Remember how the world’s biggest social network got into trouble with Apple recently over an app called Facebook Research?
The app wasn’t designed for general use – in fact, Facebook couldn’t make it openly available to everyone because it was too snoopy to be allowed in the App Store.
Amongst other things, it peeked into some or all of the network traffic from your other apps, with the goal of improving Facebook by learning more about how people behaved online.
Keeping low-level tabs on what other apps are up to isn’t permitted in regular iPhone software, so Facebook got around these restrictions by offering the app in a limited-access version under Apple’s Enterprise Certificate programme.
That’s the system that businesses can use to write, build and digitally sign apps for their own staff without first putting the app through Apple’s App Store review.
Simply put, it’s the closest thing that Apple has to Google’s “allow apps from unknown sources” option in Android, and, short of jailbreaking, it’s the only practical way to install software on any number of iPhones without going through the App Store (Apple’s TestFlight beta programme and “ad hoc” distribution to a short list of registered devices exist too, but both are tightly limited).
Apple, to put it mildly, was not amused – companies are supposed to use the Enterprise Certificate programme to create internal apps for use by employees only.
Offering customers $20 for helping out was not enough to make them “employees”, at least in Apple’s opinion, and Facebook was forced to withdraw the Research app.
It soon turned out that Facebook weren’t the only ones stretching the meaning of “employee”, with Google’s Screenwise Meter app falling similarly foul of Apple’s guidelines.
Google paid you with gift cards rather than in regular dollars, and it pulled its app proactively rather than waiting for Apple to fire a shot across its bows, but the end result was the same: the app isn’t available any more.
Footloose and fancy free
Guess who else has been playing footloose and fancy free with Developer Certificates?
“Alternative vendors”, that’s who.
We’ve already written about how porn and gambling operators are offering off-market iPhone apps signed with enterprise developer certificates.
Now, Reuters has identified another sector taking advantage of enterprise cover, namely software pirates.
According to Reuters, a bunch of “alternative suppliers” have been using enterprise certificates to sign unofficial, pirated versions of mainstream apps such as Spotify, Angry Birds, Pokémon Go and Minecraft.
Once an app has been repackaged this way it can be patched to behave in ways that neither Apple nor the official app creator would permit, such as removing ads, bypassing login and account restrictions and, to put it bluntly, cheating in online games.
As Reuters notes, Apple can not only revoke certificates that have been abused, but also throw rogue developers out of the Developer Programme altogether, and there’s a fee and a waiting time to reapply.
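If you are handed an IPA from outside the App Store, the quickest way to tell which of the routes above it came in by is to look at the provisioning profile inside the bundle (Payload/<App>.app/embedded.mobileprovision). The Python below is an added example written for this article, not code from Apple, Reuters or the pirate sites: it pulls the XML plist out of the profile blob and classifies it as enterprise (ProvisionsAllDevices set, so it installs on any device), ad hoc or development (a fixed ProvisionedDevices list) or App Store (neither). The key names are the ones Apple uses in real profiles; every team, app ID, device UDID and date value is constructed for the sample, and the fake CMS envelope is padding, not a valid signature.

```python
import datetime
import plistlib
from typing import Any, Dict, Optional

# Added example (not code from the article, Apple or Reuters). Profile key names
# (ProvisionsAllDevices, ProvisionedDevices, Entitlements, ExpirationDate, TeamName,
# TeamIdentifier) are Apple's; all values below are constructed for illustration.


def wrap_in_fake_cms(plist_xml: bytes) -> bytes:
    """Constructed stand-in for the CMS SignedData envelope of a real profile.

    A real embedded.mobileprovision is DER-encoded CMS whose signed content is the
    XML plist in the clear. We pad with arbitrary bytes so extract_plist() has an
    envelope to skip over; this does NOT produce a valid signature.
    """
    return b"\x30\x82\x0b\x3d\x06\x09\x2a\x86" + b"\x00" * 24 + plist_xml + b"\x00" * 8


def extract_plist(blob: bytes) -> Dict[str, Any]:
    """Pull the XML plist out of a .mobileprovision blob.

    Heuristic: the plist sits in the clear between '<?xml' and '</plist>'.
    On macOS the authoritative route is `security cms -D -i embedded.mobileprovision`,
    which also verifies the CMS signature; this function verifies nothing.
    """
    start = blob.find(b"<?xml")
    if start < 0:
        raise ValueError("no XML plist found in profile blob")
    end = blob.find(b"</plist>", start)
    if end < 0:
        raise ValueError("unterminated XML plist in profile blob")
    return plistlib.loads(blob[start : end + len(b"</plist>")])


def classify_profile(profile: Dict[str, Any],
                     now: Optional[datetime.datetime] = None) -> Dict[str, Any]:
    """Summarise how a profile lets an app be installed, and whether it has expired."""
    entitlements = profile.get("Entitlements", {})
    devices = profile.get("ProvisionedDevices")
    if profile.get("ProvisionsAllDevices"):
        kind = "enterprise"      # installs on any device with no App Store review
    elif devices is not None:
        # Both ad hoc and development profiles carry a device list; development
        # profiles additionally allow a debugger to attach (get-task-allow).
        kind = "development" if entitlements.get("get-task-allow") else "ad-hoc"
    else:
        kind = "app-store"       # no device list and no blanket grant
    expires = profile.get("ExpirationDate")
    # plistlib returns naive UTC datetimes, so compare against naive UTC.
    now = now or datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    return {
        "kind": kind,
        "team": profile.get("TeamName"),
        "team_id": (profile.get("TeamIdentifier") or [None])[0],
        "app_id": entitlements.get("application-identifier"),
        "device_count": len(devices) if devices is not None else None,
        "expired": bool(expires and expires < now),
    }


def inspect_profile(blob: bytes,
                    now: Optional[datetime.datetime] = None) -> Dict[str, Any]:
    """Convenience wrapper: raw profile blob in, classification dict out."""
    return classify_profile(extract_plist(blob), now)


def build_sample_profile(**fields: Any) -> bytes:
    """Constructed sample profile; team, app ID, UDID and date values are made up."""
    profile: Dict[str, Any] = {
        "AppIDName": "Example App",
        "ApplicationIdentifierPrefix": ["ABCDE12345"],
        "Entitlements": {"application-identifier": "ABCDE12345.com.example.app",
                         "get-task-allow": False},
        "ExpirationDate": datetime.datetime(2030, 1, 1),
        "Name": "Example Profile",
        "TeamIdentifier": ["ABCDE12345"],
        "TeamName": "Example Corp",
    }
    profile.update(fields)
    return wrap_in_fake_cms(plistlib.dumps(profile))


# Constructed samples covering each distribution route.
ENTERPRISE_SAMPLE = build_sample_profile(ProvisionsAllDevices=True)
ADHOC_SAMPLE = build_sample_profile(ProvisionedDevices=["00008030-0000000000000001"])
DEV_SAMPLE = build_sample_profile(
    ProvisionedDevices=["00008030-0000000000000001"],
    Entitlements={"application-identifier": "ABCDE12345.com.example.app",
                  "get-task-allow": True},
)
EXPIRED_SAMPLE = build_sample_profile(ProvisionsAllDevices=True,
                                      ExpirationDate=datetime.datetime(2019, 1, 1))

if __name__ == "__main__":
    for name, blob in [("enterprise", ENTERPRISE_SAMPLE), ("ad-hoc", ADHOC_SAMPLE),
                       ("development", DEV_SAMPLE), ("expired", EXPIRED_SAMPLE)]:
        print(name, inspect_profile(blob))
```

An “enterprise” result for an app that was never issued by your own employer is exactly the warning sign this story is about; note that an expired or revoked profile stops the app launching, which is why Apple’s revocations bite. Treat the extractor as a triage tool only: it reads the plist but does not check the CMS signature, so a tampered profile would classify just as happily as a genuine one.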
2FA coming soon
There’s more that Apple can do, however, and it’s going to start doing it soon.
Apple will be insisting that developers whose accounts can issue signing certificates must use 2FA (two-factor authentication) as part of the responsibility that goes with the privilege.
We assume this will give Apple much tighter control over the abuse of stolen developer credentials: a crook who steals your password will no longer have enough to log in to your developer account and issue new signing certificates or provisioning profiles in your name.
Enforcing 2FA could also make it tougher for rogue developers to fire up new accounts as their old ones get shut down.
2FA codes that are sent to your phone can be tied to the SIM, to the device or to both, making it harder to re-register for new accounts with phones that have already been busted for previous offences.
However, given that we’ve seen photos of iPhone “click farms” with thousands of devices in racks pretending to be thousands of unique, independent, genuine users, we do find ourselves wondering how much of a deterrent this will be to determined fraudsters.
Getting serious
Ironically, getting more serious about 2FA isn’t popular with everyone – an Apple customer in California is trying to kickstart a class action lawsuit claiming that Apple has “forced” him to use 2FA, and this has caused him and “millions of similarly situated consumers” to suffer “economic losses”.
And in a counter-irony that would be amusing if it didn’t paint such a dismally confused picture of the world’s relationship with cybersecurity, Google’s Nest division came under fire recently when a Nest user whose home was hacked publicly demanded a $4000 refund because Google hadn’t told him about 2FA.
For the record, neither of them received much sympathy from Naked Security readers.
Simply put, many of our readers seem to think that 2FA isn’t that hard; doesn’t take as much effort or cause as much trouble as its detractors claim; has a largely positive outcome for the law-abiding community; and is something that we should all be aware of by now, even if we ultimately choose not to bother with it.
What say you?
Where do you stand on 2FA?
Will Apple make a dent in rogue apps by insisting developers use 2FA, or should it leave it to the developers to make their own minds up?