Online Gambling Apps Reportedly Abusing Apple Enterprise Certificate System

Multiple media outlets have reported that unauthorized online gambling and other adult-oriented apps have been taking advantage of Apple’s Enterprise Certificate program to bypass App Store safeguards designed to prevent those types of apps from being distributed.

The findings were first reported by TechCrunch, which also named-and-shamed more than a dozen real-money gambling apps that managed to escape Apple’s oversight and flaunt their wares on the App Store’s family-friendly platform.

According to TechCrunch, “the developers passed Apple’s weak Enterprise Certificate screening process or piggybacked on a legitimate approval, allowing them to sidestep the App Store and Cupertino’s traditional safeguards designed to keep iOS family-friendly. Without proper oversight, they were able to operate these vice apps that blatantly flaunt Apple’s content policies.”

Modus Operandi

Naked Security Sophos noted that Apple did not explain how the apps got past its vetting to enter the Enterprise Certificate app program. However, TechCrunch explains in detail how developers could get around Apple’s lax standards for accepting businesses into its program.

Developers can fill out a form online and then pay $299 to Apple. The firm asks them to guarantee that they are building the Enterprise Certificate app for their internal-employee use only and that they have the legal authority to register the business.

Finally, they need to provide a D-U-N-S business identity number (easy enough to nab a legitimate business’ number through a simple Google search).

The developers then have their apps certified, through a simple phone call from Apple, as part of Apple’s Enterprise program, and this gets them sideloaded onto iOS without the need to go through the App Store.

Following TechCrunch’s report regarding the mobile betting apps, Apple issued a statement explaining that “developers that abuse our enterprise certificates are in violation of the Apple Developer Enterprise Program Agreement and will have their certificates terminated, and if appropriate, they will be removed from our Developer Program completely. We are continuously evaluating the cases of misuse and are prepared to take immediate action.”

TechCrunch reports that Apple has already disabled some of the apps, but many remain operational. The site recommends that “given the number of policy-violating apps that are being distributed to non-employees using registrations for businesses unrelated to their apps, it’s clear that Apple needs to tighten the oversight on the Enterprise Certificate program”.

Gambling Apps Outed by TechCrunch

This is the list of apps that were found to be in possession of Apple Enterprise Certification.  In the chart below, you’ll find the app name, the certificate holder and the certificate holder business type. In many cases, you’ll see that the certificate holder doesn’t have any connection to the gambling industry at all.

In the case of Dragon Gaming, for example, the certificate holder is in fact a US-based gravel company. These are called “rogue certificates” because they aren’t actually associated with the real certificate holder.

The gist of the con is that groups are able to gain control of Enterprise Certificates and then sell them on (mostly Asian) marketplaces. The result is that sometimes more than 10 apps are signed with the same Enterprise Certificate. You can see that this was the case with Mohajer International and Sungate Technologies below.

| App Name | Certificate Holder | Certificate Holder Business Type |
| --- | --- | --- |
| RD POKER | Mohajer International Communications | US software developer |
| River Poker | Mohajer International Communications | US software developer |
| P8 Poker, 1SGames – 4 different websites | Lucky8 Technology Inc | Gambling |
| Live22 | Lucky8 Technology Inc | Gambling |
| Dragon Gaming | CSL-Loma | US gravel company |
| PokerArrow | Interprener LLC | n/a |
| Poker 88 | Sungate Technologies Co Ltd. | Taiwanese manufacturer |
| Naga Poker | Sungate Technologies Co Ltd. | Taiwanese manufacturer |
| SSS Poker | Sungate Technologies Co Ltd. | Taiwanese manufacturer |
| Texas Poker/IDN Poker – 2 websites | Sungate Technologies Co Ltd. | Taiwanese manufacturer |
| PKV Games – 2 websites | Asianlivetech software services company | Vietnamese software developer |

Apple’s Turn in the Hot Seat

If Facebook CEO Mark Zuckerberg got a chuckle out of Apple’s latest misfortune, it would be hard to blame him. Last year, Apple CEO Tim Cook criticized Facebook for allowing Cambridge Analytica to abuse the Facebook platform in order to improperly acquire data from users. When asked what he would do in Zuckerberg’s position, Tim Cook said he “wouldn’t be in this situation.”

This week’s news comes on the heels of revelations just last month that Apple had disabled the internal apps used by employees of Google and Facebook for abusing the Enterprise Certificate program to distribute public apps designed to mine users’ data.

In that scandal, Apple caught Google distributing the “Screenwise Meter” app and Facebook distributing the “Facebook Research” app against App Store rules. Both apps were designed specifically to collect user data, which violates App Store rules.

Although Google and Facebook disabled the apps that used the Enterprise Certificate program, Apple initially opted to revoke their certificates entirely.

Google played down the matter, with a spokesperson saying: “We’re working with Apple to fix a temporary disruption to some of our corporate iOS apps, which we expect will be resolved soon”.

It also issued a humble explanation, saying “The Screenwise Meter iOS app should not have operated under Apple’s developer Enterprise program – this was a mistake, and we apologize. We have disabled this app on iOS devices. This app is completely voluntary and always has been. We’ve been upfront with users about the way we use their data in this app, we have no access to encrypted data in apps and on devices, and users can opt out of the program at any time.”

Google and Facebook were both able to convince Apple to restore their internal apps, but more oversight can be expected moving forward. The fact that Facebook and Google managed to scoot around Apple’s rules in order to gather data led to Apple cracking down on anyone circumventing its rules – and to the discovery of the unauthorized gambling apps.
