Misuse of enterprise and developer certificates

There is some distribution of apps outside the App Store using enterprise certificates and developer certificates, which allows those apps to be installed on non-jailbroken iOS devices. Using this to distribute apps to the public violates Apple's developer agreements and can get those certificates revoked by Apple.

Getting an enterprise certificate costs $299/year and requires a phone call with Apple to verify that you have a real company and are using the certificate for a legitimate purpose; after you have one, you can use it to distribute the app to unlimited numbers of devices, since it's intended for companies that want to distribute an internal app to lots of employees. There is speculation that misused enterprise certificates sometimes come from companies that got the certificates from Apple for a seemingly-legitimate purpose, then mysteriously "went out of business" and started up again using the enterprise certificates for shadier purposes.

Some apps used expired enterprise certificates that required the user to set the device's time back to a certain date (before the profile was revoked) before installing the app, called the "date trick". The ability to use expired profiles like that was fixed with iOS 8.1 in October 2014. In April 2015, people released an app that can be installed with an expired enterprise certificate if the device is in airplane mode (no internet connection), with the help of a tool on a desktop computer since the device can't access the internet at that point to download the app.

It's not known how often iOS checks after installation to see whether an enterprise certificate has been revoked (which then means you can't use the app anymore unless you have a trick for reinstalling it) - it seems to be "once in a while".

Related, there are also people who sell access to normal iOS developer certificates, which allow you to self-sign apps to install them on non-jailbroken iOS devices, meant for developers working on apps. These certificates cost $99/year from Apple (and anyone can get one), and each certificate can be associated with 100 devices, so people sometimes sell some of those "UDID slots".

Uses and risks
People misuse certificates to distribute pirated App Store apps to non-jailbroken iOS devices. There are various piracy sites and tools that distribute cracked App Store apps that have been re-signed using certificates.

People also misuse certificates to distribute apps that aren't allowed on the App Store (usually apps that Apple considers to have copyright problems, such as game emulators and movie piracy tools) to non-jailbroken devices. Game emulators themselves are legal software in the US, but Apple considers them associated with copyright infringement probably because people can pirate ROMs for games (although it is legal to dump your own ROMs from games you own). Websites such as iOSEmulatorSpot use this method to redistribute emulators and other free apps developed by other people that can't be distributed on the App Store (mostly because of copyright problems), mostly without permission from the app authors.

Misuse of certificates has also been part of jailbreaking tools, and it can be used by malicious people as part of malware (see malware for iOS).

Research papers about security risks and threats related to enterprise certificate distribution:


 * "Apple without a shell – iOS under targeted attack", by Tao Wei, Min Zheng, Hui Xue, and Dawn Song - Virus Bulletin Conference, September 2014
 * "Enpublic Apps: Security Threats Using iOS Enterprise and Developer Certificates", by Min Zheng, Hui Xue, Yulong Zhang, Tao Wei, and John C.S. Lui - ASIA CCS'15, April 2015

Zeusmos and KuaiYong (January 2013)
"New services bypass Apple DRM to allow pirated iOS app installs without jailbreaking on iPhone, iPad" (TheNextWeb, January 2013): "It’s unclear exactly how Zeusmos achieves its goal, but judging from the pricing and the correlation between UDIDRegistrations, it appears to utilize a developer licensing certificate to install ‘cracked’ apps which have had their DRM (copy protection) stripped."

KuaiYong (April 2013)
"When Criminals Exploit Apple's Own App Distribution System, What Hope Is There Of Stamping Out Piracy?" (Forbes, April 2013): "Remarkably, the site is powered by Apple’s own enterprise app distribution system, designed to allow large organizations to provide internal apps to staff. What KuaiYong has done is buy one license and then distribute apps to its customers on the pretext that they’re the company’s own staff."

"Chinese website allows pirating of iOS apps, no jailbreaking required" (Examiner, April 2013): "[Kuaiyong] uses Apple's own enterprise app deployment technology."

