Apple fails to block porn and gambling “enterprise” apps (techcrunch.com)
106 points by sharcerer 8 days ago | 103 comments

> The situation shows further evidence that Apple has been neglecting its responsibility to police the Enterprise Certificate program

Really? We're there now? It's become Apple's "responsibility" to police every last corner of iOS? I feel like this should not be viewed as "Apple prevents developers from distributing their controversial apps" but rather "Apple prevents users from running controversial apps". If I want to have porn apps on my phone that is my business and no one else's.

This debate has been going on since the start of the App store, but now that macOS is steadily becoming more iOS-like and mobile devices are increasingly becoming people's only computing platform, it's becoming more important. For example, Apple removed an app that notified the user whenever a US drone strike caused fatalities because "it was objectionable to some users". There are a lot of objectionable things that are really important. Apple blocks VPN apps in China, for example, and since there's no other way to install apps besides compiling it yourself (which has to be done on a Mac, and even then the code signature expires after a week) there really isn't an option for almost everyone in China.

Apple is continually praised for their stance on privacy, but privacy doesn't mean so much when you don't have freedom. And Apple is hostile towards user freedom.


> Really? We're there now? It's become Apple's "responsibility" to police every last corner of iOS?

I find it disgusting, but really Apple is the only one to blame for that when they started aggressively policing and removing apps, and then marketing to customers based on that. I've heard people on HN state ad nauseam that they love that Apple does this, and that it's one of the reasons they live in the Apple ecosystem. They want to be protected from running apps that might do something objectionable (according to Apple's standard), and are absolutely willing to trade their freedom for some security.

I obviously don't agree with this at all (I refer you to Cory Doctorow's War on General Purpose Computing: https://www.youtube.com/watch?v=gbYXBJOFgeI ) but it is a position I can understand.

I am one of those people that buy into the Apple way.

That doesn't mean I expect them to review every single internal enterprise app that every company on the planet builds. I simply expect them to police the App Store so I am not wasting my money or destroying my phone/tablet.

Apple could have it both ways. Keep the App Store, but make sideloading possible—without this stupid certificate program. Make it semi-difficult: maybe users have to tap their version number twenty times or something. Just keep the avenue open.

It does not harm your security if other people are able to sideload apps. Apple should just flip the damn switch.

I figure part of it is the way malware plays out in PR terms. The headlines would read iOS malware steals private data, not Moron sideloads malware onto iPhone, subverting the appstore they already paid to curate.

Personal responsibility doesn't play much of a role in the media response to these incidents, so Apple are well motivated to prevent customers getting root access to their own devices. (To say nothing of the lucrative appstore business model.)

I recall sideloaded Android malware getting this kind of silly response. Hardly Google's fault if you go out of your way to compromise your device, but it can still make for bad publicity.

As it is, the only 'open avenue' on iPhone is to use the browser.

You're not wrong, but it doesn't excuse Apple's actions. Mac OS seems to get along well enough, as does Android despite some occasional bumps in the road. (The Android ecosystem has legitimate security issues regarding un-updatable devices, but that's not relevant here.)

We should all be pushing Apple to make their products more open, not asking them to be more stringent. I really do think that if public sentiment shifted in just the right way, we could see Apple allow sideloading. Steve Jobs is gone, and Apple is pushing the iPad as both a PC replacement and a STEM education device. Both efforts are hampered by an inability to run custom apps.

This TechCrunch article really bothers me. They are a tech-specific site, and should not be running the type of headlines you describe. The fact that companies break Apple's guidelines is newsworthy and fine to report on, but if Apple deserves any blame here it should be for making this crap necessary in the first place.

On the one hand, this "journalism" really is disgusting. It is calling for unreasonable censorship. Censoring internal enterprise apps makes as much sense as expecting Apple to police pictures users take with their iPhones.

But on the other hand, Apple really should own their censorship. They decided to take responsibility for stuff like this, so they really should be held responsible.

Indeed. When you position yourself as the gatekeeper, you will be held responsible for what gets through the gate. Including things you weren't originally planning to block. Anyone who wants to stop anything will come to you, and you brought it on yourself.

My thoughts exactly. This is also why I felt somewhat conflicted about the stories of tracking apps last week.

