Apple is learning why shortcut security is a bad idea


When Apple launched its enterprise developer certificate program — which lets enterprises make their homegrown, employee-only apps available through iTunes — it had to make a difficult convenience-vs.-security decision: how much hassle to put IT managers through to get their internal apps posted. It chose convenience and, well, you can guess what happened.

Media reports say pirate developers used the enterprise program to improperly distribute tweaked versions of popular apps — including Spotify, Angry Birds, Pokemon Go and Minecraft — while others used the platform to distribute porn apps along with real-money gambling apps. And all the bad guys had to do was lie to Apple reps about being associated with legitimate businesses. Apple didn’t bother to investigate or otherwise verify the answers.

Apple now has two ways to go: gut or severely limit its enterprise certificate program, or pour in enough resources to effectively verify every answer before granting access. Any longtime Apple watcher knows which route is more likely. Hint: The enterprise program aims to make it easier for companies to leverage iOS devices, but it doesn’t deliver much direct revenue. Assigning talent to fix it while Apple is struggling to meet its iPhone sales goals seems unlikely.

Let’s drill into what happened. First, courtesy of Reuters, comes the report of the software pirates. “These pirate operations are providing modified versions of popular apps to consumers, enabling them to stream music without ads and to circumvent fees and rules in games, depriving Apple and legitimate app makers of revenue,” the Reuters story said. “Apple confirmed a media report on Wednesday that it would require two-factor authentication — using a code sent to a phone as well as a password — to log into all developer accounts by the end of this month, which could help prevent certificate misuse.”

Two quick thoughts on Apple’s 2FA approach, assuming this reference is correct. First, texting a code is begging for a man-in-the-middle attack, and these pirates are well able to pull off such a move. There are far more secure 2FA options. Secondly, all this will do is verify that the person who created the account is the person who is right now trying to gain access. It doesn’t address the real issue here, which is that the enrollment applications were fraudulent in the first place.

The story of the porn and real-money gambling apps came from TechCrunch, and it delivers far more specifics about how easy these frauds were to commit, given Apple’s ultra-convenient approach.
