Apple’s easily abused Enterprise Certificate program isn’t just enabling snoopy Facebook and Google apps. It’s also being exploited by at least a dozen hardcore porn apps and a dozen gambling apps.
Last week, Facebook’s Research app – that paid people, including teens, to install a Virtual Private Network (VPN) app that planted a root certificate on their phones to get access to traffic from other apps – got the boot from Apple. The Research app was created under Apple’s Enterprise Certificate program, a way of creating non-App Store apps that are used for “specific business purposes” and “only for use by your employees” …not by consumers whose data Facebook was sucking up.
Within hours, Google found itself apologizing for doing something similar.
Now, it’s apparent how easy it is to use enterprise certificates to avoid the App Store’s content policies prohibiting apps that show “explicit descriptions or displays of sexual organs or activities intended to stimulate erotic rather than aesthetic or emotional feelings.”
According to Tech Crunch, the developers behind the gambling and porn apps have either passed what it calls Apple’s “weak” Enterprise Certificate screening process or piggybacked onto a legitimate approval.
Apple was swift to react when Tech Crunch broke the news about Facebook’s and Google’s “clear breach” of its certificate policies. After briefly revoking the companies’ certificates (for all apps, including those that were, per Apple’s policy, used by employees), Apple has over the past few days gone on a bit of an app-disabling spree. Some of the dozens of porn and gambling apps that Tech Crunch initially found have vanished in the process.
As of Tuesday, still-functioning porn apps included Swag, PPAV, Banana Video, iPorn (iP), Pear, Poshow and AVBobo, and the gambling apps still available included RD Poker and RiverPoker. As of Wednesday, Banana Video, for one, was still hanging in there.
How ‘iPorn’ et al. get enterprise certificates
All developers have to do to get an enterprise certificate is to fill out an online form, fork over $299, hand over an easily found D-U-N-S business ID number (Apple provides a tool to look it up) and business address, and use an up-to-date Mac. Tech Crunch’s Josh Constine even found these step-by-step directions on how to get an Apple enterprise app developer license.
Then, the developers sit back and wait for a call from Apple. It takes one to four weeks. The last step: lie to the Apple rep about plans to only distribute the apps internally.
Often, part of the ruse is for these violative apps to hide behind company names that obscure their real purpose: for example, Tech Crunch found such business names as Interprener, Mohajer International Communications, Sungate and AsianLiveTech. Constine says that he also came across what appeared to be “forged or stolen credentials to sign up under the names of completely unrelated but legitimate businesses.” From his report:
Dragon Gaming was registered to U.S. gravel supplier CSL-LOMA. As for porn apps, PPAV’s certificate is assigned to the Nanjing Jianye District Information Center, Douyin Didi was licensed under Moscow motorcycle company Akura OOO, Chinese app Pear is registered to Grupo Arcavi Sociedad Anonima in Costa Rica and AVBobo covers its tracks with the name of a Fresno-based company called Chaney Cabinet & Furniture Co.
Apple will send the apps – and maybe their devs – packing
Apple wouldn’t explain how these apps are getting past its vetting to get into the Enterprise Certificate app program. Nor would it discuss whether it will change how it deals with its enterprise program, including whether it will in the future follow up to see if apps that get in are, or remain, compliant, or if it plans to change its admission process. It did, though, give Tech Crunch a statement about its plans to shut down such apps and potentially to ban the developers from building iOS products:
Developers that abuse our enterprise certificates are in violation of the Apple Developer Enterprise Program Agreement and will have their certificates terminated, and if appropriate, they will be removed from our Developer Program completely. We are continuously evaluating the cases of misuse and are prepared to take immediate action.