Apple quirk lets pirates build a giant store of free iPhone apps

“App pirates are letting you download free versions of paid iPhone apps by taking advantage of a quirk in Apple’s iTunes approval process,” Jose Pagliery reports for CNNMoney. “The pirated app website, vShare, even works on iPhones that aren’t ‘jailbroken.’ Traditionally, the only way to install an app from outside the official app store is to jailbreak your iPhone. But vShare has figured out how to get around that, according to cybersecurity firm Proofpoint and several other researchers contacted by CNNMoney.”

“Apple lets corporations create their own internal apps for employees. If a company pays $299 per year and joins the Apple Developer Enterprise program, its apps get a special, trusted certificate. Those apps don’t make it to the official App Store, so they aren’t reviewed by Apple itself. But your iPhone is allowed to download them anyway, because Apple servers vouch for that certificate,” Pagliery reports. “According to Proofpoint, vShare pirates managed to get their hands on several Apple enterprise certificates, using them to create a vShare app. The vShare app is itself a portal to an app store of its own.”

“On vShare, the most frequently downloaded iOS apps are nearly all free, pirated versions of top paid apps on the real iTunes App Store,” Pagliery reports. “It’s unclear how many times pirated copies of games like ‘Minecraft: Pocket Edition’ or ‘Geometry Dash’ have been illegally downloaded. But those apps have been ‘liked’ by downloaders more than 1.4 million times. On Apple’s app store, Minecraft sells for $6.99, and Geometry Dash costs $1.99.”

“Proofpoint said it noticed that vShare has been cycling through four different Apple-issued certificates to pull off its feat, and Proofpoint reported the issue to Apple,” Pagliery reports. “On Tuesday night, CNNMoney was still able to download the vShare app onto an iPhone 6 running iOS 8.4, but the app was unable to install, indicating that Apple might have already revoked at least one of its certificates.”

Read more in the full article here.

MacDailyNews Take: Who knows what’s actually in those pirated games? Malware payloads? Could be anything really. It’s certainly not worth risking your personal data in order to steal $6.99.
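
A defender-side check for the enterprise-certificate mechanism described above, as an added example (not from the article, Proofpoint or Apple): it reads the provisioning profile that an iOS app bundle carries (embedded.mobileprovision) and flags enterprise-distribution profiles from teams outside an allow-list. The allow-list, the sample profile and the function names are constructed for illustration.

```python
import plistlib

# Assumed allow-list of team IDs the organisation really deploys from (constructed).
TRUSTED_TEAMS = {"EXAMPLE001"}

# Constructed sample: a few stand-in container bytes around a profile plist.
SAMPLE = (b"\x30\x82\x0b\x00" + b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>TeamName</key><string>Constructed Example Corp</string>
<key>TeamIdentifier</key><array><string>ZZZZ999999</string></array>
<key>ProvisionsAllDevices</key><true/>
</dict></plist>""" + b"\x00\x00")


def extract_profile(blob: bytes) -> dict:
    """Return the plist carried inside an embedded.mobileprovision blob.

    The file is a CMS-signed container with the plist stored in the clear,
    so slicing between the XML markers is enough for triage. This does not
    verify the signature.
    """
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no plist payload found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def classify(profile: dict) -> str:
    """Enterprise profiles set ProvisionsAllDevices; others list device IDs."""
    if profile.get("ProvisionsAllDevices") is True:
        return "enterprise"
    if "ProvisionedDevices" in profile:
        return "device-limited"  # development or ad hoc distribution
    return "unknown"


def triage(blob: bytes) -> dict:
    """Flag enterprise-signed apps whose signing team is not on the allow-list."""
    profile = extract_profile(blob)
    kind = classify(profile)
    teams = profile.get("TeamIdentifier", [])
    trusted = any(team in TRUSTED_TEAMS for team in teams)
    return {"kind": kind, "team": profile.get("TeamName"),
            "flag": kind == "enterprise" and not trusted}


if __name__ == "__main__":
    print(triage(SAMPLE))
```
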

12 Comments

  1. Yeah I saw this earlier today and actually briefly considered trying to download a few games but didn’t because of the obvious security implications. Not because they are free, per se, but more so just to see if I’d enjoy them and like them enough to purchase. I really wish the official Apple App Store had a way of trial-ing an app for a limited amount of time.

    1. From the source article:

      That puts Apple (AAPL, Tech30) in the position of playing whack-a-mole, Kalember noted. Instead, Apple would be better off ditching its current model and forcing all corporate app makers to stick to its well-guarded App Store and demand employee logins, he said.

      EXACTLY.

        1. Yup. But there has to be a way to match a security certificate with one and only one app series, no imitations, no warez malware versions allowed. Not my problem, but Apple must change this situation. The WireLurker problem has been public since November 6, 2014. Tsk tsk Apple!

  2. iOS as a platform poses some serious challenges to the developers who aren’t interested in selling, but want a small, custom-built app for their own purpose. I have often thought of building a simple app that would allow my small team to manage our club activities. The app would be easy to develop, I could probably do it in a week of after-hours development, and it would be quite useful to all the members of our little club. I don’t want to bother doing it, though, as there is no reasonable deployment option for me. I would have to submit it to Apple for review, and even if they approved it, the app would be out there for everyone to see, which I don’t want. The other option is paying the $300 enterprise certificate, set up an MDM server to deploy this certificate, then bring all the members’ iPhones into this MDM environment, all just for one lousy app…

    On literally every other computing platform (Mac OS, Linux, Windows, Android, Blackberry, Win mobile, etc), you can ‘sideload’ your own applications. You may or may not receive some security warnings about the apps not being certified, but you have a way to manually install a home-grown app on a device. Not so with iPhones. The only way you can have an app you developed yourself installed on an iPhone is either through Apple’s public App Store, or through the costly and cumbersome Enterprise Programme. This may not affect that many people, but I have no doubt that there are many active iOS developers who, in their spare time, wouldn’t mind hacking out a simple app that would take care of some simple matters related to their private lives, hobbies, etc. I’ve done this on other platforms many times before (Mac, Palm OS), and I’ve seen it done quite often. Apple, in their infinite wisdom on matters of security, had made it impossible for me to do this on the iPhone.

    My work-around has been (over the last seven years) to essentially develop the same functionality as a web site and send my club members to that site. It is nowhere near as elegant and constrained as a custom app, but it works; still, it is an inelegant workaround, when I could have an app worthy of the best mobile ecosystem on Earth…

  3. This is such old news. VShare has existed for years. I must say though now, vShare now has no other use than for pirating, as people can now sideload emulators that are open source, so now, I have no other reason to have it, and have removed it, as I don’t need pirated apps.

    Sent from my iPhone
