Illicit iPhone App Store Has Been Hiding in Plain Sight (theverge.com)
44 points by plasticchris 31 days ago | 61 comments

This is a little worrisome and I think it's a bit irresponsible of The Verge to be publishing something like this without being clearer about what potential issues and vulnerabilities something like this could expose. They're making it sound like such a great thing without even attempting to talk through what possible attack vectors this exposes and what this could do to someone's device. "so long as you’re willing to hand the keys to your security and privacy to an unknown, likely China-based entity" doesn't cover it well enough, in my opinion. They need to give examples. This only highlights the disconnect in technology of people who know "how to use devices" but not how those devices work.

I disagree, and almost take exactly the opposite stance. I think it is a great thing, there are many apps on these app stores which are useful that apple would never allow. It is good to have alternative options.

I look at the wording of the title of this Verge article (and a few others that come out lately) and see it as another example of media spreading fear through unnecessarily alarming titles.

In reality, the risks are no different from manually installing an APK on Android, which no one has kicked up a fuss about.

That's not true at all. You're giving a random developer with whom you have no pre-established relationship, and allowing them to install an enterprise-level certificate on your device. You're giving them the ability to do all kinds of things with your device, either intentionally or unintentionally, that you'd never have if you were sideloading the app yourself. There's a reason that sideloading apps typically isn't a single-tap.

In other words, there are no useful apps on these stores because you have no idea of really knowing what their use is. Considering that they're already coming from nefarious sources, there's no reason to believe they're not a trojan horse for something worse.

Again, these are all things that a sideloaded APK on Android could do, without requiring an enterprise certificate, and requiring fewer steps.

I consider the phone to be firmly mine when I pay almost $1,000+ for it, and I want to be able to install whatever applications I want, not what Apple says I can have.

You've applied the term "nefarious sources" to a third party app store, to which I disagree. Do you take the same approach with your laptop? Can you download an exe or app from third party websites without having to go through a manufacturer approval process? I

Yes, this is all something you could do with a sideloaded APK. What I'm complaining about is the lax job that the Verge has done in explaining the implications of installing these certs and/or sideloading an APK. While it's not an insurmountable task, most people who sideload APKs on Android know the risks involved and need some level of proficiency in order to get to the end goal. I'm not opposed to people doing that but I am concerned that they might do that because they've been told they can get "free apps" or "apps that aren't on the App Store" without understanding any of the implications of what's happening when they go down that road.

Your phone is yours. Absolutely. No question. In the age of big data, security breaches, and identity theft, though, we shouldn't expect or want to make technology so stupidly easy that people unwittingly give up their privacy and security simply because they didn't know any better. And I know the old adage about "inventing a better idiot" but that's not what I'm concerned about here. I'm concerned about responsible disclosure of the information here. The downside is a few more inconvenient steps for people who would legitimately need to sideload or use a certificate like this while the upside is the ability for a non-savvy user to trust the technology in their hands.

What apps do you consider useful and safe on that store?

I consider that argument irrelevant. I shouldn't have to justify the apps that I want to use to you or my phone's manufacturer, just know that there are (or may be) other apps that I wish to install, that Apple (or you) may not necessarily approve of.

When I pay $1,000+ on a phone, I don't want its usefulness to be restricted to what Apple says I can do with it.

>When I pay $1,000+ on a phone, I don't want its usefulness to be restricted to what Apple says I can do with it.

Then don't buy an iPhone. It's not like you're paying that much money and then Apple is switching the phone out after you've paid. You're buying the device with the knowledge that it operates within Apple's walled garden before you ever take possession of it.

“It’s not clear what permissions you’re granting”. If they’re installing enterprise certs then you’re granting all the permissions, plus I’m sure a few no app in the store is going to be granted by Apple.

I think what they meant is that it's not clear to the average non technical user. It's clear to the average HN reader.

For 20+ years, in GUI design, it's been proven that if you present users with a challenge/warning prompt they will do whatever is necessary to click "yes/ok/i understand/install this thing" to accomplish what they think is their goal.

It would be worth having a deeply buried toggle within the iOS UI that you can change, if you're an actual developer. Otherwise installing an enterprise certificate on iOS should have larger, scarier, more time consuming and more difficult to bypass warnings.

>they will do whatever is necessary to accomplish what they think is their goal.

This is exactly my concern. As someone who had to deal with people jailbreaking their phones without any knowledge of what they were doing, this is exactly what I think the issue is. The difference is that, in this case, there's credible evidence to suggest that this is a data-mining operation in disguise and people will unknowingly allow it to get "free apps".

Enterprise certificates still need to ask for permission to access the camera, microphone, etc. But you're right: they can use entitlements that Apple will not grant normal App Store apps.

What? Enterprise profiles are only allowed the set of entitlements that they are granted, similar to the App Store.

Yes and most people who stumble upon this to get "free apps" are just going to allow all entitlements without really knowing what that means.

No, the entitlements are granted by Apple, not the user. It's not the same thing as the prompts you get for e.g. the Camera.

Right... but that's the case here. People are installing certs that grant all entitlements, a completely valid situation for someone using the certs as intended but not for someone unknowingly doing so. Apple is removing the certs whenever they can but that can't possibly cover every situation.

Mhm, and you can add any entitlements that Apple is willing to let you sign. Not all of these are allowed in App Store apps.

As an iOS developer, we get crash reports from the buggy ad libraries injected by these app stores all the time. Googling the injected library names actually comes up with surprisingly few results (mostly from the pirate community itself like /r/sideloaded) so I don't know how many developers are aware of this.

Are you building an app X that crashes because of a library installed by app Y?

I imagine that installing via Enterprise Certs doesn't remove the sandboxing around Y...

Can you please elaborate on what's actually happening?

A lot of sideloaded apps are normal app store apps with "tweaks" applied to them: think Snapchat that lets you keep images, or YouTube with no ads. Sometimes, these resigned apps have malware or ad libraries built into them.

Oh I think I understand the parent better now: he is the author of app X, and someone releases X' which is X with bogus libs/ads/etc with the Enterprise Cert.

The user of X' reports bugs to him/her as if it was legit X running, so he gets reports that don't really come from his/her app.

Yes! Except usually the bug reporting is automatic, and nobody bothers to disable this behavior when modifying the apps.

That was my understanding, hence my question. I don't understand how such an app can affect another app (which is what the parent was complaining about I think).

Also I'm confused as to why my question was downvoted... I'm a dev too who's released a few sandboxed apps (on iOS and macOS) and would like to understand if there is a vulnerability in the sandbox somewhere. Seems like this would be useful to understand for many devs.

No, there's no vulnerability in the sandbox. What is happening is that people are grabbing copies of an app, adding code to it (usually, by adding a new dynamic library and forcing the main binary to load it), and then distributing the modified app outside of the App Store. Any crashes in the modified app will still be reported to the original app developer, since aside from the small (or maybe not so small?) tweaks that were made the app functions like it normally would.

Aren't the crash-logging identity of the app, the sandboxing, the developer's identity and the code signing certificate all locked together?

I'm pretty sure everything is just linked to the bundle identifier.
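The mechanism described above (a copy of the app with an extra dylib added and a load command pointing at it, resigned under someone else's profile, still reporting crashes under the original bundle identifier) suggests a defensive check the original developer can ship. The following is an added example, not code from the thread or from any real app: at launch it reads the embedded provisioning profile (to learn the signing team and whether it is an enterprise profile) and lists Mach-O images loaded from inside the bundle that the build did not ship, so crash reports from modified copies can be tagged and filtered. `expectedTeamID` and `shippedImages` are placeholders the developer would fill in.

```swift
import Foundation
import MachO

/// What this running binary can learn about how it was signed and what it loaded.
struct SigningContext {
    var teamIdentifiers: [String] = []      // TeamIdentifier array from the profile
    var provisionsAllDevices = false        // true only for enterprise (in-house) profiles
    var unexpectedImages: [String] = []     // dylibs loaded from inside the .app we did not ship
}

/// Extract the XML plist from embedded.mobileprovision, which is a CMS-wrapped plist.
/// App Store builds carry no embedded profile, so this returns nil for them.
func readEmbeddedProfile() -> [String: Any]? {
    guard let path = Bundle.main.path(forResource: "embedded", ofType: "mobileprovision"),
          let data = FileManager.default.contents(atPath: path),
          let start = data.range(of: Data("<?xml".utf8)),
          let end = data.range(of: Data("</plist>".utf8)) else { return nil }
    let plist = data.subdata(in: start.lowerBound..<end.upperBound)
    let parsed = try? PropertyListSerialization.propertyList(from: plist, options: [], format: nil)
    return parsed as? [String: Any]
}

/// Walk every Mach-O image dyld has loaded and keep those that live inside our own
/// bundle but whose file name is not on the list the build shipped with. An injected
/// dylib is normally copied into the bundle and added as a load command, so it shows up here.
func unexpectedBundledImages(shipped: Set<String>) -> [String] {
    let bundlePath = Bundle.main.bundlePath
    var found: [String] = []
    for i in 0..<_dyld_image_count() {
        guard let cName = _dyld_get_image_name(i) else { continue }
        let path = String(cString: cName)
        guard path.hasPrefix(bundlePath) else { continue }   // system libraries are skipped
        let file = URL(fileURLWithPath: path).lastPathComponent
        if !shipped.contains(file) { found.append(path) }
    }
    return found
}

func currentSigningContext(shipped: Set<String>) -> SigningContext {
    var ctx = SigningContext()
    if let profile = readEmbeddedProfile() {
        ctx.teamIdentifiers = profile["TeamIdentifier"] as? [String] ?? []
        ctx.provisionsAllDevices = profile["ProvisionsAllDevices"] as? Bool ?? false
    }
    ctx.unexpectedImages = unexpectedBundledImages(shipped: shipped)
    return ctx
}

// Placeholders: the developer's real team ID and the binaries their build actually contains.
let expectedTeamID = "TEAMID0000"
let shippedImages: Set<String> = ["MyApp", "Alamofire"]

let ctx = currentSigningContext(shipped: shippedImages)
let looksResigned = ctx.provisionsAllDevices
    || (!ctx.teamIdentifiers.isEmpty && !ctx.teamIdentifiers.contains(expectedTeamID))
    || !ctx.unexpectedImages.isEmpty
// Attach `looksResigned`, `ctx.teamIdentifiers` and `ctx.unexpectedImages` as custom keys
// on the crash reporter so reports from modified copies can be separated in triage.
```

A genuine App Store build has no embedded profile and loads only the shipped images, so `looksResigned` stays false there; a resigned copy carrying an enterprise profile or an extra dylib trips at least one of the three conditions.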

All of this could be prevented if Apple allowed sideloading unapproved, but non-security threatening apps. Like when the Steam gaming app that posed zero security threats, that I very much want to use, got banned by Apple for posing a competitive threat!

You can if you sign it with your own, free, certificate. It will just expire quickly if free and require constant updating but surely that's an acceptable price to pay.

Can you please elaborate on this. Can a developer distribute iOS apps signed with their own certificate, that iOS will seamlessly allow to install and run?

No. They can install it on their own device, and others can sign with their own certificate and install.

Just Google "sideload iOS apps without jailbreak", you'll find all the guides you need.

Yes, but it requires work (namely UDID registration, and there are limits to this).

That's not sideloading, is it? It is just developer workflow to enable testing with a wider audience without actually submitting to the app store.

By sideloading, I mean the ability to install and run a binary downloaded off the internet. Mac OS allows this, but does put a prompt out. Android allows this as well. No certs, no UDID etc.

How do you determine if it's non-security threatening, though? Isn't that considered an approval process?

One way is to explicitly prompt the permission-requests prior to actual syscall invocation (as against at install time). The user can then choose to approve or deny. For instance, if a file-manager app is asking to read your SMS, you can opt to deny the permission, unless you're willing to risk the app misusing your data. What they do on the Mac is also acceptable - where they warn you about running apps from unapproved publishers.

This is how the iPhone has worked since 2008.

No - there is NO sideloading allowed on the iPhone.

This isn't true. Developer-signed applications can be sideloaded on iOS.

Where is the problem? If users install enterprise certificates despite the shown warnings, they want to take the risk.

These are the warnings you get: https://support.apple.com/en-us/HT204460. I don't think this adequately describes the potential risk.

OK, the warning could perhaps be better designed.

But I still don't see the huge problem:

"Trusted" has a very strong meaning when used for any computing device. So this is already a really, really strong warning sign (safeguard 1). Next, you explicitly have to go to the settings to manually trust the certificate (safeguard 2). This gives you a lot of time (i.e. you don't accidentally "click/touch OK") to inform yourself intensively of the consequences of the decision (safeguard 3). Even after that according to this link (no screenshot is shown), you explicitly have to confirm your decision again (safeguard 4). Now according to this link, you have to install the apps from the now-trusted developer manually (safeguard 5).

So I see at least 5 levels of safeguards that Apple introduced.

Illicit? What law or statute was broken? Breaking Apple's TOS still is, afaik, not illicit or illegal. Has this changed recently? Has someone been prosecuted under the CFAA or other law for breaking a company's TOS? Last I heard, it still wasn't illicit and the issue has not been heard by the Supremes: https://www.eff.org/deeplinks/2018/01/ninth-circuit-doubles-...

Talk about inaccurate, bad reporting...

From the description, it seems it certainly is an (illicit app) store.

Also, ‘illicit’ doesn’t necessarily mean “unlawful”. https://www.merriam-webster.com/dictionary/illicit#synonyms also mentions “not permitted”, and Apple doesn’t permit you to use an enterprise certificate in this way.

By that definition, Apple's own store is illicit because I don't permit any apps from it. Except that Apple does permit these stores to exist so by that exact definition they are not illicit. Either way, it doesn't make sense, it's confusing, and it's shitty, inaccurate writing.

Wait, so you shouldn't have rights to a device you paid for?

Yeah, you're not going to sell me on this line of bullshit. The amount of money you pay for an apple is a fucking purchase. So why do they maintain control of it? Eh?

They call this illicit but actually, this to me seems to be a valid use of the technology. The only reason Apple has to prevent this is to maintain the walled garden.

The only reason it is even 'illicit' is Apple arbitrarily determines what may or may not run on iOS. It's not illicit when PC software does something Microsoft doesn't like. The Amazon App Store isn't an illicit app store and apps downloaded from there aren't illicit compared to Google's app store. It's all just arbitrary, including their rules for what is allowed:

This historical version is my favorite in which Apple try to suppress negative press by threatening developers who fall victim to arbitrary rejections - "If you run to the press and trash us, it never helps."

Seriously, the "only reason"?

Once someone has bought an iPhone from Apple, it's no longer Apple's phone. Apple no longer owns it. If the owner of the phone (who is, again, not Apple) wishes to trust only Apple-approved software, that is 100% his choice. But if he wishes to install software that Apple doesn't approve of, that's also a 100% legitimate choice.

Sorry for all the emphasis, but this stuff is important. Once a manufacturer has sold a product, it no longer has any claim to it — none. It belongs to the purchaser, who is the sole owner.

OK but what does this have to do with the original point? There are plenty of reasons why Apple might want to prevent pirated app stores from being used on their devices: legal, ethical and sure, financial. But "keeping people in their walled garden" isn't the _only_ reason, is it?

When I jailbroke my iPhone 3G back in the day, Cydia was chock full of amazing, useful applications that extended the capabilities of my phone. I was actually able to run Pandora in the background while using other apps. At that time, background apps would not continue playing music, and probably could not do much else either. I had dashboards and quick launchers at the time when Apple didn't allow those things. I didn't pirate a single piece of software. It did let me use free software and apps that were not in the App Store.

It's well known that there were some sketchy apps in there. But how was that any different from having a Linux or Windows desktop wherein you can install whatever you want? I believe that the financial motivation (the walled garden) is the biggest one, but maybe not the only one.

While it's definitely the biggest incentive, there's also a customer-focus piece. I used to do third-party repairs for these devices and I can't tell you the number of people that would get mad at me and/or Apple because they jailbroke their phone and then did something to brick it. They had someone else jailbreak it for them, so they had no understanding of what had actually been done, and then they attempted to run updates that broke them. When people expect support, it makes sense to me that Apple would want to prevent those types of situations from occurring when they're the ones that have to deal with people who don't know or understand what they've done.

I think you're limiting the use to "pirated app stores" yourself. There are other apps on those app stores, ones that Apple wouldn't approve, but are still useful.

Taking away the question of whether Apple has the right to determine what is moral or ethical (I argue that they don't), I agree with the op in that the primary reason is to maintain the walled garden.

OP didn't say "primary reason"... OP said "only reason", and that is what the person you replied to is arguing against. While it may be the primary reason, it's not the _only_ reason.

> OK but what does this have to do with the original point? There are plenty of reasons why Apple might want to prevent pirated app stores from being used on their devices: legal, ethical and sure, financial.

That was my whole point: once sold, those phones are no longer Apple's devices. Apple has absolutely no legitimate say in what the new owners choose to do with those phones. Nor does Apple have any legal or ethical exposure to what the new owners do with their phones: that is the owners' liability.

Now, the owners may wish to enter an arrangement with Apple, and Apple may only choose to enter into that arrangement if the owners do certain things or refrain from doing certain things. That's completely fair.

What's not fair is 'selling' someone a device, but retaining ownership of it. That's not a sale; it's a lease.

Can you think of another one?

> There are plenty of reasons why Apple might want to prevent pirated app stores from being used on their devices: legal, ethical and sure, financial.

The comment you were replying to mentioned two others, right there...

Most expensive phones, however, are not purchased by the consumer but rather financed via contract, which means the phone technically belongs to the phone company - and they usually disallow jailbreaking or any other thing that would void the manufacturer warranty.

That's irrelevant. If the phone carrier wants to lock those phones down, fine, though Apple has typically fought against carrier mods.

However the same App Store policies apply to all iPhone owners, regardless of how it was purchased.

Terrifying that you could download apps that aren't in the official store. Why, it's almost like having an Android.

It's not great that you have to ruin security and install an enterprise cert to do this, but that's just the inevitable result of excessively locked down systems.

With Apple, if the adversary is a nation state that is willing to fight to affect its bottom line, Apple just falls in line, like an obedient lap dog. Cases in point: China iCloud & Saudi app that tracks women - in both cases Apple did what the respective governments demanded, while making a show of force in America over the FBI's request to unlock an actual terrorist's phone.

In this case, things can get interesting if these companies have Chinese government backing. WeChat went through a similar fight with Apple, where Apple was trying to shove its App Store guidelines as justification for denying extensions on WeChat, but as usual, Apple curled up in the corner the moment the Chinese government got involved.
