Apple fails to block porn & gambling ‘Enterprise’ apps – TechCrunch

Facebook and Google were far from the only developers openly abusing Apple’s Enterprise Certificate program meant for companies offering employee-only apps. A TechCrunch investigation uncovered a dozen hardcore pornography apps and a dozen real-money gambling apps that escaped Apple’s oversight. The developers passed Apple’s weak Enterprise Certificate screening process or piggybacked on a legitimate approval, allowing them to sidestep the App Store and Cupertino’s traditional safeguards designed to keep iOS family-friendly. Without proper oversight, they were able to operate these vice apps that blatantly flaunt Apple’s content policies.

The situation is further evidence that Apple has been neglecting its responsibility to police the Enterprise Certificate program, leading to its exploitation to circumvent App Store rules and forbidden categories. For a company whose CEO Tim Cook frequently criticizes its competitors for data misuse and policy fiascos like Facebook’s Cambridge Analytica, Apple’s failure to catch and block these porn and gambling apps demonstrates it has work to do itself.

Porn apps PPAV and iPorn (iP) continue to abuse Apple’s Enterprise Certificate program to sidestep the App Store’s ban on pornography. Nudity censored by TechCrunch


TechCrunch broke the news last week that Facebook and Google had broken the rules of Apple’s Enterprise Certificate program to distribute apps that installed VPNs or demanded root network access to collect all of a user’s traffic and phone activity for competitive intelligence. That led Apple to briefly revoke Facebook and Google’s Certificates, thereby disabling the companies’ legitimate employee-only apps, which caused office chaos.

Apple issued a fiery statement that “Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.” Meanwhile, dozens of prohibited apps were available for download from shady developers’ websites.

Apple offers a lookup tool for finding any business’ D-U-N-S number, allowing shady developers to forge their Enterprise Certificate application

The problem starts with Apple’s lax standards for accepting businesses to the enterprise program. The program is for companies to distribute apps only to their employees, and its policy explicitly states “You may not use, distribute or otherwise make Your Internal Use Applications available to Your Customers.” Yet Apple doesn’t adequately enforce these policies.

Developers simply have to fill out an online form and pay $299 to Apple, as detailed in this guide from Calvium. The form merely asks developers to pledge they’re building an Enterprise Certificate app for internal employee-only use, that they have the legal authority to register the business, provide a D-U-N-S business ID number and have an up-to-date Mac. You can easily Google a business’ address details and look up their D-U-N-S ID number with a tool Apple provides. After setting up an Apple ID and agreeing to its terms of service, businesses wait one to four weeks for a phone call from Apple asking them to reconfirm they’ll only distribute apps internally and are authorized to represent their business.

With just a few lies on the phone and web plus some Googleable public information, sketchy developers can get approved for an Apple Enterprise Certificate.

Real-money gambling apps openly advertise that they have iOS versions available that abuse the Enterprise Certificate program

Given the number of policy-violating apps that are being distributed to non-employees using registrations for businesses unrelated to their apps, it’s clear that Apple needs to tighten the oversight on the Enterprise Certificate program. TechCrunch found thousands of sites offering downloads of “sideloaded” Enterprise apps, and investigating just a sample uncovered numerous abuses. Using a standard un-jailbroken iPhone, TechCrunch was able to download and verify 12 pornography and 12 real-money gambling apps over the past week that were abusing Apple’s Enterprise Certificate system to offer apps prohibited from the App Store. These apps either offered streaming or pay-per-view hardcore pornography, or allowed users to deposit, win and withdraw real money — all of which would be prohibited if the apps were distributed through the App Store.

A whole screen of prohibited sideloaded porn and gambling apps TechCrunch was able to download through the Enterprise Certificate system

In an apparent effort to step up policy enforcement in the wake of TechCrunch’s investigation into Facebook and Google’s Enterprise Certificate violations, Apple appears to have disabled some of these apps in the past few days, but many remain operational. The porn apps that we discovered which are currently functional include Swag, PPAV, Banana Video, iPorn (iP), Pear, Poshow and AVBobo, while the currently functional gambling apps include RD Poker and RiverPoker.

The Enterprise Certificates for these apps were rarely registered to company names related to their true purpose. The only example was Lucky8 for gambling. Many of the apps used innocuous names like Interprener, Mohajer International Communications, Sungate and AsianLiveTech. Yet others seemed to have forged or stolen credentials to sign up under the names of completely unrelated but legitimate businesses. Dragon Gaming was registered to U.S. gravel supplier CSL-LOMA. As for porn apps, PPAV’s certificate is assigned to the Nanjing Jianye District Information Center, Douyin Didi was licensed under Moscow motorcycle company Akura OOO, Chinese app Pear is registered to Grupo Arcavi Sociedad Anonima in Costa Rica and AVBobo covers its tracks with the name of a Fresno-based company called Chaney Cabinet & Furniture Co.

You can see a full list of the policy-violating apps we found:

Apple refused to explain how these apps slipped into the Enterprise Certificate app program. It declined to say if it does any follow-up compliance audits on developers in the program or if it plans to change its admission process. An Apple spokesperson did provide this statement, though, indicating it will work to shut down these apps and potentially ban the developers from building iOS products entirely:

“Developers that abuse our enterprise certificates are in violation of the Apple Developer Enterprise Program Agreement and will have their certificates terminated, and if appropriate, they will be removed from our Developer Program completely. We are continuously evaluating the cases of misuse and are prepared to take immediate action.”

TechCrunch asked Guardian Mobile Firewall’s security expert Will Strafach to look at the apps we found and their Certificates. Strafach’s initial analysis of the apps didn’t find any glaring evidence that the apps misappropriate data, but they all do violate Apple’s Certificate policies and provide content banned from the App Store. “At the moment, I have noticed that action is slower regarding apps available from an independent website and not these easy-to-scrape app directories” that occasionally crop up offering centralized access to a plethora of sideloaded apps.

Porn app AVBobo uses an Enterprise Certificate registered to Fresno’s Chaney Cabinet & Furniture Co

Strafach explained how “A significant number of the Enterprise Certificates used to sign publicly available apps are referred to informally as ‘rogue certificates’ as they are often not associated with the named company. There are no hard facts to confirm the manner in which these certificates originate, but the result of the initial step is that individuals will gain control of an Enterprise Certificate attributable to a corporation, usually China/HK-based. Code services are then sold quietly on Chinese language marketplaces, resulting in sometimes 5 to 10 (or more) distinct apps being signed with the same Enterprise Certificate.” We found Sungate and Mohajer Certificates were farmed out for use by multiple apps in this way.
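The attribution work described above (reading the company a certificate is registered to, and noticing when one certificate signs several apps) can be automated on a defender’s side. The script below is an added example, not TechCrunch’s or Strafach’s tooling: it assumes an IPA is a zip whose Payload/<App>.app/embedded.mobileprovision is a CMS-signed blob wrapping an XML plist, and all app and team names in it are constructed.

```python
import io
import plistlib
import zipfile
from collections import defaultdict


def provisioning_plist(raw: bytes) -> dict:
    """Pull the XML plist out of a CMS-wrapped embedded.mobileprovision blob."""
    start, end = raw.find(b"<?xml"), raw.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist found in provisioning profile")
    return plistlib.loads(raw[start:end + len(b"</plist>")])


def profile_summary(ipa_bytes: bytes) -> dict:
    """Report which team signed the app and whether the profile is Enterprise."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        name = next(n for n in z.namelist()
                    if n.startswith("Payload/")
                    and n.endswith(".app/embedded.mobileprovision"))
        p = provisioning_plist(z.read(name))
    return {
        "app": name.split("/")[1].removesuffix(".app"),
        "team_name": p.get("TeamName"),
        "team_id": (p.get("TeamIdentifier") or [None])[0],
        # ProvisionsAllDevices is set only on Enterprise (in-house) profiles
        "enterprise": bool(p.get("ProvisionsAllDevices")),
    }


def shared_certificates(summaries: list) -> dict:
    """Group Enterprise-signed apps by team; several apps under one team is the
    'rogue certificate' pattern the article describes."""
    by_team = defaultdict(list)
    for s in summaries:
        if s["enterprise"]:
            by_team[s["team_id"]].append(s["app"])
    return {t: apps for t, apps in by_team.items() if len(apps) > 1}


def make_fake_ipa(app: str, team_name: str, team_id: str) -> bytes:
    """Constructed sample input: a minimal IPA with a fake CMS prefix, not a real app."""
    plist = plistlib.dumps({"Name": app, "TeamName": team_name,
                            "TeamIdentifier": [team_id], "ProvisionsAllDevices": True})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(f"Payload/{app}.app/embedded.mobileprovision", b"\x30\x82fakeCMS" + plist)
    return buf.getvalue()


# Constructed inventory: two apps share one hypothetical team, a third does not.
SAMPLE = [profile_summary(make_fake_ipa(a, n, t)) for a, n, t in [
    ("AppA", "Hypothetical Co", "TEAM0001"),
    ("AppB", "Hypothetical Co", "TEAM0001"),
    ("AppC", "Other Ltd", "TEAM0002"),
]]
```

Run over real IPAs, `shared_certificates` surfaces the teams whose certificate is signing more than one app, which is where a follow-up question about the named company belongs.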

“In my experience, Enterprise Certificate signed apps available on independent websites have not been harmful to users in a malicious sense, only in the sense that they have broken the rules,” Strafach notes. “Enterprise Certificate signed apps from these Chinese ‘helper’ tools, however, have been a mixed bag. For example, in multiple cases, we have noticed such apps with additional tracking and adware code injected into the original now-repackaged app being offered.”

Porn apps like Swag openly advertise their availability on iOS

Interestingly, none of the off-limits apps we discovered asked users to install a VPN like Google Screenwise, let alone root network access like Facebook Research. TechCrunch reported this month that both apps had been paying users to snoop on their private data. But the iOS versions were banned by Apple after we exposed their policy violations, and Apple also caused chaos at Facebook and Google’s offices by temporarily shutting down their employee-only iOS apps too. The fact that these two U.S. tech giants were more aggressive about collecting user data than shady Chinese porn and gambling apps is telling. “This is a cat-and-mouse game,” Strafach concluded regarding Apple’s struggle to keep out these apps. But given the rampant abuse, it seems Apple could easily add stronger verification processes and more check-ups to the Enterprise Certificate program. Developers should have to do more to prove their apps’ connection with the Certificate holder, and Apple should regularly audit certificates to see what kind of apps they’re powering.

Back when Facebook missed Cambridge Analytica’s abuse of its app platform, Cook was asked what he’d do in Mark Zuckerberg’s shoes. “I wouldn’t be in this situation” Cook frankly replied. But if Apple can’t keep porn and casinos off iOS, perhaps Cook shouldn’t be lecturing anyone else.


It’s the battle of the alien symbiotes in Venom: Let There Be Carnage trailer

Published

on

Tom Hardy returns to the big screen as the lethal protector Venom, taking on Woody Harrelson’s villainous Cletus Kasady/Carnage, in Sony’s forthcoming film Venom: Let There Be Carnage.

Tom Hardy (Mad Max: Fury Road) returns as intrepid reporter Eddie Brock, infected with a parasitic alien symbiote that gives him super powers, in Venom: Let There Be Carnage. Directed by motion-capture icon Andy Serkis, it’s the sequel to 2018’s box-office smash, Venom. After being delayed for nearly a year due to the ongoing pandemic, Sony just dropped the official trailer, in which Brock/Venom must battle serial killer Cletus Kasady (Woody Harrelson, Zombieland), infected with another alien symbiote dubbed Carnage.

(Some spoilers for the first film below.)

A Venom film was in development at New Line Cinema back in 1997, although the project didn’t really get off the ground until Sony acquired the rights to the character, as well as Spider-Man. Sony initially planned for Venom and Spider-Man to inhabit a shared universe, given their history in the comics. (Spider-Man was Venom’s first host, before moving on to Brock, and the character gradually evolved from villain to more of an antihero.) The disappointing box office performance of 2014’s The Amazing Spider-Man 2 changed those plans, and Venom was re-conceived as a standalone film, with Tom Hardy signing on as the star and Zombieland director Ruben Fleischer agreeing to direct.

That first film served as an origin story for our antihero. A bioengineering firm called the Life Foundation discovered a comet covered with symbiotic lifeforms and brought four samples back to Earth. Brock’s then-fiancée, Anne Weying (Michelle Williams, Fosse/Verdon), shows him classified documents revealing that the foundation is conducting human/symbiote experiments. The symbiotes need oxygen-breathing hosts to survive, but they invariably end up killing those hosts.

Hot on the story, Brock breaks into the research lab and ends up infected with one of the symbiotes, named Venom. Venom reveals that the symbiotes are intent on taking over Earth by possessing/devouring all humans, but Brock ultimately strikes up a bargain with Venom, and they decide to protect Earth instead. Together, they take on Life Foundation CEO Carlton Drake (Riz Ahmed, Sound of Metal), infected with a symbiote called Riot.

Venom was released in October 2018 and was roundly panned by critics, several of whom specifically bemoaned the lack of a Spider-Man connection. Audiences, however, begged to differ. Venom racked up $856 million globally and was the seventh-highest grossing film of the year. Hardy had already committed to two sequels, and a midcredits sequence featured Harrelson’s Cletus Kasady taunting Brock (who is interviewing Kasady for a story) from his cell. Kasady vows to escape and bring “carnage,” leaving little doubt as to the villain’s identity in a sequel.

Audiences particularly responded to the burgeoning relationship between Brock and Venom, who remained secretly bonded at the film’s end as a kind of hybrid vigilante. One scene in particular—Venom giving Brock a lingering French kiss while transferring from Anne’s body back to Brock’s—launched a thousand ships for “Symbrock.” Sony embraced the fan response by marketing the home release with ads playing up romantic-comedy overtones.

The trailer for Venom: Let There Be Carnage plays up more of a bromance/odd-couple angle, opening with Brock and Venom preparing breakfast—with mixed results—as Venom raspily sings along to “Let’s Call the Whole Thing Off.” Brock’s friendly neighborhood convenience store owner, Mrs. Chen (Peggy Lu, Always Be My Maybe), is back to provide comic relief, Williams reprises her role as Anne Weying, and Naomie Harris (Skyfall, Moonlight) plays a secondary villain named Shriek—because even serial killers like Kasady need a love interest, and this one can manipulate sound.

Other than Kasady’s escape and emergence as Carnage, the trailer gives little away as to the actual plot, although there do seem to be elements from the Maximum Carnage storyline. Chances are, if you enjoyed the first Venom film, you’ll like the sequel, too.

Venom: Let There Be Carnage opens exclusively in theaters on September 24, 2021.

Listing image by YouTube/Sony


Sony says PS5 could be difficult to find into 2022


This Sony engineer can get a PS5, but millions of others can’t, thanks to short supplies that are likely to continue.

Sony thinks demand could continue to outstrip supply of the PlayStation 5 into 2022. That’s according to a Bloomberg report citing a number of unnamed analysts who listened in on an explanatory call following Sony’s recent earnings report.

“I don’t think demand is calming down this year, and even if we secure a lot more devices and produce many more units of the PlayStation 5 next year, our supply wouldn’t be able to catch up with demand,” Sony CFO Hiroki Totoki reportedly said.

Sony has been warning for months that worldwide shortages of semiconductors and other components have made it hard to increase production for the PS5. But this is the most direct sign that those shortages will extend past this year and into the next.

Sony President and CEO Jim Ryan said in February that he expected PS5 supplies would “get better every month throughout 2021,” leading to “really decent numbers indeed” by the second half of this year. But Totoki amended that statement in April to say that it’s “not likely” Sony could “drastically increase the supply” before the company’s fiscal year ends in March 2022.

Supply problems aside, demand for the PS5 seems to be matching that of the early days of the PS4, which has sold over 115 million units to date. The PS5’s 7.8 million sales through March and 14.8 million additional projected sales in the current fiscal year are broadly in line with sales of the PlayStation 4 at the same point in its life cycle.

But while the PS4 was in short supply in the early months of 2014, by August of that year, Wired was citing the lack of retail PS4 shortages as one reason behind the system’s unexpected success at the time. In other words, the difference between shelves full of PS4s and shelves empty of PS5s is due to the supply, not demand, levels between the two systems.

Totoki reportedly told analysts that he “can’t imagine demand dropping easily” for the PS5, and that situation would continue to put pressure on Sony to increase supplies in any way it can. But with the company already taking a loss on every system sold, spending more money to secure scarce chips over competitors could be difficult (if it’s possible at all).

Put it all together, and you have a situation that could mirror that of the Nintendo Wii, which remained hard to find on store shelves for well over a year after its late-2006 release. That situation got so bad that former Nintendo of America President Reggie Fils-Aime had to actively deny that there was a conspiracy to keep Wii supplies artificially low.

Today, of course, Nintendo is facing the same semiconductor shortages as Sony in trying to keep up with demand for the Switch, as are many carmakers. All told, it looks like the “big scramble” for silicon chips is set to continue for a while.


New book Press Reset investigates the high human cost of game development


Jason Schreier’s latest deep dive on the game industry is out on May 11 at all major booksellers. (Image: Grand Central Publishing)

Games industry journalist Jason Schreier has left his mark over the years by digging up behind-the-scenes dirt at sites like Kotaku and Bloomberg, but he may be best known for Blood, Sweat, and Pixels. This 2017 book broke down like a Schreier “greatest hits” collection: every chapter followed a particular game and its lead studio through a wild “triple-A” period in the late ’00s and early ’10s.

If you’ve read BSP or any of Schreier’s other investigative stories, you’ll likely notice common threads at modern game studios, no matter which genre or specific company is involved. The first brilliant stroke of his newest book, Press Reset: Ruin and Recovery in the Game Industry, is to take that concept a step further. Individual games and studios get an occasional spotlight, but this time, Schreier often follows individual developer résumés to answer a few huge industry questions.