If people want to install porn apps on their phones, people should be allowed to install porn apps on their phones. I'm quite fine with Apple shirking their "responsibility" to remove porn apps. It never should have been their responsibility in the first place, and I'd much prefer if they didn't have the ability to police it at all.

> It's become Apple's "responsibility" to police every last corner of iOS?

Why yes, I for one am glad to see them being brought to task to police their own walled gardens to death. In fact I'll be very happy to see those gardens ending up as a relic of a troublesome sad time for tech.

> "Really? We're there now? It's become Apple's "responsibility" to police every last corner of iOS?"

Yes. I think they took that responsibility on themselves, when they decided their devices would be walled gardens under their purview. If you set out to create a totalitarian utopia and want to take credit for the things that go well, you must also take responsibility for when things go wrong.

I agree. Apple doesn't believe in freedom unless it's curated and prescribed by them. You can see this philosophy in their hardware and software design. Which is now why I use Linux, and so should you.

As an iOS developer, I sometimes receive emails from some brazen enterprising person with poor spelling and grammar inquiring about the possibility to "borrow" our company creds for registering an iOS enterprise developer certificate, usually with some nonsense explanation like "helping them out with their beta testing needs" (as if testflight doesn't even exist) and that "it won't impact your app store apps" (ha!).

Of course these emails go straight to the junk folder, but it is very apparent that there is a demand and a black market for iOS enterprise distribution certificates, and people are willing to beg, borrow and probably steal such certificates in any which way they can.

Who is simultaneously a programmer AND dumb enough to fall for that?

It's basically the same as someone randomly emailing you asking for your password.

Dishonest people. Con artists often target the dishonest and greedy; people who understand that something is a pyramid scheme but think they can get out with a profit before it collapses. Or perhaps in this case, somebody who thinks the future business potential for their enterprise cert won't be as profitable as selling use of it to shady people.

> brazen enterprising person with poor spelling and grammar

Oh the horror, if only they used proper English, the intent to steal certs would be so much more tolerable!

It seems ironic to me that the HN crowd seems to support this circumvention of Apple's insular app distribution strategy, but on the other hand also supports Apple's clampdown on efforts to stop privacy-violating apps.

For my part, I guess I would prefer that Apple at least open up iOS devices to both the app store and allowing users to install non-App Store apps, the Android model. This would probably satisfy both casual and more tech-savvy users. Unfortunately, I don't see Apple doing this any time soon as they are all about profits, and this strategy has been working very well so far.

I admit that back when Apple created "Gatekeeper" for OS X, er, macOS, I had high hopes this was laying groundwork that would come to iOS later -- that we'd be able to flip a switch in Settings which allowed us to install signed apps from non-Apple storefronts. Yes, this would potentially reduce Apple's profits (and it's hard not to suspect you're correct in guessing that's why it hasn't happened), but it's hard not to think that most developers would still make their apps available in Apple's storefront the way most Android apps are available on the Google Play store. I still feel like this would solve more problems than it creates not just for users and developers, but for Apple, too.

I don't think there's really any irony here, these are just two different concerns:

- I want Apple to do the job we pay them for and ensure that their store doesn't distribute malware.

- If I buy a device I want to be able to run whatever I want on it.

The question is whether these two goals conflict with each other.

Full freedom to run whatever you want also means being able to install malware.

Well, as you said yourself, people should be able to side load whatever they want outside of the official store if they are so willing. The general consensus is that their authoritarian approach on the App Store is a positive for consumers and also for Apple's brand. So I don't see any hypocrisy here.

You can't run unsigned apps on an iPhone. No, not even your own. You can't generate a certificate for an iPhone app longer than one week, and even then, the certificate you generate only lets you run code on an iPhone physically connected to the computer where the certificate was generated.

EVERY OTHER way to get a certificate, including for internal development and testing through testflight, requires the app to go through review. Every. Single. One.

It's not simply for putting the app on the app store, it's for running the app at all.

Enterprise certificates were supposed to be a way for a company to avoid shipping their internal tools to Apple, but they turn out to be a way to actually run useful code on an iPhone, even if it's not something Apple wants you to do.

Not quite correct.

Only if you do not have a paid developer account will the app be uninstalled after 7 days. Otherwise the app can stay installed for as long as your account is paid up.

