Apple is currently dealing with a number of apps abusing its enterprise certificate program.
According to a new report, software pirates have used the technology to distribute hacked versions of many popular apps. These include the likes of Spotify, Pokémon GO, Angry Birds, Minecraft, and others. Apple originally introduced its enterprise certificates to let companies make business apps for employees, without going through the App Store.
The software distributors named and shamed by Reuters include TutuApp, Panda Helper, AppValley, and TweakBox. They have released modified versions of normally paid apps for free. In other cases, they offer versions of free apps minus the ads.
These “developers” also charge money for what they claim are “VIP” versions, which are supposedly more stable. In doing so, they are enriching themselves at the cost of Apple and the original developers. On Twitter, the pirates have a combined 600,000+ followers.
Apple reportedly has no way of tracking the real-time distribution of these certificates, or the spread of improperly modified apps on its phones. However, it can cancel certificates if it finds that they are being misused.
The challenge Apple faces
In a statement, Apple told Reuters that:
“Developers that abuse our enterprise certificates are in violation of the Apple Developer Enterprise Program Agreement and will have their certificates terminated, and if appropriate, they will be removed from our Developer Program completely. We are continuously evaluating the cases of misuse and are prepared to take immediate action.”
The challenge that Apple faces is that it’s difficult to ban pirates completely. After Reuters contacted Apple for a comment last week, it banned some of the players mentioned. However, they quickly sprang back using different certificates from other developer accounts.
One possible solution is for Apple to require two-factor authentication to log into all developer accounts. This will come into effect this month, and could help crack down on this kind of enterprise certificate abuse.