With its enterprise developer certificate program, Apple chose convenience over security. You can guess what happened. Credit: Thinkstock When Apple launched its enterprise developer certificate program — which helps enterprises make their homegrown apps for employee use-only available through iTunes — it had to make a difficult convenience-vs.-security decision: how much hassle to put IT managers through to get their internal apps posted. It chose convenience and, well, you can guess what happened. Media reports say pirate developers used the enterprise program to improperly distribute tweaked versions of popular apps — including Spotify, Angry Birds, Pokemon Go and Minecraft — while others used the platform to distribute porn apps along with real-money gambling apps. And all the bad guys had to do was lie to Apple reps about being associated with legitimate businesses. Apple didn’t bother to investigate or otherwise verify the answers. Apple now has two ways to go: gut or severely limit its enterprise certificate program or pour in enough resources to effectively verify all answers before granting access. Any longtime Apple watchers know which route is more likely. Hint: The enterprise program aims to make it easier for companies to leverage iOS devices, but it doesn’t deliver a ton of direct revenue. Assigning talent to fix it when Apple is struggling to make its iPhone sales goals seems unlikely. Let’s drill into what happened. First, courtesy of Reuters, comes the report of the software pirates. “These pirate operations are providing modified versions of popular apps to consumers, enabling them to stream music without ads and to circumvent fees and rules in games, depriving Apple and legitimate app makers of revenue,” the Reuters story said. “Apple confirmed a media report on Wednesday that it would require two-factor authentication — using a code sent to a phone as well as a password — to log into all developer accounts by the end of this month, which could help prevent certificate misuse.” Two quick thoughts on Apple’s 2FA approach, assuming this reference is correct. First, texting a code is begging for a man-in-the-middle attack, and these pirates are well able to deliver such a move. There are far more secure 2FA options. Secondly, all this will do is verify that the person who created the account is the person who is right now trying to gain access. It doesn’t address the real issue here, which is that they were fraudulent applications initially. The story of the porn and real-money gambling apps came from TechCrunch, and it delivers far more specifics about how easy these frauds were to commit, given Apple’s ultra-convenient approach. “Developers simply have to fill out an online form and pay $299 to Apple, as detailed in this guide from Calvium. The form merely asks developers to pledge they’re building an Enterprise Certificate app for internal employee-only use, that they have the legal authority to register the business, provide a D-U-N-S business ID number and have an up to date Mac,” TechCrunch reported. “You can easily Google a business’ address details and look up their D-U-N-S ID number with a tool Apple provides. After setting up an Apple ID and agreeing to its terms of service, businesses wait one to four weeks for a phone call from Apple asking them to reconfirm they’ll only distribute apps internally and are authorized to represent their business. With just a few lies on the phone and web plus some Googleable public information, sketchy developers can get approved for an Apple Enterprise Certificate.” Apple has managed to make this process convenient from a security standpoint (which is a bad thing), but inconvenient and arduous from an IT perspective. Put more bluntly, the company made it relatively easy for crooks while forcing legitimate IT workers to jump through a lot of hoops. Steve Jobs is doing some serious rolling in his grave. Given that Apple is already having a call center representative calling to reconfirm, why not call the company whose D-U-N-S number is being used to verify that it really made the request? Apple could ask for the contact person and then make sure that everything is legitimate. If the contact person is not known, that’s a good reason to delay or even outright reject the approval. Ideally, delay it and give the applicant a chance to explain. After all, the chance that the person answering the corporate switchboard might be a temp and can’t find the employee is not so unlikely. That said, this verification effort will significantly add to the labor that Apple needs to expend on authentication, and it’s not clear if this makes fiscal sense for the company. But, Apple, if you want to enforce these rules, then truly enforce them. Making people fill out a lot of online forms and then wait a month for a phone call makes little sense if no one is bothering to verify the answers. Related content opinion A phish by any other name should still not be clicked By Evan Schuman Apr 05, 2024 6 mins Technology Industry Communications Security Industry opinion McDonald's serves up a master class in how not to explain a system outage When McDonald's in March suffered a global outage preventing it from accepting payments, it issued a lengthy statement about the incident that was vague, misleading and yet still allowed many of the technical details to be figured out. By Evan Schuman Apr 01, 2024 7 mins Mobile Payment Data Center Industry opinion Why are CIOs who anticipate the future rarely allowed to do anything about it? Wall Street’s obsession with quarterly earnings has made it extraordinarily difficult for most enterprises to spend on long-term investments, or even mid-term investments. By Evan Schuman Mar 08, 2024 5 mins IT Director IT Strategy IT Leadership opinion The food delivery driver identification dilemma Ever use one of those mobile food delivery apps — only to realize your delivery person isn't who you expected? There's a lesson here about identity, authentication, and what happens when the best laid tech plan meets human beings. By Evan Schuman Mar 01, 2024 6 mins Small and Medium Business Mobile Apps Mobile Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe