Apple’s iOS platform has a seedy underbelly that, for years, has been lurking largely unseen, letting both app makers and iPhone owners bypass the App Store’s restrictions to load pirated games, media, and all manner of software that Apple forbids. The most staggering part of this illicit app underworld? Apple is responsible.
The company creates and distributes a suite of developer tools for an annual fee of just a few hundred dollars that allows sketchy apps onto the iPhone. While the result isn’t quite as robust as the jailbreaking community that emerged in the iPhone’s earliest years, it’s abetting perhaps an even murkier landscape of apps with uncertain security, privacy permissions, and potentially ulterior motives when it comes to making money.
Last month, TechCrunch reported that Facebook was distributing a data-siphoning VPN app to adults and teens that gave it near-complete access to their iPhone data in exchange for a mere $20 a month in gift cards. Facebook was able to do what it did by using an Apple-made developer tool that was explicitly designed to let apps bypass the App Store, and that, until now, has largely escaped scrutiny.
The Apple Developer Enterprise Program, as it’s called, is a platform similar to the company’s standard app development one that’s designed specifically for companies with hundreds to thousands of employees. By paying $300 a year for a certificate license, you’re able to distribute apps that have not undergone App Store review to many thousands of people. Because Apple has no hand in reviewing the software or checking which permissions it might be tapping into, these apps have the potential to violate iOS policies on user privacy, adult content, copyright infringement, and other areas of questionable legality, like online gambling.
Historically, the program is used for testing and internal distribution of apps before they’re sent to the App Store for official review. Google, Facebook, and countless other app makers all use the program to test internal versions of iOS software, like Instagram and Google Maps, before those versions become official updates, a process many companies say is a necessary part of large-scale development to avoid bugs, security flaws, and to improve overall quality of the software. Apple advertises it as a way for companies to distribute apps that have a purpose only for employees, too. For instance, Google has one to manage its employee shuttles to and from San Francisco and its Mountain View headquarters, as do many other large tech companies in the Bay Area.
But, as previous reports have found and according to multiple employees of large tech companies who spoke to The Verge, Apple’s enterprise program contains few oversight protections that would prevent developers from abusing their certificates. It’s not just Facebook and Google’s egregious VPN apps or the occasional flagrant TV and movie torrent software, either. A trail of virtual breadcrumbs has since led reporters to unearth thousands of prohibited iOS apps, from gambling and porn software to pirated games and ad-free versions of Spotify. And it now looks as if an entire underground world of secretly sideloaded apps that violate Apple’s terms are available direct to consumers — if you know where to look.
As reported by Reuters last week, numerous companies operate illicit app stores that utilize the enterprise program to sidestep Apple’s screening processes. Not only must the storefronts be sideloaded, but nearly every piece of software available in those storefronts must also be independently sideloaded, revealing confusing webs of what appear to be fake companies with access to Apple’s enterprise certificates. As TechCrunch reported earlier this week with regard to gambling and porn apps, some of these certificates are forged or stolen, with registrations leading to legitimate companies, like the US office of a Canadian sand and gravel company in one case, that seem to have no reason to be in the business of knock-off app development. Others seem to be entirely invented entities like “Century Securities Co., Ltd.” and “BUTA, OOO.”
One such marketplace, TutuApp, is a Hong Kong-based purveyor of ripped-off Nintendo intellectual property in the form of such illegitimate games as Pokémon New World and an app plainly called Pokémon remake. It also offers pirated versions of mobile Minecraft, Clash Royale, the aforementioned ad-free Spotify, and what appear to be knock-off games spanning franchises like Yu-Gi-Oh, The Simpsons, and numerous other well-known US and Japanese gaming and entertainment brands.
In some cases, these apps are plastered with ads. In one particularly fascinating example, an ad for the retail version of Minecraft is displayed when opening the pirated version of Minecraft. TutuApp, alongside a similar piracy storefront called TweakBox and the now-defunct AppValley, also offers what the companies claim are “VIP” subscriptions. In the case of TutuApp, that means no ads and access to exclusive “VIP customer service” for these pirated games and apps, whatever that may involve.
Here’s the story of how I installed TutuApp on my own phone, and got more than I bargained for:
These apps — TutuApp, in particular — have alarmingly polished app stores with slick designs, user review systems, and app leaderboards. It’s not entirely clear where this software is coming from. Some of it may be made by in-house developers, while others, like the ad-free version of Spotify that appears to repackage the iOS app with an ad blocker built in, seem to be projects put out by independent developers. What is clear is that each one of these apps has independent permissions, and perhaps the independent ability to access unwanted parts of your phone; installing a version of Pokémon New World on your phone installs an entirely new enterprise certificate with permissions that are not easily decipherable.
There’s no telling what type of data these apps can access or what any one developer’s primary business model is. And while it’s unlikely your average iOS consumer would ever run across this software, it’s certainly not difficult to find. TutuApp runs a Twitter account with more than 170,000 followers, including links that, if followed from the Twitter mobile app, will take you to the company’s website where you can download the enterprise certificate and install the app store in a matter of seconds. And if you go digging, as TechCrunch did in its gambling and porn app investigation, you can find lists of thousands of individual apps that don’t require a storefront like TutuApp to download, so long as you have the necessary information needed to look up those apps’ certificates.
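The enterprise certificate that arrives with each sideloaded app is less opaque than it looks: every such app ships an embedded.mobileprovision profile whose plist names the team, the expiry date, whether the profile provisions all devices (the mark of an in-house, enterprise profile rather than an ad hoc or App Store one) and the entitlements granted. The Python triage helper below is an added example, not code from The Verge or from any company named here; the profile bytes are constructed for illustration, and real profiles wrap this XML in a CMS/PKCS#7 envelope, which the extractor handles by slicing out the plist.

```python
import plistlib
from datetime import datetime, timezone
# Constructed sample: the XML plist inside an in-house (enterprise) .mobileprovision.
# Real files wrap this XML in a CMS/PKCS#7 DER envelope; extract_plist() slices it out.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>Example In-House Profile</string>
  <key>TeamName</key><string>Example Sand and Gravel LLC</string>
  <key>TeamIdentifier</key><array><string>EXAMPLETEAM</string></array>
  <key>ProvisionsAllDevices</key><true/>
  <key>ExpirationDate</key><date>2020-01-01T00:00:00Z</date>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>EXAMPLETEAM.*</string>
    <key>get-task-allow</key><false/>
  </dict>
</dict></plist>
"""

def extract_plist(profile_bytes):
    """Return the plist dict embedded in a .mobileprovision (CMS-wrapped or bare)."""
    start = profile_bytes.find(b"<?xml")
    end = profile_bytes.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(profile_bytes[start:end + len(b"</plist>")])

def classify(profile):
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"  # installs on any device; no UDID list needed
    if profile.get("ProvisionedDevices"):
        return "ad-hoc-or-development"  # limited to an explicit UDID list
    return "app-store"

def triage(profile_bytes, now=None):
    p = extract_plist(profile_bytes)
    now = now or datetime.now(timezone.utc)
    exp = p["ExpirationDate"]
    if exp.tzinfo is None:  # plistlib returns naive UTC datetimes
        exp = exp.replace(tzinfo=timezone.utc)
    ents = p.get("Entitlements", {})
    return {
        "kind": classify(p),
        "team": p.get("TeamName"),
        "team_ids": list(p.get("TeamIdentifier", [])),
        "expired": exp < now,
        # wildcard app ID: one profile can sign many unrelated bundles
        "wildcard_app_id": ents.get("application-identifier", "").endswith("*"),
        "entitlements": sorted(ents),
    }
```

Running triage() on a profile pulled from an IPA or from a device's profile list tells an MDM admin or incident responder at a glance whether the app came through the enterprise channel, who holds the team, and what it is entitled to do.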
One surprising element we discovered about Apple’s enterprise certificate program is that it’s not a new way to sidestep the App Store; for years, it’s been viewed as one of the leakiest pipes in Apple’s platform infrastructure.
In the early years of iOS, jailbreaking remained the primary method for sideloading apps onto an iPhone, but it required downloading a modified operating system and forgoing timely updates, Apple customer support, and other perks of the iOS ecosystem that came with Apple’s walled garden approach. But as jailbreaking began to decline in popularity — and iOS became a ubiquitous platform with hundreds of millions of users — the enterprise program has emerged as a viable alternative.
Riley Testut, an iOS developer who’s been active in the video game emulation community for years, says he first came across enterprise certificates in 2014 when he distributed his GameBoy Advance emulator, GBA4iOS, using the program. “Basically, there was a service that was founded called MacBuildServer that would let you put a GitHub URL in its website and clone it into an iOS app. It was meant for testing open-source components,” Testut tells me. But, like Apple itself, MacBuildServer wasn’t closely looking at the apps that were being compiled using its automated service.
So Testut tried using an enterprise certificate to let people put his emulator on their iPhones — for a few moments, anyway. “When I released GBA4iOS, Apple revoked the certificate like 30 minutes after it was launched,” he says, likely because Testut was tweeting about it, and it was closely followed by Apple blogs at the time.
Still, savvy users could simply change the date of the iPhone and disable its ability to pull the time and day from the internet, which let the emulator keep working. But Apple ultimately closed that loophole, too. Testut is currently working on a new Nintendo emulator called Delta that he plans to try to distribute through new means in the future, although he won’t say exactly what method he’s pursuing.
But unwanted Game Boy emulators, pirated software, and porn aren’t the only ways that Apple’s enterprise certificate program has grown beyond Apple’s ability to easily control. Over the years, it’s become a backbone of large tech companies that build many of their own software tools.
In the case of massive Silicon Valley giants like Facebook and Google, a number of infrastructure tools — everything from workplace communication to shuttle bus coordination — run on these internal apps. When Apple began wholesale revoking Facebook and Google’s certificates in response to the VPN apps, in what some view as a kind of warning shot, employees at those companies were unable to get work done, check what meals were being served in the cafeteria, or even figure out how to get home.
While that kind of dependence on internal apps is reserved for only the biggest software companies, it’s a widely accepted practice in the tech industry to distribute tools to your employees using the enterprise program. If your employees use iPhones, and you need mobile tools that you only want your employees to be able to access, sources tell The Verge that the enterprise program is effectively the best option.
By comparison, the App Store review process makes pushing out new versions tedious and cumbersome, while Apple’s TestFlight platform is designed mainly for small development teams and startups that want to distribute apps to beta testers. So if you work in the Bay Area for a company that makes any kind of software, chances are you have apps on your phone designed only for you and your co-workers that are accessible only with the right certificate.
But as software companies have gotten bolder about using Apple’s workaround — since Apple never told them no — they’re starting to push the boundaries of what’s acceptable. Technically, Apple’s guidelines say you should only be using the program to distribute apps for internal use. “Enroll in the Apple Developer Enterprise Program only if you intend to distribute proprietary apps to employees within your organization,” reads the description of the requirements when trying to enroll in the program through Apple’s website. “If you intend to distribute apps outside of your organization through the App Store, enroll in the Apple Developer Program.”
But some companies see the enterprise program as a legitimate, even encouraged, way to get around App Store requirements to distribute everything from beta versions of public software to apps designed only for contract workers in the on-demand economy. It’s this mentality, and Apple largely turning a blind eye toward this form of public app installation, that led both Google and Facebook to think they could get away with distributing VPN apps to research participants in ways that blatantly violated Apple’s policies. And if large companies can get away with it, so too can small, unheard-of entities peddling pirated content on marketplaces like TutuApp.
Apple did not immediately respond to a request for comment for this story. But in a statement it issued to Reuters, the company said it planned to be more proactive. “Developers that abuse our enterprise certificates are in violation of the Apple Developer Enterprise Program Agreement and will have their certificates terminated, and if appropriate, they will be removed from our Developer Program completely,” an Apple spokesperson said. “We are continuously evaluating the cases of misuse and are prepared to take immediate action.”
Additionally, Apple plans to require developers to verify their identities using two-factor authentication. That could cut down on the practice of forging, loaning, or selling enterprise certificates, as Testut suspects many Chinese operations are engaging in. “Every time Apple revokes a certificate, which happens once every few months or so, they just somehow get another one,” he tells me. There is the possibility, he adds, that a number of companies in China maintain robust enterprise program subscriptions for the sole purpose of selling access to independent app makers that want to distribute software outside the App Store.
But Testut doesn’t think there is a best of both worlds solution for Apple. “I don’t know if there’s a feasible way to simultaneously have the ability for companies to install an unlimited number of apps to their employees, but also maintain oversight,” he says. “I think Apple will just be more assertive now in actively banning them. I think before they didn’t care enough, and now… well, just everyone knows about it.”
As for the future of sideloading on iOS, Testut thinks so long as Apple itself has a way to get an internal app onto an iOS device, so too will third-party developers. “I think as long as there is some way out there to do it, people will keep doing it.”