And the phone does not have to be physically connected for it to run.

This more than anything else Apple does, shows quite clearly that you do not own your iPhone, you are paying Apple to be allowed to use it. So you want to run your own program, with no interest in publishing to the App Store or sharing it with others? Sure thing, just pay us $100 a year...

Hmm, is this a recent change?

I mean, I know there have been recent changes in Apple's attitude towards enterprise certs, but I've been able to sign internal ad-hoc apps with a developer cert which would last one year (i.e., until the provisioning profile expires) with no review.

Granted, you need the unique identifier of the device and it limits you to a certain number per year (100 or 200?), but this still seems different to the situation you are describing.

Fairly sure I did this last year, even. Though admittedly we switched to Android at some point, purely because it was too much headache.

> EVERY OTHER way to get a certificate, including for internal development and testing through testflight, requires the app to go through review. Every. Single. One.

Not true.

There is still Ad Hoc distribution, where you can sign the app to run on any device in your developer account (up to 100 iPhones + 100 iPads) and host it for download yourself. The build runs until your developer cert expires (1 year IIRC?)

I believe this is how TestFlight worked before Apple bought them


It seems completely reasonable to believe that there is value in a curated ecosystem and also believe that there should be a mechanism for informed opt-out of that curated ecosystem.

It is completely consistent to follow rules whilst opposing them. There are many laws I would like to see repealed but I still follow them.

I've seen at least one company use the Enterprise program to circumvent paying Apple 30%. One company I know preloads their app on an iPad, resells the iPad and associated hardware, and charges a subscription to use the app.

Hell, I developed apps for at least two clients that did close enough to this. Is an authorized dealer/installer an employee of one of the companies whose products they sell? No. Do we need to find ways to get apps to them that aren't relevant to the consumer market? Yes. Enterprise apps are a release valve for the constraints imposed by Apple on the app store; if they clamp down too hard they risk more businesses moving over to Android.

That seems entirely legitimate and in no way harms the consumer, which is what the app store is always claiming to prevent.

You bought it, you get to choose what code runs on it, and DRM shouldn't be used to prevent that.

I would highly recommend reading the recent articles about the reasons for Facebook and Google’s certificates being revoked.

It is not because the apps were nefarious.

Did you read what FB apps actually do? Would you put an app on your phone that can record anything you do in any app?

Yes, the app was terrible.

The Apple Enterprise terms simply state you cannot distribute to the general public. It doesn't matter that the app was terrible, the violation itself was much more boring.

> It is not because the apps were nefarious.

The FB app targeted young people and literally installed a VPN profile that routed all internet traffic through Facebook servers.

Essentially full network packet-capture of everyone who installed their app. That's the definition of nefarious.

I did not say the app was not nefarious, I said that their enterprise account was not revoked because the app was nefarious.

The enterprise certificates were revoked primarily because they violated the #1 rule of the enterprise account - do not distribute outside of your company.

The user did decide to install the app, it wasn't forced onto them.

As long as user consented, the app should be allowed to do anything.

They were targeting children, who were not capable of giving informed consent. Furthermore, because they were providing financial rewards for installing the app, it was exploitative of the poor.

Good for them, Apple’s 30% is more akin to extortion than a fair distribution fee.

Seeing that you are and have always been allowed to sell a subscription outside of the App Store and still distribute within the store, you don’t need an enterprise certificate to do that as long as your app meets the guidelines.

Amazon Prime Video, Netflix, Spotify, DirectvNOW, Sling, and quite a few other apps don’t allow in app subscriptions. There are others that you can subscribe to inside or out of the app.

It's technically allowed but not easy unless most of your business is outside of the app.

App store guidelines ban having a link in your app to an external subscription website. They also ban "calls to action" that encourage customers to purchase non in-app purchases

All of my “business” for each of those products is within the app. There has never been a ban about requiring subscriptions outside of the app, you can’t have a link to an outside website that is true.

The only reason they get away with that is because you're willing to sign up and pay at an external website that you can find on your own. Most apps would lose most of their customers at the "now go find our website and how to pay without any help" step.

So in other words, Apple is providing a valuable service and the 30% is a customer acquisition cost?

