Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Piracy Businesses The Internet Apple Technology

Software Pirates Use Apple Tech To Put Hacked Apps on iPhones (reuters.com) 38

Pirates used Apple's enterprise developer certificates to put out hacked versions of some major apps, a report said Thursday. From the report: Illicit software distributors such as TutuApp, Panda Helper, AppValley and TweakBox have found ways to use digital certificates to get access to a program Apple introduced to let corporations distribute business apps to their employees without going through Apple's tightly controlled App Store. Using so-called enterprise developer certificates, these pirate operations are providing modified versions of popular apps to consumers, enabling them to stream music without ads and to circumvent fees and rules in games, depriving Apple and legitimate app makers of revenue. By doing so, the pirate app distributors are violating the rules of Apple's developer programs, which only allow apps to be distributed to the general public through the App Store. Downloading modified versions violates the terms of service of almost all major apps.
This discussion has been archived. No new comments can be posted.

Software Pirates Use Apple Tech To Put Hacked Apps on iPhones

Comments Filter:
  • This gem... (Score:5, Funny)

    by JD-1027 ( 726234 ) on Thursday February 14, 2019 @11:14AM (#58121150)

    By doing so, the pirate app distributors are violating the rules of Apple's developer programs

    Someone should probably let the pirates know. I'm sure they'd like to comply.

  • This is the same thing that Facebook and Google were recently caught doing, except for even more illicit purposes. Apple hasn't been policing this space at all up to this point, since they've intentionally been hands-off with how enterprises choose to use their own certificates, so long as the enterprises keep their certificates to themselves. Now that it's clear that hasn't been happening, I suspect changes may be coming in the next year or two to how enterprise certificates operate.

    • Maybe only allow certificates to be used on devices registered with the enterprises themselves?

      • That is how you register an enterprise device. By installing the certificate in it. That enables trusting of apps, configuration profiles, and VPN connections.

        • That's only one direction of security. The certificates allow the devices to run the software from the enterprise. But it does not protect the software from in-house leaks or abuse such as in these cases.

          • by guruevi ( 827432 )

            What you're proposing is a DRM scheme, none of them really work because you always need access to the code that is executing on your machine.

            These cases, the user is basically circumventing the app store completely so there is nothing Apple can do to stop distributing these applications and the user that installs them is thoroughly warned that these enterprise connections allow the creator to pretty much push any configuration they want, whether it's rerouting all the traffic through a VPN or bricking the p

    • That people want to run stuff on their iPhones without having to get Apple's approval for it first?

      I'll repeat. I think Google has the best model here. They run the Play Store for apps, and control what is/isn't allowed in that store. But if a user wants to run stuff installed outside the Play Store, they just need to change a single setting on their phone (which pops up a warning about what you are doing), and it'll allow them to install apps from other sources. It's up to the user to decide which a
      • Apple's model of forcing everyone to comply with their wishes is essentially a dictatorship. They decide what users can/can't do.

        Dictatorships don't give you the choice of leaving the dictatorship. You can always pony up the cash and buy an Android phone and its crappy security.

      • by tlhIngan ( 30335 )

        That people want to run stuff on their iPhones without having to get Apple's approval for it first?

        Which since iOS 8 you could and even run a rich assortment of free (Open and Free) software that Apple has never allowed. Emulators are especially popular and I think there's a front end to pick choose and install those apps and install them.

      • by DeVilla ( 4563 )

        I would concede that Google has a better model than Apple here. Far better is possible and has been implemented in other systems.

        Two things I would like to see added to Android:
        - I trust this app that I am explicitly loading / updating.
        - I trust apps from these specific stores (list which may or may not include Google's store)

        In other words, I don't want to have to cripple all security just to use fdroid with or instead of the play store.

  • by silverkniveshotmail. ( 713965 ) on Thursday February 14, 2019 @11:16AM (#58121160) Journal
    Hackers are modifying software and allowing it into the hands of other users? This changes everything.
  • but did the users actually agree to the terms of service of the original app when they installed a modified version?

    • by Falos ( 2905315 )

      >did the doublebad villains actually agree*
      ftfy

      They are "depriving companies of revenue" and that's the definition of treason in my country.

  • by DontBeAMoran ( 4843879 ) on Thursday February 14, 2019 @11:17AM (#58121166)

    The weakest link in hardware/software security is people.

    To summarize: people are a problem. - Douglas Adams (short version of the original [quotationspage.com] to better fit the topic)

  • ...depriving Apple and legitimate app makers of revenue. By doing so, the pirate app distributors are violating the rules of Apple's developer programs, which only allow apps to be distributed to the general public through the App Store. Downloading modified versions violates the terms of service of almost all major apps.

    Here's an iPhone. Call someone who gives a shit.

  • enabling them to stream music without ads and to circumvent fees and rules in games, depriving Apple and legitimate app makers of revenue.

    Imagine, you're listening to something really interesting, which captures your entire mind, when an ad strikes...bam...!!!

    Not good.

    I would be most grateful if there was a way to cheaply stem these YouTube ads.

    Google's fees in order to avoid them is insane. It's just costs too much.

    • Just browse YouTube in Firefox in private mode. It has a built-in ad blocker. There's probably a way to enable the ad-blocker in regular browsing mode, but I usually browse in private mode all the time for the extra anonymity so haven't looked for it.
  • The great thing about EULAs is that it's not illegal to break them. It's understandable that Apple doesn't want you to do these things, but we're free to do what we want with our purchased hardware from a legal standpoint.

  • Why doesn't Apple revoke the certificates and then provide new ones to the legitimate enterprises? Isn't that the reason Certificate Revocation Lists were invented - to stop the use of compromised certificates?
    • by guruevi ( 827432 )

      They do.

      • Are you sure? If the certificates have been revoked, why would an iPhone allow the app to be installed?
        • by guruevi ( 827432 )

          Because these things happen before Apple finds out and revokes the certificate. Apple has no involvement with Enterprise apps, they don't distribute them. Until someone complains, they don't know, these "companies" also buy massive numbers of certificates under various names, not just one, when one gets revoked, they just buy and/or use another one

  • I'd count it as a good thing that there are some cracks in the Walls of the Garden...

Top Ten Things Overheard At The ANSI C Draft Committee Meetings: (10) Sorry, but that's too useful.

Working...