SAN FRANCISCO (Reuters) – Software pirates have hijacked technology developed by Apple Inc. to distribute hacked versions of Spotify, Angry Birds, Pokemon, Minecraft and other popular apps on the iPhone, Reuters has found.
A 3D printed Apple logo is seen in front of a cyber-code in this image taken 22 March 2016. REUTERS/Dado Ruvic/Illustration
Pirated software distributors such as TutuApp, Panda Helper, AppValley and TweakBox have found ways to use digital certificates to gain access to a program that Apple introduced to allow companies to distribute business apps to their employees without going through Apple’s tightly controlled App Store.
Using so-called enterprise and developer certificates, these pirate operations supply custom versions of popular apps to consumers, allowing them to stream music without ads and work around fees and rules in games, depriving Apple’s legitimate app makers of revenue.
By doing this, the pirate app distributors are violating the rules of Apple’s developer programs, which only allow apps to be distributed to the public through the App Store. Downloading the custom versions violates the terms of service of nearly all the major apps.
TutuApp, Panda Helper, AppValley and TweakBox did not respond to multiple requests for comment.
Apple has no way of tracking the distribution of these certificates in real time, or the spread of improperly modified apps on its phones, but it may cancel the certificates if it finds abuse.
“Developers that abuse our enterprise certificates are in violation of the Apple Developer Enterprise Program Agreement and will have their certificates terminated and, if applicable, they will be removed from our Developer Program completely”, an Apple spokesperson told Reuters. “We are constantly evaluating the cases of abuse and are prepared to take immediate action.”
After Reuters initially contacted Apple for comment last week, some of the pirates were banned from the system, but within a few days they were using different certificates and were operational again.
“There is nothing stopping these companies from doing this again from a different team, a different developer account”, said Amine Hambaba, head of the security software company Security.
Apple confirmed a media report on Wednesday that it would require two-factor authentication, using a code sent to a phone as well as a password, to log in to all developer accounts at the end of this month, which can help prevent certificate abuse.
Major app makers Spotify Technology SA, Rovio Entertainment Oyj and Niantic Inc have started to fight back.
Spotify declined to comment on the issue of the modified apps, but the streaming music provider said earlier this month that its new terms of service would crack down on users involved in “the making or distribution of tools designed to block ads” on its service.
Rovio, the maker of the Angry Birds mobile games, said it is actively working with partners to tackle infringement “for the benefit of both our player community and Rovio as a company.”
Niantic, which makes Pokemon Go, said that players who use illegal apps that enable cheating in its game are regularly banned for violating its terms of service. Microsoft Corp, owner of the creative building game Minecraft, declined to comment.
It is unclear how much revenue the pirate distributors are shifting away from Apple and legitimate app makers.
TutuApp offers a free version of Minecraft, which costs $6.99 in Apple’s App Store. AppValley offers a version of Spotify’s free streaming music service with the ads removed.
The distributors earn money by charging $13 or more per year for subscriptions to what they call “VIP” versions of their services, which they say are more stable than the free versions. It is impossible to know how many users buy such subscriptions, but the pirate distributors together have more than 600,000 followers on Twitter.
Security researchers have long warned about the abuse of enterprise and developer certificates, which act as digital keys that tell an iPhone that a piece of software downloaded from the internet can be trusted and opened. They are the centerpiece of Apple’s program for corporate apps, and they enable consumers to install apps on iPhones without Apple’s knowledge.
Apple last month briefly banned Facebook Inc. and Alphabet Inc. from using enterprise certificates after they used them to distribute data-collecting apps to consumers.
The distributors of illegal apps seen by Reuters use certificates that have been obtained in the name of legitimate companies, but it is not clear how. A number of pirates have impersonated a subsidiary of China Mobile Ltd. China Mobile has not responded to requests for comment.
A man holds a laptop computer as a cyber-code is projected on him in this illustration photo taken on May 13, 2017. REUTERS/Kacper Pempel/Illustration
Tech news website TechCrunch earlier this week reported that the certificate abuse also enabled the distribution of apps for pornography and gambling, both of which are prohibited from the App Store.
Since the App Store debuted in 2008, Apple has tried to portray the iPhone as more secure than competing Android devices, because Apple checks and approves all apps distributed on the devices.
Early on, hackers “jailbroke” iPhones by modifying their software to evade Apple’s controls, but that process voids the iPhone’s warranty and scares off a lot of casual users. The abuse of the enterprise certificates seen by Reuters does not depend on jailbreaking and can be used on unmodified iPhones.
Reporting by Stephen Nellis and Paresh Dave in San Francisco; Editing by Greg Mitchell and Bill Rigby