Developers Break Out Of The App Store
Written by Mike James   
Tuesday, 19 February 2019

It's not so much a breakout, more a sort of bending of the rules. After Google and Facebook were shamed by Apple because they misused their enterprise developer certificates, it now appears that the practice is fairly common.

You can shout the headline "sleazy programmers install malware, porn and pirated apps on innocent iPhones" which is what other news sources have been doing but... It is so much more complicated. It is true that people have been using developer certificates to sell apps outside of the App Store, and this is a bad thing, but it's bad because the code is bad, malware and pirated, not that the action of distributing software outside of a central control is bad - how could it be?

appledev

Apple has a problem. It locks down the iPhone using public key cryptography so that only programs that are downloaded from the App Store can run. This is OK, but not everyone wants to make apps available via the App Store. Companies want to develop apps for their own use. They don't even want to submit apps to Apple to have them examined before they are placed in the App Store. An app might have so much commercial value to a company that it is mission critical.

So Apple allows companies to join the Developer Enterprise Program for $299 per year. For this you get a number of certificates, including one that lets you distribute your apps to your employees. Of course, there is no way for Apple to check who you distribute the apps to and this is the back door out of the App Store that is being exploited.

Notice that this is not a technological hack. No one has managed to forge an Apple certificate, or if they have they are keeping quiet about it. People are posing as companies and obtaining certificates and then using them for something other than internal distribution. This seems like a big hole in Apple's security and there doesn't seem to be too much that can be done other than punish anyone found crawling thought the hole.

What Apple has done is to make two-factor authentication mandatory for any developer signing in. Of course, only Apple devices can be used to get the code that Apple sends to the developer, but then what else would you expect? What good does two-factor authentication do? Not much. It proves that the developer concerned actually did sign the code that is being distributed outside of the App Store. It cannot be as easily claimed that someone stole the log in details.

A second, possibly more effective defence, is that companies applying for any sort of developer account now have to have a DUNS number. This basically means that Apple is using Dun & Bradstreet to verify that companies are who they say they are. As a more technological verification, they also now demand that you have a website and that its domain name has to be associated with the organization.

I wonder how long it will take to find ways round these two minor checks.

At the bottom of it all, Apple is trying to do the impossible - to make devices secure and to allow companies to freely access them.

More to the point, we need to look at the idea of "free access" to any Apple device. If an app is mission critical to your company do you really want to give a third party - Dun & Bradstreet or Apple - the ability to pull the plug on it? It seems to me that this is corporate madness and, as Google and Facebook found out, the license can be revoked. .

appstoreicon

More Information

The Apple Developer Program

Banner


SnapCode: A Java IDE for the Web
27/02/2024

Thanks to CheerpJ and WebAssembly you can now run a Java IDE inside your browser and local first.This is SnapCode, and while lightweight and in-browser, is to be not underestimated.



Android 15 Developer Preview Updated
25/03/2024

Google has released Android 15 Developer Preview 2 with changes including better handling of automatic language switching and updates for OpenJDK 17.


More News

raspberry pi books

 

Comments




or email your comment to: comments@i-programmer.info



Last Updated ( Tuesday, 19 February 2019 )