
Pirates hijack Apple's enterprise certificates to put hacked apps on iPhones



(Reuters) – Software pirates have hijacked technology designed by Apple to distribute hacked versions of Spotify, Angry Birds, Pokemon Go, Minecraft and other popular apps on iPhones, Reuters has found. Software distributors such as TutuApp, Panda Helper, AppValley and TweakBox have found ways to use digital certificates to get access to a program Apple introduced to let businesses distribute business apps to their employees without going through Apple's tightly controlled App Store.

Using so-called enterprise developer certificates, these pirate operations provide modified versions of popular apps to consumers so that they can stream music without ads and bypass fees and rules in games, depriving Apple and legitimate app makers of revenue.

By doing so, the pirates violate the rules of Apple's developer programs, which only allow apps to be distributed to the public through the App Store. Downloading modified versions violates the terms of use of almost all major apps.

TutuApp, Panda Helper, AppValley and TweakBox did not respond to multiple comment requests.

Apple has no way to track the real-time distribution of these certificates or the spread of improperly modified apps on its phones, but it can cancel the certificates if it finds improper use.

"Developers who abuse our corporate certificates violate the Apple Developer Enterprise software vendor and will have their certificates terminated, and if appropriate, will be removed from our developer program altogether," an Apple spokesman told Reuters. "We continuously evaluate cases of abuse and are prepared to take immediate action."

After Reuters initially contacted Apple for comment last week, some of the pirates were banned from the system, but within days they were using different certificates and were operational again.

"There is nothing that prevents these companies from doing this again from another team, another developer account," said Amine Hambaba, who works in security at software company Shape Security.

Apple confirmed a media report on Wednesday that it would require two-factor authentication – using a code sent to a phone as well as a password – to sign in to all developer accounts by the end of this month, which could help prevent abuse of certificates.

Major publishers Spotify, Rovio and Niantic have started fighting back.

Spotify declined to comment on the issue of modified apps, but the streaming music provider said earlier this month that its new terms of service would crack down on users who "create or distribute tools designed to block ads" on its service.

Rovio, the maker of the Angry Birds mobile games, said that it is actively working with partners to address violations "in favor of both our player community and Rovio as a business."

Niantic, which makes Pokemon Go, said that players who use pirated apps that make it possible to cheat in the game are regularly banned for violating its terms of service. Microsoft, which owns the creative building game Minecraft, declined to comment.

Siphoning of Revenue

It is unclear how much revenue the pirate distributors are siphoning away from Apple and legitimate app makers.

TutuApp offers a free version of Minecraft, which costs $6.99 in Apple's App Store. AppValley offers a version of Spotify's free streaming music service with the ads removed.

Distributors make money by charging $13 or more per year for subscriptions to what they call "VIP" versions of their services, which they say are more stable than the free versions. It is impossible to know how many users buy such subscriptions, but the pirate distributors have a combined total of more than 600,000 followers on Twitter.

Security researchers have long warned about the misuse of corporate developer certificates, which act as digital keys that tell an iPhone that a program downloaded from the internet can be trusted and opened. They are the centerpiece of Apple's program for business apps, and they enable consumers to install apps on the iPhone without Apple's knowledge.

Last month, Apple briefly banned Facebook and Alphabet from using corporate certificates after they used them to distribute data collection apps to consumers.

The distributors of pirated apps seen by Reuters use certificates obtained in the name of legitimate businesses, although it is unclear how. Several pirates have impersonated a subsidiary of China Mobile. China Mobile did not respond to requests for comment.

Tech news site TechCrunch earlier this week reported that certificate abuse also enabled the distribution of apps for pornography and gambling, both banned from the App Store.

Since the App Store debuted in 2008, Apple has sought to portray the iPhone as safer than competing Android devices because Apple reviews and approves all apps distributed to the devices.

Earlier, hackers "jailbroke" iPhones by modifying their software to evade Apple's controls, but that process voided the iPhone's warranty and scared off many casual users. The misuse of corporate certificates seen by Reuters does not depend on jailbreaking and can be used on unmodified iPhones.

(Reporting by Stephen Nellis and Paresh Dave in San Francisco; Editing by Greg Mitchell and Bill Rigby)

