Apple Enterprise Developer Program

Gambling, porn, and piracy on iOS: Apple’s enterprise certificate woes continue

A wide range of app-makers are abusing enterprise certs to skip the App Store.

Apps on an iPhone X.
Samuel Axon

Rival tech giants like Google and Facebook aren’t the only companies abusing Apple’s enterprise certificates to distribute unapproved apps on iOS outside the App Store, according to reports from Reuters and TechCrunch.

Apple’s Enterprise Developer Program is intended to facilitate distribution of apps across devices internally within corporations, governments, and other organizations. Apple explicitly forbids its use for any other purpose in its terms of service.

But the Reuters report describes the use of enterprise certificates to distribute pirated versions of popular iOS software like Minecraft, Spotify, and Pokémon Go. For example, a free version of Minecraft (which is normally a premium app) is distributed by TutuApp using the method. Another pirate distributor, AppValley, offers a version of the Spotify app with the ads that support Spotify and the music artists stripped out completely.

The distributors impersonate legitimate businesses to gain access to Apple’s enterprise certification program and tools. They also offer both free versions of their services and cheap annual subscriptions, priced at a point the legitimate services from which they steal could never viably match.

Earlier this week, a TechCrunch investigation also discovered a "dozen hardcore-pornography apps and a dozen real-money gambling apps that escaped Apple's oversight." Like the pirated apps, these apps bypassed Apple's App Store, given that Apple would not have approved them otherwise.

Apple has been criticized many times in the past for the App Store's stringent app-approval policy, and those critics remain. However, others have praised Apple for cracking down on apps that violate user privacy, can be used for bullying or abuse, or spread disinformation. Though the company's track record is not perfect there, that doesn't seem to be for lack of trying.

Some competing platforms like Google Play and Android have less-stringent approvals and are more permissive still of sideloading apps that could not be distributed in the Google Play store. In this sense, the App Store and Google Play represent two competing philosophies, and those philosophies may often be deciding factors for users choosing between platforms.

Many of Apple's customers choose the platform expecting those policies to be enforced, so the company tends to move aggressively to address loopholes and other problems. And, of course, protecting Apple's ability to take a revenue cut on all app transactions is important for the company's business, as it relies more and more on services revenue (an umbrella that includes the App Store) as iPhone sales slow. We've also written before about the security ramifications of loopholes like this.

To those ends, Apple provided identical statements to both TechCrunch and Reuters on the subject of unapproved app distribution through the enterprise program:

Developers that abuse our enterprise certificates are in violation of the Apple Developer Enterprise Program Agreement and will have their certificates terminated, and if appropriate, they will be removed from our Developer Program completely. We are continuously evaluating the cases of misuse and are prepared to take immediate action.

Even when it was Google and Facebook violating Apple's policies, Apple didn't hesitate to pull certification—though it negotiated to reinstate those certifications quickly. But with so many potential abuses by so many possible actors, it looks like Apple will be playing a difficult game of whack-a-mole to enforce its policies while retaining functionality and features for legitimate and compliant enterprise customers.

As a first step in its efforts to tackle these abuses, Apple announced this week that it will require developer accounts to use two-factor authentication. We'll have to wait and see if other new actions are coming, but it seems likely.
