More iOS apps discovered abusing certificates to bypass App Store

Ewdison Then - Feb 12, 2019, 8:13 pm CST

The investigation that revealed Facebook’s and Google’s misuse of their Enterprise Certificates has opened up a can of worms on both sides. On the one hand, it reveals the lengths companies will go to in order to collect user data, even paying users in the process. On the other hand, it has also revealed a chink in Apple’s armor that has let apps be installed without its usual screening process. Now it seems that even more apps have abused those Enterprise Certificates to get past scrutiny, including vice apps that would never have been allowed on the App Store otherwise.

The reason it’s such a big deal when adult-content and gambling apps are reported to be available on iPhones is that it’s almost impossible for that to happen in the first place. While it’s all too easy to sideload such apps on Android, iOS’s tight security and screening process would normally require iPhones and iPads to be jailbroken first. It turns out, however, that app developers have a dirty secret that Apple is only discovering now.

Enterprise certificates are granted to companies in order to be able to internally test iOS apps, which means being able to install those apps without having to go through the usual App Store review process. Facebook and Google have misused those, intentionally or otherwise, to install “research” apps that collect user data. TechCrunch now reports that there are other ways to get hold of such a certificate and, this time, the blame lies on Apple’s side.

Apple’s enterprise program is apparently lax enough to let even dubious companies join with few background checks. For $299, a few lies, and a waiting time of up to four weeks, anyone can get an Enterprise Certificate and use it to install apps that violate Apple’s policies.

These apps still have to operate within the technical limits imposed by iOS, but, as Facebook’s Research app has proven, it’s not that hard to pilfer data behind users’ backs. Apple’s zeal in shutting down Facebook’s and Google’s operations becomes almost comical in light of this new revelation, and it will have to work quickly to restore its image.
