Apple’s Enterprise Certificates Being Used By Software Pirates

Apple has been infiltrated by software pirates who figured out how to use digital certificates to gain access to an Apple program that corporations use to distribute business apps, and who are using that access to roll out hacked versions of popular apps.

According to a report in Reuters, the software pirates – including TutuApp, Panda Helper, AppValley and TweakBox – are using the so-called enterprise developer certificates to provide versions of popular apps that don’t require consumers to view ads, pay fees or follow the rules. As the report noted, that is hurting the revenue streams of both Apple and the app makers. It added that hacked versions of Spotify, Angry Birds, Pokémon Go, Minecraft and other apps are showing up in the App Store.

“Developers that abuse our enterprise certificates are in violation of the Apple Developer Enterprise Program Agreement and will have their certificates terminated, and if appropriate, they will be removed from our developer program completely,” an Apple spokesperson told Reuters. “We are continuously evaluating the cases of misuse and are prepared to take immediate action.”

Shortly after Apple learned of the software pirates’ action, some were banned from the system – but just days later, Reuters spotted them using different certificates to offer the hacked apps again. While security experts said there is nothing that can prevent the companies from opening new accounts and doing it again, Apple is now requiring two-factor authentication, in which a user must provide both a password and a code that is sent to their phone to get access to developer accounts.

While Spotify didn’t comment on the Reuters report, it did say in February that new terms of service are aimed at users who create and make available tools that block advertisers.

The misuse of enterprise developer certificates by hackers has long been a concern of security experts, as the certificates are at the heart of Apple’s program for corporate apps and let consumers install apps without Apple’s knowledge. The certificates are a digital key that communicates to the iPhone that software installed online is trusted. In January, Apple banned Facebook and Alphabet for a short period of time after they used the certificates to distribute apps that gathered data, noted the report.
