Misuse of enterprise and developer certificates

From The iPhone Wiki
Revision as of 17:37, 8 April 2015 by Britta (talk | contribs) (more examples)

Some apps are distributed outside the App Store using provisioning profiles and enterprise certificates, which allows those apps to be installed on non-jailbroken iOS devices. This violates Apple's developer agreements.

Some of them used an expired provisioning profile that required the user to set the device's time back to a certain date before installing the app (the "date trick"). The ability to use expired profiles like that was fixed with iOS 8.1.

There is speculation that these misused enterprise certificates sometimes come from companies that got the certificates from Apple for a seemingly legitimate purpose, then mysteriously "went out of business" and started up again using those enterprise certificates for shadier purposes.

It's not known how often iOS checks to see whether an enterprise certificate has been revoked. It's possible that iOS doesn't check very often.

Relatedly, some people sell access to normal iOS developer certificates. These certificates are meant for developers working on apps, and they allow apps to be self-signed and installed on non-jailbroken iOS devices. They cost $99/year from Apple, but each certificate can be associated with 100 devices, so people sometimes sell some of those "UDID slots".
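For auditing an app bundle found on a managed device, the following added example (not from the wiki or from Apple) reads the plist inside a provisioning profile, reports whether it is an enterprise or device-limited developer profile, and shows why expiry must be judged against a trusted clock rather than the device's own. The function names and the sample profile are constructed for illustration; the plist keys are the standard ones found in a profile, and the CMS signature is not verified here.

```python
import plistlib
from datetime import datetime, timezone

def extract_plist(blob: bytes) -> dict:
    """Pull the XML plist out of a CMS-wrapped .mobileprovision blob.
    Triage only: the CMS signature is NOT verified."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def classify(profile: dict, now: datetime) -> dict:
    """Classify a profile and evaluate expiry against the clock passed in."""
    devices = profile.get("ProvisionedDevices", [])
    if profile.get("ProvisionsAllDevices", False):
        kind = "enterprise (in-house)"      # installs on any device
    elif devices:
        kind = "developer/ad hoc"           # limited to listed UDIDs
    else:
        kind = "app store or unknown"
    expires = profile["ExpirationDate"]
    if expires.tzinfo is None:              # plistlib yields naive UTC datetimes
        expires = expires.replace(tzinfo=timezone.utc)
    return {"kind": kind, "team": profile.get("TeamName"),
            "device_slots_used": len(devices), "expired": now >= expires}

def sample_blob() -> bytes:
    """Constructed sample: a plist wrapped in placeholder bytes, not real CMS."""
    body = plistlib.dumps({
        "Name": "Constructed In-House Profile",
        "TeamName": "Example Corp (constructed)",
        "ProvisionsAllDevices": True,
        "ExpirationDate": datetime(2014, 7, 1),
    })
    return b"\x30\x80 placeholder-header " + body + b" placeholder-signature"

if __name__ == "__main__":
    profile = extract_plist(sample_blob())
    trusted = datetime(2015, 4, 8, tzinfo=timezone.utc)       # e.g. server time
    rolled_back = datetime(2014, 6, 1, tzinfo=timezone.utc)   # device clock set back
    print("trusted clock:", classify(profile, trusted))
    print("device clock :", classify(profile, rolled_back))
```

The same profile reads as valid when evaluated against the rolled-back clock, which is why an audit should take the time from a source the device user cannot change.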

Examples

  • iOSEmulatorSpot, JBWithoutJB, and NoJailbreakApps redistribute various apps developed by other people, mostly without permission.
  • Some piracy sites and tools distribute cracked App Store apps that have been re-signed using developer certificates.

Zeusmos (January 2013)

"New services bypass Apple DRM to allow pirated iOS app installs without jailbreaking on iPhone, iPad" (TheNextWeb, January 2013): "It’s unclear exactly how Zeusmos achieves its goal, but judging from the pricing and the correlation between UDIDRegistrations, it appears to utilize a developer licensing certificate to install ‘cracked’ apps which have had their DRM (copy protection) stripped."

KuaiYong (April 2013)

"When Criminals Exploit Apple's Own App Distribution System, What Hope Is There Of Stamping Out Piracy?" (Forbes, April 2013): "Remarkably, the site is powered by Apple’s own enterprise app distribution system, designed to allow large organizations to provide internal apps to staff. What KuaiYong has done is buy one license and then distribute apps to its customers on the pretext that they’re the company’s own staff."

"Chinese website allows pirating of iOS apps, no jailbreaking required" (Examiner, April 2013): "[Kuaiyong] uses Apple's own enterprise app deployment technology."

GBA4iOS (July 2013 and February 2014)

"The Biggest Beta Test in iOS History" (Riley Testut, August 2013): "As you can probably guess, MacBuildServer was using the Enterprise Distribution method to allow installation on non-jailbroken devices. Because GBA4iOS was open-sourced on Github, MacBuildServer was able to download a copy of the code to its servers, compile it into an app, and then distribute it under their own Enterprise Certificate...Apple did what it could to stop this: they revoked MacBuildSever’s enterprise certificate. While it initially seemed that this meant no more downloads of GBA4iOS, it has since been discovered that setting an iOS’ device date to before July 16 (the day Apple revoked the certificate) allows users to download the app again, and after the download they are free to set the date back to the current date. Unfortunately, this is far from a permanent solution, as once in a while iOS checks to see whether the certificate is valid, and if it finds it isn’t, GBA4iOS will no longer open, forcing the user to set their device’s date back again."

"GBA4iOS Is Dead. Long Live GBA4iOS" (Riley Testut, October 2014): "Sure enough, less than thirty minutes (!!) after we released GBA4iOS 2.0, Apple revoked our new certificate once again, but all that did was force people to set the date back to install the app; an inconvenience for sure, but far easier than jailbreaking the device. We’ve continued to update the app since, and it’s survived several iOS updates since then – such as 7.1 and 8.0 – none of which have prevented the Date Trick from working. Of course, that ends with iOS 8.1 when it is released later this month."

Pangu (June 2014) and Pangu 8 (October 2014)

Pangu and Pangu8 use an expired enterprise certificate to help inject the jailbreak, which is removed after the jailbreak is complete.

"iOS 7.1.1 jailbreak uses expired enterprise certificate loophole" (iDownloadBlog, June 2014): "According to his tweets, MuscleNerd says that the most unique part of the Pangu jailbreak is that it uses an expired enterprise certificate as an injection vector. He adds that enterprise certificates are something that have been out of bounds for the iPhone Dev Team, due to legal reasons, but he is glad that this method was used rather than the Pangu team burning through something more native and powerful."

"Jailbreak Should not Tolerate Regional Discrimination" (Pangu Team, March 2015): "In Pangu 7 and Pangu 8, we leveraged expired enterprise certificates to initial the jailbreaking process. We are very glad that some of jailbreak fans donated their own expired enterprise certificates to us. On the other hand, an enterprise certificate only costs a few hundreds dollars. We do not see any reason to steal an enterprise certificate."

Popcorn Time (April 2015)

"Popcorn Time releases iOS app tomorrow, no jailbreak needed" (TorrentFreak, April 7, 2015): "'All a user will need to do to get Popcorn Time on a non jailbroken iOS device is to download the ‘iOS installer’ to his desktop computer, connect his iOS device to the computer with a USB cable, and then just follow simple instructions that will download the app on the iOS device.'"

"How Popcorn Time’s Piracy App Is Sneaking Onto iPhones" (Wired, April 8, 2015): "But the iOS Installer developer does hint that its workaround exploits 'the ability Apple gives to enterprises to install apps on their workers devices.' To those familiar with Apple’s security measures, that sounds like Popcorn Time is using Apple’s iOS Developer Enterprise Program...The Popcorn-Time.se developer confirmed in an email that the team is in fact using revoked or expired enterprise certificates for the installation, though it’s not exactly clear how merely putting the phone into airplane mode can trick it into accepting those old and invalid certificates."