As opposed to the 60%-70% that software developers used to have to pay retailers?

> So in other words, Apple is providing a valuable service and the 30% is a customer acquisition cost?

According to what Rebelgecko said, it sounds like the only reason Apple's service has any value at all is that they artificially restrict any possible competing payment methods on their devices.

Have other retailers typically allowed you to sell items in their store and pay elsewhere?

Additional specificity might be helpful:

There is nothing wrong with Apple charging a 30% fee on App Store Purchases, or purchases made in-app via Apple's framework. I suspect just about everyone will agree on this point.

The "extortion" part is the complete and total ban on purchases made outside the App Store.

It's not only a distribution fee. Someone had to develop the frameworks, the APIs, the OS and all the other systems that allow for your App to exist. These things aren't free and take resources to make and run. We can argue about the exact % but people often take all the work that goes behind the scene for granted. Same for Youtube and any other platform. We're just so used to having it all for free that we forget the sheer amount of work that goes into making and maintaining the platform.

Ok. But that’s also baked into the cost of the device at sale. If we’re talking about the App Store, bandwidth, redistribution, etc that it provides sure. But .. I don’t agree with your listed examples.

I disagree. Apple works on its development ecosystem in part because they know doing so drives App Store revenue. It's not like "Oh yeah, we build all these dev tools, documentation, and libraries, but that's only because we sell the hardware. If we shut down the App Store tomorrow, we'd keep making all the dev tools with the same level of investment."

I assume this is why there aren't any dev tools, documentation, or libraries available for macOS. Developing for the Mac must be absurdly difficult!

Edit: This was sarcasm.

At the same time, without apps, nobody would buy an iPhone. Apple didn't pull Facebooks app from the store because it would have a huge impact on iPhone sales.

Sell the development tools then and allow people to make their own. Then the market will quickly work out if it's worth it or build an open source version.

Most online marketplaces cost 30% - Steam, Google Play, App Store. That doesn’t make it alright, but no one is forcing you to write apps for iOS either.

These examples can be bypassed. You can release a PC game without Steam, release an Android app without Google.

But Apple? Nope

Android is not Google Play. You cannot release a Google Play app without paying Google.

No but you can release an Android app without Google. You can't release an Apple app without Apple.

Exactly. You can distribute raw APKs. You can put your app on FDroid. You can put your app on the Amazon Appstore. You can create your own appstore to compete with Google's and Amazon's and FDroid.

There are a lot of problems with Android, but an appstore monopoly isn't one of them.

There are apps that straight up jailbreak your phone distributed under enterprise certificates.

And as the owner of a Jailbroken iPhone, I'm quite happy they exist!

> Without proper oversight, they were able to operate these vice apps that blatantly flaunt Apple’s content policies.


Are you jokingly referring to the fact that they were flouting (ie, ignoring) the rules, while the article seems to say that they were ostentatiously displaying (ie, flaunting) the rules?

Or are you just saying that it's good thing that they could operate apps against Apple's rules?

It's good that they challenge the walled garden approach and Apple's particular brand of moralism.

I don't need porn or gambling on my phone. I think it's entirely reasonable for adults to make that choice.

FWIW, I think the article's use of the word ‘flaunting’ was a malapropism and not deliberate word-play.

There is no reason to respect Apple’s authority

We’ve been slowly moving away from enterprise certificates at our customers and using the “Custom Business Apps” route in Apple’s app store instead. It is a much more streamlined experience, no certificates to worry about and easier distribution. You will have to deal with app review but so far this has not been a problem at all.

We’ve also seen Apple deny requests for enterprise certificates without reason (and they wouldn’t give it after asking), which makes me think they might even want to get rid of this channel in the long term.

I'm still not entirely sure why Apple cares about porn, they have people's credit card information, that should be sufficient for age verification, in most cases. Gambling may provide Apple with some legal issues in most countries.

It's clearly a large market, and with a 30% cut of subscriptions, it could be a lucrative business for Apple.

They like to tightly control the message with regards to their brand, and that's one of clean, white, bleached happiness.

This stance has also hurt them with original content. A lot of great original content on other networks has had graphic violence or nudity, and they've stayed away, instead pushing bland shows that nobody seems to care about.

