After Facebook and Google had their Enterprise Certificates revoked by Apple, a new investigation by TechCrunch has revealed more companies exploiting the program for uses outside its terms and conditions. Specifically, TC verified two dozen gambling and porn apps that use Enterprise Certificates to distribute their apps to non-employees, with thousands more likely doing the same. The publication also discovered just how easy it is to obtain an Enterprise Certificate in the first place.
While the onus for using an Apple Enterprise Certificate properly falls on the company that holds it, it's clear that Apple has work to do in enforcing its own policies. TC's investigation found a dozen porn apps and a dozen gambling apps distributed outside the App Store in breach of the Enterprise Certificate policies.
A TechCrunch investigation uncovered a dozen hardcore pornography apps and a dozen real-money gambling apps that escaped Apple’s oversight. The developers passed Apple’s weak Enterprise Certificate screening process or piggybacked on a legitimate approval, allowing them to sidestep the App Store and Cupertino’s traditional safeguards designed to keep iOS family friendly. Without proper oversight, they were able to operate these vice apps that blatantly flout Apple’s content policies.
Beyond enforcement after the fact, TC notes just how easy it is to fraudulently obtain an Enterprise Certificate in the first place.
Developers simply fill out an online form and pay Apple $299, as detailed in this guide from Calvium. The form merely asks developers to pledge that they are building the app for internal, employee-only use, to affirm that they have the legal authority to register the business, to provide a D-U-N-S business ID number, and to have an up-to-date Mac. Nothing in that process verifies how the certificate will actually be used.
While TC was only able to specifically verify the two dozen porn and gambling apps by downloading and installing them through their Enterprise Certificate distribution, it also discovered thousands of websites offering the same kind of downloads.
TechCrunch found thousands of sites offering downloads of “sideloaded” Enterprise apps, and investigating just a sample uncovered numerous abuses.
The report notes that Apple has taken action on some of the apps TechCrunch discovered, but many of them are still available to download outside of the App Store.
Given Apple's stated commitment to security and user privacy, this Enterprise Certificate abuse is a clear example of where it needs to take a more intentional approach to enforcing its policies.
As a user, steer clear of any company that asks you to install its app from outside the App Store unless you are certain it is a legitimate use of Apple's Enterprise Certificate program. An enterprise-signed app installs only after you explicitly trust the developer's profile on the device, so that trust prompt is your cue to stop and ask why an app is not coming through the App Store.
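For readers who want to check how an .ipa was signed rather than take a download site's word for it, the added Python example below (not code from TechCrunch, Apple, or this article's author) parses the `embedded.mobileprovision` file that ships inside every sideloaded app bundle. That file is a CMS-signed XML property list; the script extracts the plist and classifies the distribution method from keys Apple puts in every profile: `ProvisionsAllDevices` is true only for enterprise in-house profiles, `ProvisionedDevices` lists specific device UDIDs for development and ad-hoc profiles, and the `get-task-allow` entitlement separates development from ad-hoc. The three sample profiles are constructed for this example, with a made-up team name and identifier, and the bytes around the plist only stand in for the real signature envelope.

```python
"""Classify an iOS provisioning profile by distribution method.

Added example; sample profiles below are constructed, not real Apple data.
Real usage: unzip the .ipa and point this at Payload/<App>.app/embedded.mobileprovision
"""
import plistlib
import sys
from datetime import datetime, timezone


def extract_profile(raw: bytes) -> dict:
    """Pull the XML plist out of a CMS-wrapped .mobileprovision and parse it.

    The profile is DER-encoded PKCS#7 around a plain XML plist, so locating the
    <?xml ... </plist> span is enough to read its contents (this does NOT verify
    Apple's signature over the profile; it only reads what the profile claims).
    """
    start = raw.find(b"<?xml")
    end = raw.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no XML plist found in provisioning profile")
    return plistlib.loads(raw[start:end + len(b"</plist>")])


def distribution_method(profile: dict) -> str:
    """Map profile keys to the Apple distribution type they correspond to."""
    entitlements = profile.get("Entitlements", {})
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"          # in-house profile: installs on any device
    if "ProvisionedDevices" in profile:
        # UDID-bound profiles: development builds allow a debugger to attach
        return "development" if entitlements.get("get-task-allow") else "ad-hoc"
    return "app-store"


def summarize(raw: bytes) -> dict:
    """Return the fields a reviewer wants at a glance for a sideloaded app."""
    profile = extract_profile(raw)
    expires = profile.get("ExpirationDate")
    now = datetime.now(timezone.utc).replace(tzinfo=None)  # plistlib dates are naive UTC
    return {
        "method": distribution_method(profile),
        "team_name": profile.get("TeamName"),
        "team_id": (profile.get("TeamIdentifier") or [None])[0],
        "app_id": profile.get("Entitlements", {}).get("application-identifier"),
        "expired": bool(expires and expires < now),
    }


def _constructed_profile(body_xml: str) -> bytes:
    """Build a fake .mobileprovision: junk 'signature' bytes around a plist."""
    plist = (
        '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">\n<dict>\n'
        '<key>AppIDName</key><string>Constructed Sample App</string>\n'
        '<key>ExpirationDate</key><date>2030-01-01T00:00:00Z</date>\n'
        '<key>TeamIdentifier</key><array><string>ABCDE12345</string></array>\n'
        '<key>TeamName</key><string>Example Corp (constructed)</string>\n'
        f'{body_xml}\n</dict>\n</plist>'
    ).encode()
    return b"\x30\x82\x0c\x00\x06\x09" + plist + b"\x00\x00\x00\x00"


# Constructed samples: an enterprise in-house profile, a development profile,
# and an ad-hoc profile. The UDID and team identifier are invented.
ENTERPRISE_PROFILE = _constructed_profile(
    "<key>ProvisionsAllDevices</key><true/>\n"
    "<key>Entitlements</key><dict>"
    "<key>application-identifier</key><string>ABCDE12345.com.example.inhouse</string>"
    "<key>get-task-allow</key><false/></dict>"
)
DEVELOPMENT_PROFILE = _constructed_profile(
    "<key>ProvisionedDevices</key><array><string>00008020-000000000000002E</string></array>\n"
    "<key>Entitlements</key><dict>"
    "<key>application-identifier</key><string>ABCDE12345.com.example.dev</string>"
    "<key>get-task-allow</key><true/></dict>"
)
ADHOC_PROFILE = _constructed_profile(
    "<key>ProvisionedDevices</key><array><string>00008020-000000000000002E</string></array>\n"
    "<key>Entitlements</key><dict>"
    "<key>application-identifier</key><string>ABCDE12345.com.example.beta</string>"
    "<key>get-task-allow</key><false/></dict>"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(summarize(fh.read()))
    else:
        for name, blob in [("enterprise", ENTERPRISE_PROFILE),
                           ("development", DEVELOPMENT_PROFILE),
                           ("ad-hoc", ADHOC_PROFILE)]:
            print(name, summarize(blob))
```

A result of `enterprise` for an app you downloaded from a public website is exactly the misuse TechCrunch describes: the signing company pledged the app was for its own employees. The script reads the profile's claims without checking Apple's CMS signature over them, so treat it as triage, not proof; on a device, the same information surfaces as the developer profile iOS asks you to trust under Settings > General (the menu name varies by iOS version) before an enterprise-signed app will launch.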