Forbidden fruit of smut, gambling iOS apps found flourishing using Apple enterprise certs
Fancy that. Days after Apple suspended Facebook and Google for abusing Apple's enterprise developer privileges, Apple has been found to be permitting dozens of dubious apps to misuse its enterprise certificates.
An enterprise certificate, part of the $299-a-year Developer Enterprise Program, allows an organisation to distribute in-house apps to employees and partners, bypassing the App Store. It isn't intended as a distribution channel for public third-party apps – so when Apple discovered Facebook was using it to distribute its own user-monitoring app, it revoked the privilege. The certificate-yank broke Facebook's in-house apps too, until it was restored within about a day. Google's enterprise cert was also nuked briefly after the web ads giant admitted it too had used the certificate to sign an external app.
Apple's own hygiene was not perfect, though. TechCrunch this week scratched around and found "a dozen hardcore pornography apps and a dozen real-money gambling apps that escaped Apple's oversight."
These are clearly in breach of Apple's guidelines – so how did they flourish?
The answer appears to be through lax oversight by Apple of what qualifies as a "business". So lax, developers were able to circumvent the rules using stolen credentials. Nefarious app developers could apparently use a legitimate business's unique Data Universal Numbering System (D-U-N-S) digits, which could be confirmed by telephone.
"With just a few lies on the phone and web plus some Googleable public information, sketchy developers can get approved for an Apple Enterprise Certificate," journo Josh Constine noted.
You would think the legitimate owner of the certificate would notice that their good name was being sullied by filth, but it isn't that easy. Developers can take advantage of a black market trade in "rogue" certificates that are not associated with a legitimate company.
We requested comment from Apple but had not heard back at publication time. ®
Sponsored: Becoming a Pragmatic Security Leader