Maybe that'll change. But I'm not holding my breath, because I think this is a core value coming straight from Tim Cook.

I think it's a little too early to definitively say that Apple's forthcoming video streaming service only has "bland shows that nobody seems to care about," given that we haven't actually seen any of those shows yet. (Remember, "Carpool Karaoke" and "Planet of the Apps" predate this planned service and the hiring of ex-Sony execs to oversee it.) There are conflicting reports about whether that service will allow over PG-13 content, and if it doesn't, then sure, that's potentially a problem -- it limits what creators are going to be able to do, which in turn may limit the creators you can attract. But given that 18 of the top 20 box office hits of 2018 were PG or PG-13, it's pretty clear you can make content that people care strongly about within those limitations.

But do enough people want to subscribe to a service that doesn't have any edgy content? (No drug use, no graphic violence, no sex, no political documentaries).

Well, two responses come to mind.

First, a bit flippantly: I bet Disney's services are going to do just fine. :)

Second, less flippantly: I'm not sure we should conflate "no R/X/MA material" with "nothing edgy," nor should we necessarily conflate "edgy" with "interesting." And, again, we don't really know what limits Apple has put on creators for this service; they have some pretty big names lined up in terms of writers, directors, stars, and properties. It's certainly true that a fair amount of what they're producing sounds explicitly family-friendly, but being able to say "we have original programming created for us by Sesame Workshop, Peanuts Worldwide, and Oprah Winfrey" seems like it could carry some weight. (And I'm personally interested in several of the more adult-sounding science fiction shows.)

It's all about the Apple brand. The average consumer conflates iOS apps with Apple and Apple does not want even remote association with vice related content.

> The average consumer conflates iOS apps with Apple

More than 1 person assumed I worked for Apple when I told them I was developing iOS apps; so you are totally right!

You cannot determine someone's age by the fact that they have/use a credit card. Teenagers can have credit cards.

> Teenagers can have credit cards.

Someone who is at least 18 may have a credit card, but not younger. Someone under 18 can be issued a debit card (with some constraints about account type and needing a parent on the account), but not a credit card in their name.

> I'm still not entirely sure why Apple cares about porn


And before 2018?

Ah, yes, we should all bow and curtsey to the TechCrunch journalist's idea of Apple's responsibility. Apple should immediately start cracking down on what users decide to run on their devices, and lick this journalist's boots for his generous thoughts on the matter.

I feel like the answer here is simple: Apple removes the apps and monitors this stuff more strictly in the future. The creators of the apps make progressive web apps.

Progressive web apps which unfortunately don't work on iOS.

Safari supports them now. Not the full API, but enough for a porn or gambling app to get by (but then, so is a non-progressive web app, I'm not sure what they're doing that really warrants a native app)

Push notifications, most likely


Seems like you're confusing a number of things here. Progressive web apps can be cached offline and load instantly. They typically have smaller download sizes than native apps. There's zero reason for a PWA to take longer to load than a web page because a PWA is a web page. Perhaps your complaint is with Single Page Apps? That's a legitimate complaint, but doesn't really have a lot to do with PWAs.

> they don't even give a shit about Responsive designs.

Users don't know what "responsive design" is. But conversion stats for sites that have a specific mobile layout vs ones where you're pinch-and-zooming constantly show that users are a lot more productive on sites with a mobile view.

The first experience is crucial, according to Google 51% of your visitors will leave if they don't see content within the first 5 seconds.

Then you tell people, yeah but it's okay to do this the first time, then the second time they come to your PWA, it will load super fast!

Except it's not at all fast because it turns out cellular network is spotty so not everyone experiences/reports the same experience, it turns jaded users who feel discriminated because they don't have a thousand dollar phone that can render their PWA jank free.

There's an Application in PWA somewhere I'm sure of it.

You are right about conversion rates but I was specifically talking about online shoppers for a specific niche to demonstrate the extreme case where people are fine with what they have and rather not see changes they need to relearn.

But PWAs don't slow down page loads. I feel like I'm going insane that I have to point this out again and again. The first load of a PWA is the load of a web page, nothing more, nothing less. After that, the PWA can cache assets for next load. If the page loads slowly it's because it's a crappily made page, not because it's a PWA.

