Remember how the world’s biggest social network got into trouble with Apple recently over an app called Facebook Research?
The app wasn’t designed for general use – in fact, Facebook couldn’t make it openly available to everyone because it was too snoopy to be allowed in the App Store.
Amongst other things, it peeked into some or all of the network traffic from your other apps, with the goal of improving Facebook by learning more about how people behaved online.
Keeping low-level tabs on what other apps are up to isn’t permitted in regular iPhone software, so Facebook got around these restrictions by offering the app in a limited-access version under Apple’s Enterprise Certificate programme.
That’s the system that businesses can use to write, build and digitally sign apps for their own staff without waiting for Apple to sign the app into the App Store first.
Simply put, it’s the closest thing that Apple has to Google’s “allow apps from unknown sources” option in Android, and it’s the only way, short of jailbreaking, to install software on an iPhone without going to the App Store.
Apple, to put it mildly, was not amused – companies are supposed to use the Enterprise Certificate programme to create internal apps for use by employees only.
Offering customers $20 for helping out was not enough to make them “employees”, at least in Apple’s opinion, and Facebook was forced to withdraw the Research app.
It soon turned out that Facebook weren’t the only ones stretching the meaning of “employee”, with Google’s Screenwise Meter app falling similarly foul of Apple’s guidelines.
Google paid you with gift cards rather than in regular dollars, and it pulled its app proactively rather than waiting for Apple to fire a shot across its bows, but the end result was the same: the app isn’t available any more.
Footloose and fancy free
Guess who else has been playing footloose and fancy free with Developer Certificates?
“Alternative vendors”, that’s who.
We’ve already written about how porn and gambling apps are offering off-market iPhone software using developer certificates.
Now, Reuters has identified another sector taking advantage of enterprise cover, namely software pirates.
According to Reuters, a bunch of “alternative suppliers” have been using developer certificates to sign unofficial, illegal versions of mainstream apps such as Spotify, Angry Birds, Pokemon Go and Minecraft.
Unofficial apps can be hacked to operate in ways neither Apple nor the official app creator would permit, such as removing ads, bypassing login and account restrictions, and – to put it bluntly – cheating in online games.
As Reuters notes, Apple can not only cancel certificates that have been abused, but also throw rogue developers out of the Developer Programme altogether, and there’s a fee and a waiting time to reapply.
2FA coming soon
There’s more that Apple can do, however, and it’s going to start doing it soon.
Apple will be insisting that programmers with Developer Certificates must use 2FA (two-factor authentication) as part of the responsibility that goes with the privilege.
We assume this will allow Apple much greater control over the abuse of compromised Developer Certificates – a crook who steals your password will no longer have enough information to access your account and sign apps with your certificate.
Enforcing 2FA could also make it tougher for rogue developers to fire up new accounts as their old ones get shut down.
2FA codes that are sent to your phone can be tied to the SIM, to the device or to both, making it harder to re-register for new accounts with phones that have already been busted for previous offences.
However, given that we’ve seen photos of iPhone “click farms” with thousands of devices in racks pretending to be thousands of unique, independent, genuine users, we do find ourselves wondering how much of a deterrent this will be to determined fraudsters.
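To make the point in L22 concrete (a stolen password on its own is no longer enough, and a code that has already been used cannot be presented again), here is an added example that is not part of the original article and does not describe Apple's own developer-account login, which uses device-based prompts rather than the mechanism below. It uses RFC 6238 TOTP as a stand-in second factor; the account record, salt, password and the fixed clock value are constructed for the demo, and the TOTP seed is the published RFC test vector so the codes can be checked against the standard.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time in 30-second steps."""
    return hotp(secret, at_time // step, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, stretched password hash; PBKDF2 keeps the demo self-contained."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed demo values (not from any real account).
DEMO_SALT = b"constructed-demo-salt"
DEMO_TOTP_SECRET = b"12345678901234567890"  # RFC 6238 test-vector seed, used here as a constructed secret


def make_account(password: str) -> dict:
    """Constructed account record: password hash, TOTP seed and the last TOTP step consumed."""
    return {
        "pw_hash": hash_password(password, DEMO_SALT),
        "totp_secret": DEMO_TOTP_SECRET,
        "last_counter": -1,
    }


def login(account: dict, password: str, code, now: int, step: int = 30) -> str:
    """Check both factors. The distinct reason strings are for the demo; a real service
    would return one generic failure so an attacker cannot tell which factor was wrong."""
    if not hmac.compare_digest(account["pw_hash"], hash_password(password, DEMO_SALT)):
        return "bad password"
    if code is None:
        return "second factor required"
    current = now // step
    for counter in (current, current - 1):  # tolerate one step of clock drift
        if hmac.compare_digest(hotp(account["totp_secret"], counter), code):
            if counter <= account["last_counter"]:
                return "code replayed"  # each time step's code is accepted once only
            account["last_counter"] = counter
            return "ok"
    return "bad code"


def demo() -> list:
    """Walk through the scenarios the article describes with a fixed, constructed clock."""
    acct = make_account("correct horse battery staple")
    t = 59  # constructed clock value (also an RFC 6238 test-vector time)
    good = totp(DEMO_TOTP_SECRET, t)
    return [
        login(acct, "correct horse battery staple", None, t),      # stolen password only
        login(acct, "correct horse battery staple", "000000", t),  # password plus a guessed code
        login(acct, "wrong password", good, t),                    # right code, wrong password
        login(acct, "correct horse battery staple", good, t),      # both factors present
        login(acct, "correct horse battery staple", good, t + 5),  # same code presented again
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The replay check is the part people most often leave out: without `last_counter`, a code observed in transit stays valid for the rest of its 30-second step (and the drift window). Apple's actual second factor is a prompt on a trusted device rather than a typed TOTP code, but the structure is the same: knowing the password gets the attacker to the second check, not past it.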
Getting serious
Ironically, getting more serious about 2FA isn’t popular with everyone – an Apple customer in California is trying to kickstart a class action lawsuit claiming that Apple has “forced” him to use 2FA, and this has caused him and “millions of similarly situated consumers” to suffer “economic losses”.
And in a counter-irony that would be amusing if it didn’t paint such a dismally confused picture of the world’s relationship with cybersecurity, Google’s Nest division came under fire recently when a Nest user whose home was hacked publicly demanded a $4000 refund because Google hadn’t told him about 2FA.
For the record, neither of them received much sympathy from Naked Security readers.
Simply put, many of our readers generally seem to think that 2FA isn’t that hard; doesn’t take as much effort or cause as much trouble as its detractors claim; has a largely positive outcome for the law-abiding community; and is something that we should all be aware of by now, even if we ultimately choose not to bother with it.
What say you?
Where do you stand on 2FA?
Will Apple make a dent in rogue apps by insisting developers use 2FA, or should it leave it to the developers to make their own minds up?
dhunter
I believe that 2FA is a good intermediary step to protect significant accounts from brute force hijacking attempts. Unfortunately, 2FA will be of no help if sites with their expansive databases get hacked and our personal data stolen, but that’s not really what 2FA is all about. For now, while we wait for other better/easier options to be developed, 2FA is certainly something deserving of serious consideration for users to activate on accounts with far reaching scope in their daily lives – Google, Facebook (#deletefacebook), Apple, Microsoft, Twitter etc.
For me, I like the idea of the portable USB keys such as the Yubikey for 2FA. I haven’t bought one yet, as these keys are not supported everywhere, but they can be used on the big sites listed above. I don’t want to receive login codes on my cellphone, where that info can be sent by rogue apps to whomever is set up to receive such data. I do not really wish to receive these 2FA codes via email either, since email is even more vulnerable than SMS txt messages. The software apps that run on our phones, known as authentication apps, by Google and others seem a better choice, but I do not particularly wish to be tied to my smartphone as I will be dumping it as soon as I drop it in the pool, to be replaced by a dumb phone – the only way to win the cellphone privacy game is not to play – there is nothing wrong with having “just a phone”. Thus an app is not a long term solution for me.
So I wait and watch, waiting for these USB key thingies to mature, to be adopted far and wide like by my bank (that still uses SMS), my utility companies, cell provider and everywhere else that having my account compromised could result in some serious inconvenience and temporary loss of service.
chipped
2FA is better than a password alone. Yes it can be done better, however you should use it whenever available. Don’t wait for the perfect solution because it will never come.
2FA together with a password manager that generates a unique password for every site would be a very strong base to work from.
Simon McAllister
When doing anything via a public network, we must accept that security will never be 100% achievable, thus we should apply as much security as possible, keeping in mind the trade-offs (security benefits against overhead or impact to operational processes e.g. login times etc.). This, along with the data or systems being protected quantifies just how much to apply. So yes, 2FA gets my vote.
Apple, and any other vendor with a development platform that results in potential global use of the products they create should, in my view, apply the same at the very least (but quite obviously more so).
Laurence Marks
I rarely let websites hold my credit card number – I prefer to enter it every time. But on the two sites that hold my card information, I use 2FA. It has been frustrating when I wish to order something from one of those sites and I’m out of the country. It would be nice to have a system that doesn’t rely on North American cellular service.