STE WILLIAMS

Apple’s easily abused Enterprise Certificate program isn’t just letting snoopy Facebook and Google apps slide into its App Store, it turns out: It’s also being exploited by, at the very least, a dozen hardcore porn apps and a dozen gambling apps.

Last week, Facebook’s Research app – that paid people, including teens, to install a Virtual Private Network (VPN) app that planted a root certificate on their phones and thereby got nearly limitless access to their devices – got booted out of Apple’s App Store. The Research app had managed to crawl into the App Store via Apple’s Enterprise Certificate program: a certificate granted with the understanding that installation of root certificates must only be used for “specific business purposes” and “only for use by your employees” …not by consumers whose data Facebook was sucking up.

Within hours, Google found itself apologizing for doing something similar.

Now, it’s apparent how easy it is to use that enterprise certificate to sneak apps past the content policies that Apple tries to enforce to keep the App Store wholesome – as in, stocked with well-behaved apps that don’t gobble up data and content that’s not pushing “explicit descriptions or displays of sexual organs or activities intended to stimulate erotic rather than aesthetic or emotional feelings.”

According to Tech Crunch, the developers behind the gambling and porn apps have either passed what it calls Apple’s “weak” Enterprise Certificate screening process or piggybacked onto a legitimate approval.

Apple was swift to react when Tech Crunch broke the news about Facebook’s and Google’s “clear breach” of its certificate policies. After briefly revoking the companies’ certificates (for all apps, including those that were, per Apple’s policy, used by employees), Apple has over the past few days gone on a bit of an app-disabling spree. Thus have some of the dozens of porn and gambling apps that Tech Crunch initially found in the App Store gone bye-bye.

As of Tuesday, still-functioning porn apps included Swag, PPAV, Banana Video, iPorn (iP), Pear, Poshow and AVBobo, and the gambling apps still available included RD Poker and RiverPoker. As of Wednesday, Banana Video, for one, was still hanging in there.

How ‘iPorn’ et al. tiptoes into the App Store

All developers have to do to get an enterprise certificate is to fill out an online form, fork over $299, hand over an easily found D-U-N-S business ID number (Apple provides a tool to look it up) and business address, and use an up-to-date Mac. Tech Crunch’s Josh Constine even found these step-by-step directions on how to get an Apple enterprise app developer license.

Then, the developers sit back and wait for a call from Apple. It takes one to four weeks. The last step: lie to the Apple rep about plans to only distribute the apps internally.

Often, part of the ruse is for these violative apps to hide behind company names that obscure their real purpose: for example, Tech Crunch found such business names as Interprener, Mohajer International Communications, Sungate and AsianLiveTech. Constine says that he also came across what appeared to be “forged or stolen credentials to sign up under the names of completely unrelated but legitimate businesses.” From his report:

Dragon Gaming was registered to U.S. gravel supplier CSL-LOMA. As for porn apps, PPAV’s certificate is assigned to the Nanjing Jianye District Information Center, Douyin Didi was licensed under Moscow motorcycle company Akura OOO, Chinese app Pear is registered to Grupo Arcavi Sociedad Anonima in Costa Rica and AVBobo covers its tracks with the name of a Fresno-based company called Chaney Cabinet Furniture Co.

Apple will send the apps – and maybe their devs – packing

Apple wouldn’t explain how these apps are getting past its vetting to get into the Enterprise Certificate app program. Nor would it discuss whether it will change how it deals with its enterprise program, including whether it will in the future follow up to see if apps that get in are, or remain, compliant, or if it plans to change its admission process. It did, though, give Tech Crunch a statement about its plans to shut down such apps and potentially to ban the developers from building iOS products:

Developers that abuse our enterprise certificates are in violation of the Apple Developer Enterprise Program Agreement and will have their certificates terminated, and if appropriate, they will be removed from our Developer Program completely. We are continuously evaluating the cases of misuse and are prepared to take immediate action.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Z3GuTqaP3dY/