> Progressive web apps can be cached offline and load instantly

They only load instantly once they've been cached. Until then, it's Grey Rectangle City, and the user moves on.

Yeah, on first load they load... like a web page. Because they are a web page. "Grey rectangle city" is not something a progressive web app does unless the creator of the app tells it to. Like I said, it sounds like the complaint is with single page apps, not with progressive web apps.

I guess I'm not sure what the preferred alternative is here? First load of a native app involves going to an app store and downloading a multi-megabyte app. A PWA involves loading a normal web site, then once it has loaded, cache resources to allow instant loading in the future. I know which one of those two I'd prefer.


You seriously think going to an App Store, searching for an app, waiting for it to download 10s of megabytes (potentially over a slow connection), and then opening the app is a better experience than opening a web page?

I have no idea what your quoted passage is, by the way. If one of the complaints in there is "it took a whole 5 seconds to download", how on earth is the App Store alternative better? There's literally zero chance of getting an App Store app downloaded and opened in 5 seconds.

Are you just tempting the moderators here by using their names in highly offensive fake comments?

Check the profile. Maybe it's malice, but I think they have some problems..

This argument is nonsensical. The counter-point of this argument is downloading an App from the App Store, which is usually a 50MB+ download, which is worse than "Grey Rectangle City". I'm on a flight right now, and I'd rather use a PWA over airplane wifi than try to download a full app from the App Store. You're proposing that a 50MB+ download is somehow way better than a <1MB download and I don't buy that.. especially on slow networks.

This measurement of size is irrelevant. With application you get everything you need, none of the data needs to be lazy loaded or trick the user somehow to make up for the connection latency, hence "Rectangle city"

The PWA file sizes can easily surpass 50MB but the difference is it gets it intermittently and this depends on an uninterrupted cellular connection (the specific demographic PWA is targeting which is mobile) ends up producing an inferior experience to just downloading an app and it's not a tall order, phones now have crazy amount of storage and insanely fast WIFI.

Sure it would be nice to order condoms online from Amazon's PWA while waiting for my Starbucks, but I could've easily satisfied my impulses in front of a PC.

The seamless omni-channel bullshit Google is selling to retailers is not going well, which seemingly are their target market to counter Amazon's dominance in e-commerce.

Google has royally fucked up by eroding trust via AMP and have hurt the PWA initiative with poor timing. It's 10 years too early.

I also hate AMP, but I still disagree that downloading an app is better than using the browser (on a slow connection). If I already have the app, great— but I don’t want to download every app on earth “just in case”.

> Yeah, if the entire world was on 5g already

Even if the world was, I still wouldn't like it. Lightweight webpages are infinitely superior. Data is still expensive, particularly for those of us who can't afford unlimited.

Why can't we have porn or gambling apps on our iPhone though... c'mon Apple.

I get that you don’t want them in the store but at least add an adult store or something

>Apple offers a lookup tool for finding any business’ D-U-N-S number, allowing shady developers to forge their Enterprise Certificate application.

no kidding. Next would be DNB itself : https://www.dnb.com/duns-number/lookup.html

While DUNS are practically "SSN for enterprises", TechCrunch probably thinks that DUNS are used as a security-by-obscurity tool/measure in the same way as SSN is used. Fortunately for all of us - it isn't.

How thoughtful of TechCrunch to include a list of URLs for all of the porn and gambling apps they found.

(Seriously, I find that editorial decision pretty surprising. The table of certificate holders and their types of business seems journalistically relevant; download links maybe less so.)

In the age where anyone can say “fake news” and immediately cast doubt on the veracity of a journalist’s claims, it makes sense to be super transparent here.

They say this like it's a bad thing.

Since this is an option that seems to get ignored in these discussions, if you are an end user and you want to use unsigned apps, jailbreaking your device allows you to do this.

After jailbreaking, you can use a third party App Store like Cydia to find and install unsigned apps.


Doing this does not prevent you from using Apple's App Store or its apps.

Jailbreaking often voids your warranty.

If it's already out of warranty, then OK. But know the risks.

It's no more difficult to restore the device to factory defaults than it is to jailbreak it.


There is a huge aftermarket for iOS Enterprise certificates. They either get stolen or attackers get their hands on the users' credentials.

Mobile Safari is the worst offender.