GBA4iOS and MacBuildServer (July 2013) and GBA4iOS 2.0 (February 2014)
"The Biggest Beta Test in iOS History" (Riley Testut, August 2013): "As you can probably guess, MacBuildServer was using the Enterprise Distribution method to allow installation on non-jailbroken devices. Because GBA4iOS was open-sourced on Github, MacBuildServer was able to download a copy of the code to its servers, compile it into an app, and then distribute it under their own Enterprise Certificate...Apple did what it could to stop this: they revoked MacBuildSever’s enterprise certificate. While it initially seemed that this meant no more downloads of GBA4iOS, it has since been discovered that setting an iOS’ device date to before July 16 (the day Apple revoked the certificate) allows users to download the app again, and after the download they are free to set the date back to the current date. Unfortunately, this is far from a permanent solution, as once in a while iOS checks to see whether the certificate is valid, and if it finds it isn’t, GBA4iOS will no longer open, forcing the user to set their device’s date back again."

"Apple Slams The Door On Super Mario" (ReadWrite, July 2013): "'Yesterday someone from Apple called to Serge, our founder, and noticed that [the] enterprise certificate registered to our company was[sic] been used violating Apple’s agreements.'"

"GBA4iOS Is Dead. Long Live GBA4iOS" (Riley Testut, October 2014): "Sure enough, less than thirty minutes (!!) after we released GBA4iOS 2.0, Apple revoked our new certificate once again, but all that did was force people to set the date back to install the app; an inconvenience for sure, but far easier than jailbreaking the device. We’ve continued to update the app since, and it’s survived several iOS updates since then – such as 7.1 and 8.0 – none of which have prevented the Date Trick from working. Of course, that ends with iOS 8.1 when it is released later this month."

Pangu (June 2014) and Pangu8 (October 2014)
Pangu and Pangu8 use an expired enterprise certificate to help inject the jailbreak, which is removed after the jailbreak is complete.

"iOS 7.1.1 jailbreak uses expired enterprise certificate loophole" (iDownloadBlog, June 2014): "According to his tweets, MuscleNerd says that the most unique part of the Pangu jailbreak is that it uses an expired enterprise certificate as an injection vector. He adds that enterprise certificates are something that have been out of bounds for the iPhone Dev Team, due to legal reasons, but he is glad that this method was used rather than the Pangu team burning through something more native and powerful."

"Jailbreak Should not Tolerate Regional Discrimination" (Pangu Team, March 2015): "In Pangu 7 and Pangu 8, we leveraged expired enterprise certificates to initial the jailbreaking process. We are very glad that some of jailbreak fans donated their own expired enterprise certificates to us. On the other hand, an enterprise certificate only costs a few hundreds dollars . We do not see any reason to steal an enterprise certificate."

WireLurker and Masque Attack (November 2014)
Misuse of certificates can also be part of malware.

"WireLurker: A New Era in OS X and iOS Malware" (Palo Alto Networks, November 2014): "Today we published a new research paper on WireLurker, a family of malware targeting both Mac OS and iOS systems for the past six months...It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning"

The Palo Alto Networks research paper about WireLurker has a lot of detail about its use of enterprise certificates, including:

"'The use of enterprise provisioning explains how these applications can be installed on non-jailbroken iOS devices. Yet, on the first attempt to run a WireLurker application on iOS, users are presented with a dialog requesting confirmation to open a third-party application (Figure 16). If the user chooses to continue, a third-party enterprise provisioning profile will be installed and WireLurker will have successfully compromised that non-jailbroken device. Furthermore, users are typically none the wiser, since the application otherwise operates just like the legitimate version.'"

"'The use of enterprise provisioning to install applications on non-jailbroken devices is not a new concept. This technique has been widely abused by game fans and a number of Chinese application distribution platforms. Since January 2013, there have been at least five Mac/PC tools that have abused enterprise provisioning and the libimobiledevice library to install pirated applications on non-jailbroken devices in China: “PP Helper”(PP助手), “KuaiYong Helper”(快用助手), “91 Mobile Helper”(91手机助手), “KuaiZhuang”(快装) and “SouApple”(搜苹果). It is noteworthy that the “PP Helper” application is also downloaded and installed by WireLurker.'"

"'In September 2014, Tao Wei et al presented at Virus Bulletin on the risk of abusing Apple’s enterprise distribution program. According to their research, any application can bypass Apple review, arbitrarily invoke private iOS APIs, monitor user behavior and exploit vulnerabilities in a non-jailbroken iOS device by leveraging an enterprise provisioning profile. WireLurker is a prime example of how this is no longer a theoretical risk, but an active threat as seen in the wild.'"

