for violating its terms of service.

The misuse of enterprise developer certificates has already been an issue faced by Apple, which has always tried to portray the iPhone as much safer than Android phones, especially since all apps that are distributed to iPhones need to be reviewed and approved by Apple. The misuse of enterprise developer certificates, however, is causing a big headache to Apple on this count.

The Reuters report points out- “Security researchers have long warned about the misuse of enterprise developer certificates, which act as digital keys that tell an iPhone a piece of software downloaded from the internet can be trusted and opened. They are the centerpiece of Apple’s program for corporate apps and enable consumers to install apps onto iPhones without Apple’s knowledge.”

“The distributors of pirated apps seen by Reuters are using certificates obtained in the name of legitimate businesses, although it is unclear how. Several pirates have impersonated a subsidiary of China Mobile Ltd. China Mobile did not respond to requests for comment”, adds the report.

A rather shocking thing is that software pirates have now started using certificate abuse to distribute pornography and gambling-related apps too. (Such apps are banned from Apple’s App Store).

It’s also to be noted that the software pirates who are misusing enterprise developer certificates don’t have to rely on jailbreaking and hence they can play mischief on unmodified iPhones. Well, the two-factor authentication that would become mandatory for developer log-in must put an end to this menace and protect iPhone users from such software pirates.

Post a comment