The term bad actor refers to an individual(s) who is unruly, turbulent, contentious, and a troublemaker. The term bad actors has recently come into more common use, thanks to current cybersecurity and privacy issues. Bad actors are often blamed for major credit card hacks as well as phishing and email scams. Now, bad actors are being blamed for finding a way to distribute pirated iOS apps to iOS users.
The pirated apps being circulated include Spotify, Angry Birds, Pokémon GO, and Minecraft. The bad actors, whom Reuters calls “illicit software distributors,” include TutuApp, Panda Helper, AppValley, and TweakBox. These distributors have found a way to access digital developer certificates meant for legitimate businesses to distribute apps to their employees en masse.
These distributors are able to provide full versions of legitimate apps that are stripped of their revenue source, such as in-app ads. This is clearly a violation of Apple’s App Store and developer rules. Reuters says that Apple does not have a way to track the real-time distribution of the certificates or pirated apps. It can cancel a certificate should it find one that is being misused. These are the same certificates Google and Facebook were misusing to distribute testing apps to users.
Developers that abuse our enterprise certificates are in violation of the Apple Developer Enterprise Program Agreement and will have their certificates terminated, and if appropriate, they will be removed from our Developer Program completely. We are continuously evaluating the cases of misuse and are prepared to take immediate action.Apple Spokesperson – Via Reuters
You may be tempted to go find these third-party distributors to get a few pirated apps, but be warned. Since these apps are not going through Apple’s App Store screening, there is a higher chance they may contain malware or tracking software.
After Reuters initially contacted Apple for comment last week, some of the pirates were banned from the system, but within days they were using different certificates and were operational again.
Apple confirmed a media report on Wednesday that it would require two-factor authentication – using a code sent to a phone as well as a password – to log into all developer accounts by the end of this month, which could help prevent certificate misuse.Reuters