In yet another abuse of the enterprise distribution program, security analyst Lookout has identified apps (via TechCrunch) that were pretending to be published by cell carriers in Italy and Turkmenistan. The apps were available for iPhone users to download through Safari as they were signed by an enterprise certificate. These apps used carrier branding and pretended to offer utilities for the users’ cell plans when in reality they would ask for every permission they could to track location, collect contact, photos, and more, and had the capability to listen in on users’ phone conversations.
Apps using enterprise certificates are not available through the App Store, but malicious criminals can target iOS users through Safari (perhaps with a phishing attack-esque email) and get people to download the app over the web, outside of the purview of the App Store review process.
Essentially, when an app is distributed with an enterprise certificate, there is no accountability over what the app can do. When a developer applies for an enterprise certificate, Apple makes it plain that apps should only be delivered to employees of the enterprise and not used elsewhere. However, as it stands, there is very little Apple can do to enforce this beyond the policy of advisory language.
This year, we have seen countless abuses of the enterprise system, including high-profile cases like operations at Facebook and Google. Apple revokes the certificate when it becomes aware of individual cases, but it’s clear the company does not have the overall enterprise certificate program under control. In a future software version of iOS, Apple may impose stricter requirements to tighten the security screws on the enterprise program. The company is yet to commit to any such plans however.
Certificates are often stolen or sold on, so licenses to the enterprise developer program that were once used legitimately are now being used nefariously. In the case of the app highlighted by Lookout, it appears to be linked to similar malware that existed on Android called ‘Exodus’.
Mainstream customers can protect themselves by never downloading apps from outside of the App Store. Legitimate phone carriers will never ask customers to install apps from their own websites.
FTC: We use income earning auto affiliate links. More.