Apple claims to have very tight control over their app store. I don’t agree with this. After all, even when alerted to a major hack, Apple went 6 months without making any attempt to fix it. Regardless of this, it is a common perception that the Apple App Store is safer than others out there. Further proof of what the Apple media machine can do.
It is my personal opinion that Apple is not too quick to fix these flaws because it is not affecting their income. After all, hack after hack, even hacks that obtained major media attention like the Fappening, has done nothing to slow the sale of iPhones.
What happens when one of these flaws begins to cut into Apple’s cash flow? Will we see Apple leap to correct the issue? Or will it remain on the back burner like other exploits which leave the user at risk? We are about to find out. You see, there’s a new flaw that will be taking income away from Apple’s App Store.
Welcome to a free Apple App Store, where users can download paid apps for free, with an iPhone that doesn’t need to be jailbroken. vShare is an app store registered in Shanghai, where users can download apps such as Minecraft: Pocket Edition, which costs $6.99 on the Apple App Store, without paying Apple a dime. Popular apps such as Minecraft have been “liked” by downloaders in excess of 1.4 million times. Developers are of course taking the biggest hit with this loss due to pirated apps, but with Apple receiving a 30% share of revenue from paid apps, there could be a rather large potential loss to Apple. And Apple doesn’t like to lose money.
How are people downloading these pirated apps to a locked-down iPhone with no jailbreak? Thanks to Apple’s own Apple Developer Enterprise Program. With this program, companies that pay Apple $299 a year are able to install their own apps on their employees’ phones, using a trusted certificate, without going through the App Store. It appears that vShare is cycling through four of these trusted certificates, enabling users to download these pirated apps.
Oddly enough, this is not the first time we have seen this process being misused. The second Masque Attack used the same process to put malware on iPhones. There is no indication at this point that vShare is dispersing malware to users, but of course the transport is already there.
Apple made no changes to this trusted security certificate process after Masque Attack 2. With this misuse of the process, Apple is seeing a financial loss. Is this what it takes for Apple to plug the hole in its walled garden? Time will tell.