Developers Break Out Of The App Store
Written by Mike James
Tuesday, 19 February 2019
It's not so much a breakout, more a sort of bending of the rules. After Google and Facebook were shamed by Apple because they misused their enterprise developer certificates, it now appears that the practice is fairly common.
You can shout the headline "sleazy programmers install malware, porn and pirated apps on innocent iPhones", which is what other news sources have been doing, but it is so much more complicated. It is true that people have been using developer certificates to sell apps outside of the App Store, and this is a bad thing, but it's bad because the code is bad, malware and pirated, not because the act of distributing software outside of a central control is bad - how could it be?
Apple has a problem. It locks down the iPhone using public key cryptography so that only programs that are downloaded from the App Store can run. This is OK, but not everyone wants to make apps available via the App Store. Companies want to develop apps for their own use. They don't even want to submit apps to Apple to have them examined before they are placed in the App Store. An app might have so much commercial value to a company that it is mission critical.
So Apple allows companies to join the Developer Enterprise Program for $299 per year. For this you get a number of certificates, including one that lets you distribute your apps to your employees. Of course, there is no way for Apple to check who you distribute the apps to and this is the back door out of the App Store that is being exploited.
Notice that this is not a technological hack. No one has managed to forge an Apple certificate, or if they have they are keeping quiet about it. People are posing as companies, obtaining certificates and then using them for something other than internal distribution. This seems like a big hole in Apple's security and there doesn't seem to be much that can be done other than punish anyone found crawling through the hole.
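An in-house (enterprise) app carries a provisioning profile that installs on any device, which is the property being abused here. The following added example, not code from the article, shows how a defender auditing device inventories can classify an embedded.mobileprovision file by that marker; the sample profile bytes are constructed, and the signature wrapper is skipped rather than verified.

```python
import plistlib
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: the XML plist that a provisioning profile carries inside
# its CMS/DER signature wrapper (the junk bytes stand in for that wrapper).
SAMPLE_PROFILE = b"\x30\x82\x01\x00junk-der-prefix" + b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Name</key><string>Example In-House Profile</string>
    <key>TeamName</key><string>Example Corp (constructed)</string>
    <key>TeamIdentifier</key><array><string>ABCDE12345</string></array>
    <key>ProvisionsAllDevices</key><true/>
    <key>ExpirationDate</key><date>2020-02-19T00:00:00Z</date>
</dict>
</plist>""" + b"\x00junk-der-suffix"
# Same constructed profile with the enterprise marker removed.
SAMPLE_APPSTORE_PROFILE = SAMPLE_PROFILE.replace(b"<key>ProvisionsAllDevices</key><true/>", b"")

def extract_plist(profile_bytes: bytes) -> dict:
    """Pull the XML plist out of the CMS wrapper (no signature check here)."""
    m = re.search(rb"<\?xml.*?</plist>", profile_bytes, re.DOTALL)
    if not m:
        raise ValueError("no plist found in provisioning profile")
    return plistlib.loads(m.group(0))

def classify_profile(profile_bytes: bytes, now: Optional[datetime] = None) -> dict:
    """Classify how a profile distributes its app, for an inventory audit.
    'enterprise' = Developer Enterprise Program in-house profile: it installs on
    any device, so an app carrying one was not vetted by App Store review."""
    p = extract_plist(profile_bytes)
    now = now or datetime.now(timezone.utc)
    exp = p["ExpirationDate"]          # plistlib returns a naive UTC datetime
    if exp.tzinfo is None:
        exp = exp.replace(tzinfo=timezone.utc)
    if p.get("ProvisionsAllDevices"):
        kind = "enterprise"
    elif p.get("ProvisionedDevices"):   # explicit device list: ad hoc / development
        kind = "ad-hoc-or-development"
    else:
        kind = "app-store"
    return {
        "kind": kind,
        "team": p.get("TeamName"),
        "team_id": (p.get("TeamIdentifier") or [None])[0],
        "expired": exp <= now,          # revoked or lapsed profiles stop the app
    }
```

An expired or revoked profile is how Apple "pulls the plug", so the `expired` flag is the field to watch alongside `kind` when deciding which apps on a fleet depend on a certificate outside your control.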
What Apple has done is to make two-factor authentication mandatory for any developer signing in. Of course, only Apple devices can be used to get the code that Apple sends to the developer, but then what else would you expect? What good does two-factor authentication do? Not much. It proves that the developer concerned actually did sign the code that is being distributed outside of the App Store. It cannot be as easily claimed that someone stole the login details.
A second, possibly more effective defence, is that companies applying for any sort of developer account now have to have a DUNS number. This basically means that Apple is using Dun & Bradstreet to verify that companies are who they say they are. As a more technological verification, they also now demand that you have a website and that its domain name has to be associated with the organization.
I wonder how long it will take to find ways round these two minor checks.
At the bottom of it all, Apple is trying to do the impossible - to make devices secure and to allow companies to freely access them.
More to the point, we need to look at the idea of "free access" to any Apple device. If an app is mission critical to your company, do you really want to give a third party - Dun & Bradstreet or Apple - the ability to pull the plug on it? It seems to me that this is corporate madness and, as Google and Facebook found out, the license can be revoked.