Software pirates use Apple technology to put hacked apps on iPhones

SAN FRANCISCO (Reuters) – Software pirates have hijacked technology designed by Apple Inc to distribute hacked versions of Spotify, Angry Birds, Pokemon Go, Minecraft and other popular iPhone apps, Reuters has found.

Illegal software distributors such as TutuApp, Panda Helper, AppValley and TweakBox have found ways to use digital certificates to gain access to a program Apple introduced to allow companies to distribute business apps to their employees without going through Apple’s tightly controlled App Store.

Using so-called corporate developer certificates, these pirate operations provide modified versions of popular apps to consumers, enabling them to stream music without ads and to bypass in-game taxes and regulations, depriving Apple and legitimate app makers of revenue.

By doing so, the pirate app distributors violate the rules of Apple’s developer programs, which only allow apps to be distributed to the public through the App Store. Downloading modified versions violates the terms of service of almost all major apps.

TutuApp, Panda Helper, AppValley and TweakBox did not respond to multiple requests for comment.

Apple has no way of tracking the real-time distribution of these certificates, or the spread of improperly modified apps on its phones, but they can revoke the certificates if they find abuse.

“Developers who abuse our enterprise certificates are in violation of the Apple Developer Enterprise Program Agreement and will have their certificates terminated and, if appropriate, removed from our developer program entirely,” an Apple spokesperson told Reuters. “We are continuously reviewing the cases of abuse and are prepared to take immediate action.”

After Reuters first contacted Apple for comment last week, some of the pirates were banned from the system, but within days they were using different certificates and were back up and running.

“There is nothing to prevent these companies from doing this again from another team, another developer account,” said Amine Hambaba, head of security at software firm Shape Security.

Apple confirmed a media report Wednesday that it would require two-factor authentication — using a code sent to a phone as well as a password — to log into all developer accounts by the end of this month, which could help prevent certificate misuse.

Major app makers Spotify Technology SA, Rovio Entertainment Oyj and Niantic Inc have started to fight back.

Spotify declined to comment on the issue of modified apps, but the streaming music provider said earlier this month that the new terms of service would crack down on users who “create or distribute tools designed to block ads” on the service.

Rovio, the maker of Angry Birds mobile games, said it is actively working with partners to address breaches “for the benefit of both our player community and Rovio as a business.”

Niantic, which makes Pokemon Go, said players who use pirated apps that make it possible to cheat the game are regularly banned for violating its terms of service. Microsoft Corp, which owns the creative building game Minecraft, declined to comment.

SIPHONING OF INCOME

It is unclear how much revenue the pirate distributors take away from Apple and legitimate app makers.

TutuApp offers a free version of Minecraft, which costs $6.99 in Apple’s App Store. AppValley offers a version of Spotify’s free streaming music service with the ads removed.

The distributors make money by charging $13 or more per year for subscriptions to what they call “VIP” versions of their services, which they say are more stable than the free versions. It is impossible to know how many users buy such subscriptions, but the pirate distributors have a total of more than 600,000 followers on Twitter.

Security researchers have long warned about the misuse of corporate developer certificates, which act as digital keys that tell an iPhone that software downloaded from the Internet can be trusted and opened. They are the centerpiece of Apple’s enterprise apps program and enable consumers to install apps on iPhones without Apple’s knowledge.

Apple last month briefly banned Facebook Inc and Alphabet Inc from using corporate certificates after they used them to distribute data-harvesting apps to consumers.

The distributors of pirated apps seen by Reuters use certificates obtained in the name of legitimate businesses, although it is unclear how. Several pirates have posed as a subsidiary of China Mobile Ltd. China Mobile did not respond to requests for comment.

Tech news site TechCrunch reported earlier this week that misuse of certificates also enabled the distribution of pornography and gambling apps, both of which are banned from the App Store.

Since the App Store debuted in 2008, Apple has tried to portray the iPhone as more secure than rival Android devices because Apple reviews and approves all apps distributed to the devices.

Early on, hackers “jailbroken” iPhones by modifying their software to evade Apple’s controls, but that process voided the iPhone’s warranty and scared off many casual users. The exploit of the corporate certificates seen by Reuters does not rely on jailbreaking and can be used on unmodified iPhones.

(This version of the story was re-filed to replace “it” with “about” in paragraph 19)