The barrage of applications taking advantage of Apple’s enterprise certificate program continues today. Reuters reports that software distributors have been using the program to share modified versions of popular apps, such as an ad-free version of Spotify.
Ecobee HomeKit Thermostat
According to the report, software distributors including TutuApp, Panda Helper, AppValley and TweakBox have been using the enterprise certificate program to distribute modified apps.
For example, AppValley offers a version of Spotify that does not include advertisements – even on the free tier. TutuApp distributes a free version of Minecraft, which normally runs $6.99 on the App Store. Other affected apps include Pokémon GO and Angry Birds.
The distributors make money by charging $13 or more per year for subscriptions to what they calls “VIP” versions of their services, which they say are more stable than the free versions. It is impossible to know how many users buy such subscriptions, but the pirate distributors combined have more than 600,000 followers on Twitter.
Reuters says it first contacted Apple last week for statement. Shortly thereafter, many of the pirated applications were banned. A few days later, however, they reappeared through different enterprise certificates.
In its statement, Apple said that it is continuously evaluating misuse of its enterprise certificates:
“Developers that abuse our enterprise certificates are in violation of the Apple Developer Enterprise Program Agreement and will have their certificates terminated, and if appropriate, they will be removed from our Developer Program completely,” an Apple spokesperson told Reuters. “We are continuously evaluating the cases of misuse and are prepared to take immediate action.”
Facebook was first discovered to be using the enterprise certificates program to distribute its Facebook Research VPN. Google was then found to be doing something similar. On Tuesday, a TechCrunch investigation revealed a slew of porn and gambling apps being distributed through the program as well.
Earlier today, TechCrunch’s Josh Constine confirmed that Apple had removed most of the illicit applications mentioned in his investigation. At this point, however, there is little stopping the developers from offering the same app via enterprise certificates through a different developer account.
Apple announced this afternoon that it will start requiring all developer accounts to use two-factor authentication. Some have suggested could help crackdown on this abuse of the enterprise certificate program, but only time will tell.