How Apple’s enterprise app program became the new Wild West of mobile apps

Photo by Amelia Holowaty Krales / The Verge

Apple’s iOS platform has a seedy underbelly that, for years, has been lurking largely unseen, letting both app makers and iPhone owners bypass the App Store’s restrictions to load pirated games, media, and all manner of software that Apple forbids. The most staggering part of this illicit app underworld? Apple is responsible.

The company creates and distributes a suite of developer tools for an annual fee of just a few hundred dollars that allows sketchy apps onto the iPhone. While the result isn’t quite as robust as the jailbreaking community that emerged in the iPhone’s earliest years, it’s abetting perhaps an even murkier landscape of apps with uncertain security, privacy permissions, and potentially ulterior motives when it comes to making money.

Last month, TechCrunch reported that Facebook was distributing a data-siphoning VPN app to adults and teens that gave it near-complete access to their iPhone data in exchange for a mere $20 a month in gift cards. Facebook was able to do what it did by using an Apple-made developer tool that was explicitly designed to let apps bypass the App Store, and that, until now, had largely escaped scrutiny.

The Apple Developer Enterprise Program, as it’s called, is a platform similar to the company’s standard app development one that’s designed specifically for companies with hundreds to thousands of employees. By paying $300 a year for a certificate license, you’re able to distribute apps that have not undergone App Store review to many thousands of people. Because Apple has no hand in reviewing the software or checking which permissions it might be tapping into, these apps have the potential to violate iOS policies on user privacy, adult content, copyright infringement, and other areas of questionable legality, like online gambling.

Historically, the program is used for testing and internal distribution of apps before they’re sent to the App Store for official review. Google, Facebook, and countless other app makers all use the program to test internal versions of iOS software, like Instagram and Google Maps, before those versions become official updates, a process many companies say is a necessary part of large-scale development to avoid bugs and security flaws and to improve the overall quality of the software. Apple advertises it as a way for companies to distribute apps that have a purpose only for employees, too. For instance, Google has one to manage its employee shuttles to and from San Francisco and its Mountain View headquarters, as do many other large tech companies in the Bay Area.

But, as previous reports have found and according to multiple employees of large tech companies who spoke to The Verge, Apple’s enterprise program contains few oversight protections that would prevent developers from abusing their certificates. It’s not just Facebook and Google’s egregious VPN apps or the occasional flagrant TV and movie torrent software, either. A trail of virtual breadcrumbs has since led reporters to unearth thousands of prohibited iOS apps, from gambling and porn software to pirated games and ad-free versions of Spotify. And it now looks as if an entire underground world of secretly sideloaded apps that violate Apple’s terms are available direct to consumers — if you know where to look.

As reported by Reuters last week, numerous companies operate illicit app stores that utilize the enterprise program to sidestep Apple’s screening processes. Not only must the storefronts be sideloaded, but nearly every piece of software available in those storefronts must also be independently sideloaded, revealing confusing webs of what appear to be fake companies with access to Apple’s enterprise certificates. As TechCrunch reported earlier this week with regard to gambling and porn apps, some of these certificates are forged or stolen, with registrations leading to legitimate companies, like the US office of a Canadian sand and gravel company in one case, that seem to have no reason to be in the business of knock-off app development. Others seem to be entirely invented entities like “Century Securities Co., Ltd.” and “BUTA, OOO.”

One such marketplace, TutuApp, is a Hong Kong-based purveyor of ripped-off Nintendo intellectual property in the form of such illegitimate games as Pokémon New World and an app plainly called Pokémon remake. It also offers pirated versions of mobile Minecraft, Clash Royale, the aforementioned ad-free Spotify, and what appear to be knock-off games spanning franchises like Yu-Gi-Oh, The Simpsons, and numerous other well-known US and Japanese gaming and entertainment brands.

In some cases, these apps are plastered with ads. In one particularly fascinating example, an ad for the retail version of Minecraft is displayed when opening the pirated version of Minecraft. TutuApp, alongside a similar piracy storefront called TweakBox and the now-defunct AppValley, also offer what the companies claim are “VIP” subscriptions. In the case of TutuApp, that means no ads and access to exclusive “VIP customer service” for these pirated games and apps, whatever that may involve.

Here’s the story of how I installed TutuApp on my own phone and got more than I bargained for:

These apps — TutuApp, in particular — have alarmingly polished app stores with slick designs, user review systems, and app leaderboards. It’s not entirely clear where this software is coming from. Some of it may be made by in-house developers, while others, like the ad-free version of Spotify that appears to repackage the iOS app with an ad blocker built in, seem to be projects put out by independent developers. What is clear is that each one of these apps has independent permissions, and perhaps the independent ability to access unwanted parts of your phone; installing a version of Pokémon New World on your phone installs an entirely new enterprise certificate with permissions that are not easily decipherable.
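One way to make those permissions decipherable from the defender’s side is to read the provisioning profile that ships inside the app. The following added Python example (not code from The Verge or from any company named here) pulls `Payload/<App>.app/embedded.mobileprovision` out of an .ipa, extracts the plist from its CMS wrapper, and reports which team signed it, whether it is an enterprise (in-house) profile, and whether it has expired; the sample profile, team name and identifiers are constructed, and the CMS wrapper bytes are a stand-in rather than a real signature.

```python
import io
import plistlib
import zipfile
from datetime import datetime, timezone

# Constructed profile (not a real certificate): standard embedded.mobileprovision keys, made-up team and IDs.
SAMPLE_PROFILE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>TeamName</key><string>Example Gravel Co. (constructed)</string>
  <key>TeamIdentifier</key><array><string>EXAMPLE123</string></array>
  <key>ProvisionsAllDevices</key><true/>
  <key>ExpirationDate</key><date>2020-03-01T00:00:00Z</date>
  <key>Entitlements</key><dict><key>get-task-allow</key><false/></dict>
</dict></plist>"""
# Stand-in for the DER/CMS SignedData wrapper that surrounds the plist in a real file (constructed bytes).
SAMPLE_PROFILE_BLOB = b"\x30\x82\x10\x00\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02" + SAMPLE_PROFILE_XML + b"\x00" * 8

def extract_profile(blob: bytes) -> dict:
    """Pull the plist out of a CMS-wrapped .mobileprovision (no signature check; on macOS `security cms -D -i <file>` decodes it)."""
    start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist payload in provisioning profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def distribution_kind(profile: dict) -> str:
    """Classify by the fields Apple writes: only enterprise profiles provision all devices."""
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"  # in-house distribution: no App Store review, runs on any device
    if "ProvisionedDevices" in profile:  # UDID-pinned: development or ad hoc
        return "development" if profile.get("Entitlements", {}).get("get-task-allow") else "ad-hoc"
    return "app-store"

def summarize(profile: dict, now: datetime = None) -> dict:
    """What a reviewer wants to know: who signed it, what kind of profile, whether it has lapsed."""
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)  # plistlib dates are naive UTC
    exp = profile.get("ExpirationDate")
    return {
        "team": profile.get("TeamName"),
        "team_id": (profile.get("TeamIdentifier") or [None])[0],
        "kind": distribution_kind(profile),
        "expired": exp is not None and exp <= now,
    }

def profile_from_ipa(ipa_bytes: bytes) -> dict:
    """Read Payload/<App>.app/embedded.mobileprovision out of an .ipa (a zip archive)."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        for name in z.namelist():
            if name.startswith("Payload/") and name.endswith(".app/embedded.mobileprovision"):
                return extract_profile(z.read(name))
    raise ValueError("no embedded.mobileprovision in IPA")

def build_sample_ipa() -> bytes:
    """Constructed .ipa holding only the sample profile (no app binary)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Sample.app/embedded.mobileprovision", SAMPLE_PROFILE_BLOB)
    return buf.getvalue()

if __name__ == "__main__":
    print(summarize(profile_from_ipa(build_sample_ipa())))
```

Run against a real .ipa, an "enterprise" result on a consumer device is the signal worth investigating: the app was installed under an in-house certificate, not through App Store review.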

There’s no telling what type of data these apps can access or what any one developer’s primary business model is. And while it’s unlikely your average iOS consumer would ever run across this software, it’s certainly not difficult to find. TutuApp runs a Twitter account with more than 170,000 followers, including links that, if followed from the Twitter mobile app, will take you to the company’s website where you can download the enterprise certificate and install the app store in a matter of seconds. And if you go digging, as TechCrunch did in its gambling and porn app investigation, you can find lists of thousands of individual apps that don’t require a storefront like TutuApp to download, so long as you have the necessary information needed to look up those apps’ certificates.

One surprising element we discovered about Apple’s enterprise certificate program is that it’s not a new way to sidestep the App Store; for years, it’s been viewed as one of the leakiest pipes in Apple’s platform infrastructure.

In the early years of iOS, jailbreaking remained the primary method for sideloading apps onto an iPhone, but it required downloading a modified operating system and forgoing timely updates, Apple customer support, and other perks of the iOS ecosystem that came with Apple’s walled garden approach. But as jailbreaking began to decline in popularity — and iOS became a ubiquitous platform with hundreds of millions of users — the enterprise program has emerged as a viable alternative.

Riley Testut, an iOS developer who’s been active in the video game emulation community for years, says he first came across enterprise certificates in 2014 when he distributed his Game Boy Advance emulator, GBA4iOS, using the program. “Basically, there was a service that was founded called MacBuildServer that would let you put a GitHub URL in its website and clone it into an iOS app. It was meant for testing open-source components,” Testut tells me. But, like Apple itself, MacBuildServer wasn’t closely looking at the apps that were being compiled using its automated service.

So Testut tried using an enterprise certificate to let people put his emulator on their iPhones — for a few moments, anyway. “When I released GBA4iOS, Apple revoked the certificate like 30 minutes after it was launched,” he says, likely because Testut was tweeting about it, and it was closely followed by Apple blogs at the time.

Still, savvy users could simply change the date of the iPhone and disable its ability to pull the time and day from the internet, which let the emulator keep working. But Apple ultimately closed that loophole, too. Testut is currently working on a new Nintendo emulator called Delta that he plans to try and distribute through new means in the future, although he won’t say exactly what method he’s pursuing.

But unwanted Game Boy emulators, pirated software, and porn aren’t the only ways that Apple’s enterprise certificate program has grown beyond Apple’s ability to easily control. Over the years, it’s become a backbone of large tech companies that build many of their own software tools.

In the case of massive Silicon Valley giants like Facebook and Google, a number of infrastructure tools — everything from workplace communication to shuttle bus coordination — run on these internal apps. When Apple began wholesale revoking Facebook and Google’s certificates in response to the VPN apps, in what some view as a kind of warning shot, employees at those companies were unable to get work done, check what meals were being served in the cafeteria, or even figure out how to get home.

While that kind of dependence on internal apps is reserved for only the biggest software companies, it’s a widely accepted practice in the tech industry to distribute tools to your employees using the enterprise program. If your employees use iPhones, and you need mobile tools that you only want your employees to be able to access, sources tell The Verge that the enterprise program is effectively the best option.

By comparison, the App Store review process makes pushing out new versions tedious and cumbersome, while Apple’s TestFlight platform is designed mainly for small development teams and startups that want to distribute apps to beta testers. So if you work in the Bay Area for a company that makes any kind of software, chances are you have apps on your phone designed only for you and your co-workers that are accessible only with the right certificate.

But as software companies have gotten bolder about using Apple’s workaround — since Apple never told them no — they’re starting to push the boundaries of what’s acceptable. Technically, Apple’s guidelines say you should only be using the program to distribute apps for internal use. “Enroll in the Apple Developer Enterprise Program only if you intend to distribute proprietary apps to employees within your organization,” reads the description of the requirements when trying to enroll in the program through Apple’s website. “If you intend to distribute apps outside of your organization through the App Store, enroll in the Apple Developer Program.”

But some companies see the enterprise program as a legitimate, even encouraged, way to get around App Store requirements to distribute everything from beta versions of public software to apps designed only for contract workers in the on-demand economy. It’s this mentality, and Apple largely turning a blind eye toward this form of public app installation, that led both Google and Facebook to think they could get away with distributing VPN apps to research participants in ways that blatantly violated Apple’s policies. And if large companies can get away with it, so too can small, unheard-of entities peddling pirated content on marketplaces like TutuApp.


Apple did not immediately respond to a request for comment for this story. But in a statement it issued to Reuters, the company said it planned to be more proactive. “Developers that abuse our enterprise certificates are in violation of the Apple Developer Enterprise Program Agreement and will have their certificates terminated, and if appropriate, they will be removed from our Developer Program completely,” an Apple spokesperson said. “We are continuously evaluating the cases of misuse and are prepared to take immediate action.”

Additionally, Apple plans to require developers to verify their identities using two-factor authentication. That could cut down on the practice of forging, loaning, or selling enterprise certificates, as Testut suspects many Chinese operations are engaging in. “Every time Apple revokes a certificate, which happens once every few months or so, they just somehow get another one,” he tells me. There is the possibility, he adds, that a number of companies in China maintain robust enterprise program subscriptions for the sole purpose of selling access to independent app makers that want to distribute software outside the App Store.

But Testut doesn’t think there is a best-of-both-worlds solution for Apple. “I don’t know if there’s a feasible way to simultaneously have the ability for companies to install an unlimited number of apps to their employees, but also maintain oversight,” he says. “I think Apple will just be more assertive now in actively banning them. I think before they didn’t care enough, and now… well, just everyone knows about it.”

As for the future of sideloading on iOS, Testut thinks so long as Apple itself has a way to get an internal app onto an iOS device, so too will third-party developers. “I think as long as there is some way out there to do it, people will keep doing it.”

Calling it now: Apple is going to lock this shit down and phase it out in favor of Testflight betas.

while Apple’s TestFlight platform is designed mainly for small development teams and startups that want to distribute apps to beta testers

I don’t think this will work for companies like Facebook and Google. If Apple is so bold to make Facebook and Google’s development lives impossible, the iPhone will no longer have a Facebook, Instagram, WhatsApp, Facebook Messenger, Gmail, or Google Maps app and that could easily make people switch to Android. Apple simply can’t afford to lose those apps from the app store.

All this only highlights how badly the single app store idea doesn’t work. If the US FTC had any teeth, they would force Apple to allow sideloaded apps (like Android), or 3rd party app stores, because Apple is operating a monopoly on their platform and the iPhone has about 60% of the market in the US. I feel that workarounds like these are the only thing keeping Apple’s walled garden holding up in court.

Where’d you get that 60% marketshare number? From what I can see, iOS has something around 40-45% of the market, and 35-40% of device sales a quarter.

And having a monopoly on your own platform isn’t actually a thing, at least in the US. The question is whether or not the platform is a monopoly in its market, in this case, smartphones.

Apple’s walled garden is akin to Microsoft and Sony walled gardens with game systems. The device is an appliance, and the content is controlled by the vendor.

It’s not a "monopoly" in the legal sense; you’re buying hardware and a software license, and that license allows you to do certain things. Just like Xbox and PlayStation, you can only buy content from the store the vendor provides with the operating system.

They are under no obligation to make it easy to install other operating systems since it isn’t in their business model. You can install another operating system and use that on the device if you so choose, but the manufacturer should not be required to make it easy.

Antitrust is complicated, and people have difficulty understanding it.

I’ll add another analogy.

Apple has a "monopoly" in the form of the App Store only in the sense that Whole Foods has a "monopoly" in its grocery stores.

Both get to choose which products are sold there and at what prices. They can reject suppliers that don’t meet their standards for whatever reason in their sole discretion.

There is nothing monopolistic about that in the eyes of government regulators.

Apple owns the App Store – it does not have monopolistic control of the market for mobile devices and software.

Interesting… Would there be a different assessment if the Apple ecosystem became dominant to the extent Windows did in the 90s, and could the need to avoid this be one reason why Apple maintains high prices?

Any chance we could get a link to that background??? <3

Microsoft is using TestFlight. My understanding is they are using it internally, in addition to externally. For example, I get OneDrive betas pushed to my phone via TestFlight.

Fun fact, we also receive developer certs for internal Apple apps too.

So it’s not just an external aspect, we use them internally for the same reasons (Mac Caffe, Commute, Meetings etc.).

Major changes to the program will also hurt internally, so here’s hoping there’s a better validation check than pushing everything to TestFlight (which I honestly can’t see as a working solution).

Stepping back, this was added for a simple reason: Apple wanted businesses to use iDevices for LOB applications. They’re not going to put their proprietary apps up on the App Store for everyone to download. So they need a way to distribute apps outside of the App Store (or, a way to do it easily inside the App Store). Moreover, businesses don’t typically install all the bits one bit at a time, they do it by making a master image and then imaging hardware as needed. This ensures that each machine is identical and isn’t missing things.

If Apple hadn’t done it – businesses would be far, far less inclined to use iDevices, especially larger businesses.

Where Apple went wrong is that they didn’t control this necessary feature to the same degree they did apps in the public store. A better solution would have been to offer a way to apply an image to a new device, similar to an Apple iOS update, and have Apple vet the image. Included in the image would be a PKI key that identifies the business owning the software. Then any app that’s signed with the key could be downloaded from the regular App Store. If you try installing it on an iDevice that’s not one of the business’ the app won’t run (or better – the install process would fail).

I am pretty sure that no self-respecting company would like to disclose their internal software to Apple – the violations of the Human Interface Guidelines alone would result in a lifetime ban.

The company creates and distributes a suite of developer tools for an annual fee of just a few hundred dollars that allows sketchy apps onto the iPhone

don’t, just don’t.

that’s essentially the same as saying supermarkets sell knives for just a few dollars that contribute to dozens of stabbings every year.

shame about the sensationalism, I’m sure the rest of the article was probably ok.

I’m not a software developer, so this is probably a dumb suggestion.

Why can’t Apple create a feature on the App Store where companies can password protect entry to a mini App Store that only their employees can access and download these internal apps?

That would give Apple some gatekeeper power – seeing both the companies distributing and the users downloading – while they could partition off the actual apps so Apple isn’t spying on them.

Bad idea? Or does that not solve anything?

Please stop blowing up my spot and let me play my Gameboy ROMs in peace.

Surely at the end of the day it’s none of Apple’s business if users want to disregard their rules and take the risk…

I just want to use my phone in peace, regardless of what content I delve into on my device. And since iOS is such a closed walled garden that’s why I stick w/ Android

Your first sentence could also have been an argument for the walled garden though. Apart from zero days and tools that we assume are only available to government agencies, I think the iOS security landscape is more peaceful.
