Pirates have been abusing Apple’s enterprise developer program to distribute hacked versions of popular apps, reports Reuters. The apps discovered included versions of Spotify, Pokémon Go, Minecraft, and Angry Birds that had been modified to block in-app advertisements and to make paid features available for free, depriving their original developers — as well as Apple itself — of revenue.
Although Apple banned several of these apps after first being told about them by Reuters, the publication reports that they were back up under different certificates “within days.” The discovery suggests that Apple is struggling to control access to its enterprise certificates, which developers can use to circumvent Apple’s strict App Store rules by saying that an app is intended for use by their employees only.
Among the pirated apps was a version of Spotify which had been modified to block the advertisements that play when you’re listening with a free subscription. Also available was a free version of Minecraft, which normally retails for $6.99 on the App Store.
Responding to the Reuters report, a spokesperson from Apple said, “Developers that abuse our enterprise certificates are in violation of the Apple Developer Enterprise Program Agreement and will have their certificates terminated, and if appropriate, they will be removed from our Developer Program completely.” The company has also confirmed that it will require developers to add two-factor authentication to their accounts by the end of the month.
The discovery of these apps comes just days after numerous porn and gambling apps were found to be available for download on Apple devices, despite breaking Apple’s rules about app content. Each of these used an enterprise developer certificate (often registered to an entirely separate company) so that it could be downloaded onto a standard un-jailbroken iPhone.
TechCrunch’s investigation revealed that it’s relatively easy to obtain the certificate required to publish such apps. All it takes is a one-off payment of $299 and some publicly available company information. Individuals with access to these developer certificates were found to be selling developers access to them on online marketplaces, resulting in multiple apps being registered to the same enterprise certificate.
The abuse of these certificates first came to light after it emerged that Facebook was using them to distribute an app to teenagers that would track their phone usage. An investigation then revealed that Google offered a similar app. Apple retaliated by temporarily revoking the certificates of both companies.