"Masque Attack: All Your iOS Apps Belong to Us" (FireEye, November 2014): "In July 2014, FireEye mobile security researchers have discovered that an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier. This in-house app may display an arbitrary title (like “New Flappy Bird”) that lures the user to install it, but the app can replace another genuine app after installation."

Popcorn Time (April 2015)
"Popcorn Time releases iOS app tomorrow, no jailbreak needed" (TorrentFreak, April 7, 2015): "'All a user will need to do to get Popcorn Time on a non jailbroken iOS device is to download the ‘iOS installer’ to his desktop computer, connect his iOS device to the computer with a USB cable, and then just follow simple instructions that will download the app on the iOS device.'"

"How Popcorn Time’s Piracy App Is Sneaking Onto iPhones" (Wired, April 8, 2015): "But the iOS Installer developer does hint that its workaround exploits 'the ability Apple gives to enterprises to install apps on their workers devices.' To those familiar with Apple’s security measures, that sounds like Popcorn Time is using Apple’s iOS Developer Enterprise Program...The Popcorn-Time.se developer confirmed in an email that the team is in fact using revoked or expired enterprise certificates for the installation, though it’s not exactly clear how merely putting the phone into airplane mode can trick it into accepting those old and invalid certificates."

25PP (June 2015)
25PP is an app marketplace similar to KuaiYong, including pirated apps.

"Of Ma And Malware: Inside China's iPhone Jailbreaking Industrial Complex" (Forbes, June 26, 2015): "And yet Alibaba’s 25pp marketplace doesn’t need the phone to be unlocked to install on iOS. It flouts Apple security rules in other ways. FORBES has learned the store breaks Apple policy by using an Enterprise Certificate to install itself on users’ phones. These certificates are supposed to be used by businesses to disseminate bespoke apps within the confines of the corporate network and are strictly not for commercial use. Apple could simply revoke the certificate, but it would be easy for Alibaba’s subsidiary to obtain a new one and start breaking the rules all over again. Apple and Alibaba’s inertia is more surprising when one considers what’s on 25pp, namely a lot of pirated software that rip off American creations."

Hacking Team (July 2015)
Hacking Team is a company that sells surveillance tools and services to governments and law enforcement agencies, and some of their tools use a valid enterprise certificate to aid installing them on a target device.

"Hacking Team hack reveals why you shouldn't jailbreak your iPhone" (MacWorld, July 6, 2015): "Researchers have also found so far that Hacking Team has a legitimate Apple enterprise signing certificate, which is used to create software that can be installed by employees of a company who also accept or have installed a profile that allows use of apps signed by the certificate. It was shown last November that an enterprise certificate combined with a jailbroken iOS device could be used to bypass iOS protections on installing apps. Further, Hacking Team had developed a malicious Newsstand app that could capture keystrokes and install its monitoring software."

Tweet by @esikur (Ralf (RPW)) (July 7, 2015): "Just did an OCSP check: Apple has revoked HT's enterprise certificate. (Reason: keyCompromise, Revocation Time: Jul 7 03:38:10 2015 GMT)"

YiSpecter (October 2015)
YiSpecter is malware that uses private APIs to perform malicious actions on both non-jailbroken and jailbroken iOS. It gets installed in the form of apps signed with enterprise certificates.

"YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs" (Palo Alto Networks, October 4, 2015): "YiSpecter consists of four different components that are signed with enterprise certificates. By abusing private APIs, these components download and install each other from a command and control (C2) server...Previously, the malware WireLurker demonstrated the ability to infected non-jailbroken iOS devices by abusing enterprise certificates, and academic researchers have discussed how private APIs can be used to implement sensitive functionalities in iOS. However, YiSpecter is the first real world iOS malware that combines these two attack techniques and causes harm to a wider range of users."

Pangu9 (July 2016)
In the initial Chinese release, as well as the v1.1 English version of Pangu9 for 9.3.3, Pangu uses an expired enterprise distribution certificate to sign the jailbreak payload app, instead of using a more powerful exploit to force the app in the system. The downside of this is that this certificate only lasts a year, and the app must be sideloaded before it can use the expired certificate.