Apple fails to block porn & gambling ‘Enterprise’ apps – TechCrunch

Facebook and Google were far from the only developers openly abusing Apple’s Enterprise Certificate program meant for companies offering employee-only apps. A TechCrunch investigation uncovered a dozen hardcore pornography apps and a dozen real-money gambling apps that escaped Apple’s oversight. The developers passed Apple’s weak Enterprise Certificate screening process or piggybacked on a legitimate approval, allowing them to sidestep the App Store and Cupertino’s traditional safeguards designed to keep iOS family-friendly. Without proper oversight, they were able to operate these vice apps that blatantly flout Apple’s content policies.

The situation shows further evidence that Apple has been neglecting its responsibility to police the Enterprise Certificate program, leading to its exploitation to circumvent App Store rules and forbidden categories. For a company whose CEO Tim Cook frequently criticizes its competitors for data misuse and policy fiascos like Facebook’s Cambridge Analytica, Apple’s failure to catch and block these porn and gambling apps demonstrates it has work to do itself.

Porn apps PPAV and iPorn (iP) continue to abuse Apple’s Enterprise Certificate program to sidestep the App Store’s ban on pornography. Nudity censored by TechCrunch


TechCrunch broke the news last week that Facebook and Google had broken the rules of Apple’s Enterprise Certificate program to distribute apps that installed VPNs or demanded root network access to collect all of a user’s traffic and phone activity for competitive intelligence. That led Apple to briefly revoke Facebook and Google’s Certificates, thereby disabling the companies’ legitimate employee-only apps, which caused office chaos.

Apple issued a fiery statement that “Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.” Meanwhile, dozens of prohibited apps were available for download from shady developers’ websites.

Apple offers a lookup tool for finding any business’ D-U-N-S number, allowing shady developers to forge their Enterprise Certificate application

The problem starts with Apple’s lax standards for accepting businesses to the enterprise program. The program is for companies to distribute apps only to their employees, and its policy explicitly states “You may not use, distribute or otherwise make Your Internal Use Applications available to Your Customers.” Yet Apple doesn’t adequately enforce these policies.

Developers simply have to fill out an online form and pay $299 to Apple, as detailed in this guide from Calvium. The form merely asks developers to pledge they’re building an Enterprise Certificate app for internal employee-only use, that they have the legal authority to register the business, provide a D-U-N-S business ID number and have an up-to-date Mac. You can easily Google a business’ address details and look up their D-U-N-S ID number with a tool Apple provides. After setting up an Apple ID and agreeing to its terms of service, businesses wait one to four weeks for a phone call from Apple asking them to reconfirm they’ll only distribute apps internally and are authorized to represent their business.

With just a few lies on the phone and web plus some Googleable public information, sketchy developers can get approved for an Apple Enterprise Certificate.

Real-money gambling apps openly advertise that they have iOS versions available that abuse the Enterprise Certificate program

Given the number of policy-violating apps that are being distributed to non-employees using registrations for businesses unrelated to their apps, it’s clear that Apple needs to tighten the oversight on the Enterprise Certificate program. TechCrunch found thousands of sites offering downloads of “sideloaded” Enterprise apps, and investigating just a sample uncovered numerous abuses. Using a standard un-jailbroken iPhone, TechCrunch was able to download and verify 12 pornography and 12 real-money gambling apps over the past week that were abusing Apple’s Enterprise Certificate system to offer apps prohibited from the App Store. These apps either offered streaming or pay-per-view hardcore pornography, or allowed users to deposit, win and withdraw real money — all of which would be prohibited if the apps were distributed through the App Store.

A whole screen of prohibited sideloaded porn and gambling apps TechCrunch was able to download through the Enterprise Certificate system

In an apparent effort to step up policy enforcement in the wake of TechCrunch’s investigation into Facebook and Google’s Enterprise Certificate violations, Apple appears to have disabled some of these apps in the past few days, but many remain operational. The porn apps that we discovered which are currently functional include Swag, PPAV, Banana Video, iPorn (iP), Pear, Poshow and AVBobo, while the currently functional gambling apps include RD Poker and RiverPoker.

The Enterprise Certificates for these apps were rarely registered to company names related to their true purpose. The only example was Lucky8 for gambling. Many of the apps used innocuous names like Interprener, Mohajer International Communications, Sungate and AsianLiveTech. Yet others seemed to have forged or stolen credentials to sign up under the names of completely unrelated but legitimate businesses. Dragon Gaming was registered to U.S. gravel supplier CSL-LOMA. As for porn apps, PPAV’s certificate is assigned to the Nanjing Jianye District Information Center, Douyin Didi was licensed under Moscow motorcycle company Akura OOO, Chinese app Pear is registered to Grupo Arcavi Sociedad Anonima in Costa Rica and AVBobo covers its tracks with the name of a Fresno-based company called Chaney Cabinet & Furniture Co.

You can see a full list of the policy-violating apps we found:

Apple refused to explain how these apps slipped into the Enterprise Certificate app program. It declined to say if it does any follow-up compliance audits on developers in the program or if it plans to change the admission process. An Apple spokesperson did provide this statement, though, indicating it will work to shut down these apps and potentially ban the developers from building iOS products entirely:

“Developers that abuse our enterprise certificates are in violation of the Apple Developer Enterprise Program Agreement and will have their certificates terminated, and if appropriate, they will be removed from our Developer Program completely. We are continuously evaluating the cases of misuse and are prepared to take immediate action.”

TechCrunch asked Guardian Mobile Firewall’s security expert Will Strafach to look at the apps we found and their Certificates. Strafach’s initial analysis of the apps didn’t find any glaring evidence that the apps misappropriate data, but they all do violate Apple’s Certificate policies and provide content banned from the App Store. “At the moment, I have noticed that action is slower regarding apps available from an independent website and not these easy-to-scrape app directories” that occasionally crop up offering centralized access to a plethora of sideloaded apps.

Porn app AVBobo uses an Enterprise Certificate registered to Fresno’s Chaney Cabinet & Furniture Co

Strafach explained how “A significant number of the Enterprise Certificates used to sign publicly available apps are referred to informally as ‘rogue certificates’ as they are often not associated with the named company. There are no hard facts to confirm the manner in which these certificates originate, but the result of the initial step is that individuals will gain control of an Enterprise Certificate attributable to a corporation, usually China/HK-based. Code services are then sold quietly on Chinese language marketplaces, resulting in sometimes 5 to 10 (or more) distinct apps being signed with the same Enterprise Certificate.” We found Sungate and Mohajer Certificates were farmed out for use by multiple apps in this way.

“In my experience, Enterprise Certificate signed apps available on independent websites have not been harmful to users in a malicious sense, only in the sense that they have broken the rules,” Strafach notes. “Enterprise Certificate signed apps from these Chinese ‘helper’ tools, however, have been a mixed bag. For example, in multiple cases, we have noticed such apps with additional tracking and adware code injected into the original now-repackaged app being offered.”

Porn apps like Swag openly advertise their availability on iOS

Interestingly, none of the off-limits apps we discovered asked users to install a VPN like Google Screenwise, let alone root network access like Facebook Research. TechCrunch reported this month that both apps had been paying users to snoop on their private data. But the iOS versions were banned by Apple after we exposed their policy violations, and Apple also caused chaos at Facebook and Google’s offices by temporarily shutting down their employee-only iOS apps too. The fact that these two U.S. tech giants were more aggressive about collecting user data than shady Chinese porn and gambling apps is telling. “This is a cat-and-mouse game,” Strafach concluded regarding Apple’s struggle to keep out these apps. But given the rampant abuse, it seems Apple could easily add stronger verification processes and more check-ups to the Enterprise Certificate program. Developers should have to do more to prove their apps’ connection with the Certificate holder, and Apple should regularly audit certificates to see what kind of apps they’re powering.
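The kind of certificate audit the paragraph above asks for, written here as an added example that is not TechCrunch’s or Apple’s code: it reads the plist carried inside each installed app’s embedded.mobileprovision (constructed below without the CMS signature wrapper) and flags enterprise signing teams whose one certificate covers several unrelated bundle IDs, the fan-out Strafach describes for farmed-out “rogue certificates”. All team names, team IDs and bundle IDs are made up for the demo.

```python
import plistlib
from collections import defaultdict
from datetime import datetime, timedelta


def make_profile(team_id, team_name, bundle_id, enterprise, days_left=300):
    """Build a constructed provisioning-profile plist (bytes) for this demo.

    A real embedded.mobileprovision wraps this XML plist in a CMS signature.
    """
    profile = {
        "AppIDName": bundle_id,
        "TeamIdentifier": [team_id],
        "TeamName": team_name,
        "Entitlements": {"application-identifier": f"{team_id}.{bundle_id}"},
        "ExpirationDate": datetime.now() + timedelta(days=days_left),
    }
    if enterprise:
        # Set only on in-house (enterprise) distribution profiles.
        profile["ProvisionsAllDevices"] = True
    return plistlib.dumps(profile)


def parse_profile(raw):
    """Extract signing team, bundle id and profile type from a profile plist."""
    p = plistlib.loads(raw)
    app_id = p["Entitlements"]["application-identifier"]
    team_id, _, bundle_id = app_id.partition(".")
    return {
        "team_id": team_id,
        "team_name": p.get("TeamName", "<unknown>"),
        "bundle_id": bundle_id,
        "enterprise": bool(p.get("ProvisionsAllDevices", False)),
        "expired": p["ExpirationDate"] < datetime.now(),
    }


def audit_profiles(profiles, threshold=3):
    """Group live enterprise-signed apps by signing team and flag fan-out.

    `profiles` maps an installed app's bundle id to its profile plist bytes.
    A team whose certificate signs `threshold` or more distinct bundle ids
    matches the farmed-out 'rogue certificate' pattern; a company's own
    internal tools are usually one or two apps.
    """
    by_team = defaultdict(set)
    team_names = {}
    for raw in profiles.values():
        info = parse_profile(raw)
        if not info["enterprise"] or info["expired"]:
            continue  # App Store / ad-hoc / expired profiles are out of scope
        by_team[info["team_id"]].add(info["bundle_id"])
        team_names[info["team_id"]] = info["team_name"]
    findings = [
        {"team_id": t, "team_name": team_names[t], "bundle_ids": sorted(b)}
        for t, b in by_team.items()
        if len(b) >= threshold
    ]
    return sorted(findings, key=lambda f: f["team_id"])


# Constructed device inventory: one team signing three unrelated apps, one
# team with a single internal app, an expired profile and an App Store app.
SAMPLE_INVENTORY = {
    "com.cardroom.poker": make_profile("ENT111111A", "Gravel Supply Co", "com.cardroom.poker", True),
    "com.vidstream.play": make_profile("ENT111111A", "Gravel Supply Co", "com.vidstream.play", True),
    "com.luckyspin.slots": make_profile("ENT111111A", "Gravel Supply Co", "com.luckyspin.slots", True),
    "com.oldapp.retired": make_profile("ENT111111A", "Gravel Supply Co", "com.oldapp.retired", True, days_left=-5),
    "com.rockhaul.fieldops": make_profile("ENT222222B", "Rock Haulers Inc", "com.rockhaul.fieldops", True),
    "com.bigstore.app": make_profile("ENT333333C", "Big Store LLC", "com.bigstore.app", False),
}
```

Running `audit_profiles(SAMPLE_INVENTORY)` reports only the team whose certificate signs three unrelated live apps; the single-app internal team, the expired profile and the App Store profile are not flagged.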

Back when Facebook missed Cambridge Analytica’s abuse of its app platform, Cook was asked what he’d do in Mark Zuckerberg’s shoes. “I wouldn’t be in this situation” Cook frankly replied. But if Apple can’t keep porn and casinos off iOS, perhaps Cook shouldn’t be lecturing anyone else.

This site posted every face from Parler’s Capitol Hill insurrection videos

Getty Images | Wired

When hackers exploited a bug in Parler to download all of the right-wing social media platform’s contents last week, they were surprised to find that many of the pictures and videos contained geolocation metadata revealing exactly how many of the site’s users had taken part in the invasion of the US Capitol building just days before. But the videos uploaded to Parler also contain an equally sensitive bounty of data sitting in plain sight: thousands of images of unmasked faces, many of whom participated in the Capitol riot. Now one website has done the work of cataloging and publishing every one of those faces in a single, easy-to-browse lineup.

Late last week, a website called Faces of the Riot appeared online, showing nothing but a vast grid of more than 6,000 images of faces, each one tagged only with a string of characters associated with the Parler video in which it appeared. The site’s creator tells WIRED that he used simple open source machine learning and facial recognition software to detect, extract, and deduplicate every face from the 827 videos that were posted to Parler from inside and outside the Capitol building on January 6, the day when radicalized Trump supporters stormed the building in a riot that resulted in five people’s deaths. The creator of Faces of the Riot says his goal is to allow anyone to easily sort through the faces pulled from those videos to identify someone they may know or recognize who took part in the mob, or even to reference the collected faces against FBI wanted posters and send a tip to law enforcement if they spot someone.

“Everybody who is participating in this violence, what really amounts to an insurrection, should be held accountable,” says the site’s creator, who asked for anonymity to avoid retaliation. “It’s entirely possible that a lot of people who were on this website now will face real-life consequences for their actions.”

Aside from the clear privacy concerns it raises, Faces of the Riot’s indiscriminate posting of faces doesn’t distinguish between lawbreakers—who trampled barriers, broke into the Capitol building, and trespassed in legislative chambers—and people who merely attended the protests outside. An upgrade to the site today adds hyperlinks from faces to the video source, so that visitors can click on any face and see what the person was filmed doing on Parler. The Faces of the Riot creator, who says he’s a college student in the “greater DC area,” intends that added feature to help contextualize every face’s inclusion on the site and differentiate between bystanders, peaceful protesters, and violent insurrectionists.

He concedes that he and a cocreator are still working to scrub “non-rioter” faces, including those of police and press who were present. A message at the top of the site also warns against vigilante investigations, instead suggesting users report those they recognize to the FBI, with a link to an FBI tip page. “If you go on the website and you see someone you know, you might learn something about a relative,” he says. “Or you might be like, oh, I know this person, and then further that information to the authorities.”

Looking for faces

Despite its disclaimers and limitations, Faces of the Riot represents the serious privacy dangers of pervasive facial recognition technology, says Evan Greer, the campaign director for digital civil liberties nonprofit Fight for the Future. “Whether it’s used by an individual or by the government, this technology has profound implications for human rights and freedom of expression,” says Greer, whose organization has fought for a legislative ban on facial recognition technologies. “I think it would be an enormous mistake if we come out of this moment by glorifying or lionizing a technology that, broadly speaking, disproportionately harms communities of color, low-income communities, immigrant communities, Muslim communities, activists… the very same people that the faces on this website stormed the Capitol for the purpose of silencing and disenfranchising.”

The site’s developer counters that Faces of the Riot leans not on facial recognition but facial detection. While he did use the open source machine learning tool TensorFlow and the facial recognition software Dlib to analyze the Parler videos, he says he used that software only to detect and “cluster” faces from the 11 hours of video of the Capitol riot; Dlib allowed him to deduplicate the 200,000 images of faces extracted from video frames to around 6,000 unique faces. (He concedes that there are nonetheless some duplicates and images of faces on protest signs included too. Even the number “45” on some signs was in some cases identified as a human face.)

He emphasizes also that there’s no search tool on the site, and it doesn’t attempt to link faces with names or other identifying details. Nor is there any feature for uploading an image and matching it with images in the site’s collection, which he says could lead to dangerous misidentifications. “There’s a very hard no on allowing a user to take a photo from a wanted poster and search for it,” the site’s creator says. “That’s never going to happen.”

The roughly 42 gigabytes of Parler videos that Faces of the Riot analyzed were downloaded prior to Amazon’s decision early last week to cut off Parler’s web hosting, leaving the site largely offline since. Racing against that takedown, hacktivists took advantage of a security flaw in Parler that allowed them to download and archive every post from the service, which bills itself as an uncensored “free speech” alternative to Twitter or Facebook. Faces of the Riot obtained Parler’s salvaged videos after they were made available online by Kyle McDonald, a media artist who obtained them from a third party he declined to identify.

The Faces of the Riot site’s creator initially saw the data as a chance to experiment with machine learning tools, but quickly saw the potential for a more public project. “After about 10 minutes I thought, this is actually a workable idea and I can do something that will help people,” he says. Faces of the Riot is the first website he’s ever created.

McDonald has previously both criticized the power of facial recognition technology and himself implemented facial recognition projects like ICEspy, a tool he launched in 2018 for identifying agents of the Immigration and Customs Enforcement agency. He tells WIRED he also analyzed the leaked Parler videos with facial recognition tools to see if he could identify individuals, but could only ID two, both of whom had already been named by media. He sees Faces of the Riot as “playing it really safe” compared even to his own facial recognition experiments, given that it doesn’t seek to link faces with named identities. “And I think it’s a good call because I don’t think that we need to legitimize this technology any more than it already is and has been falsely legitimized,” McDonald says.

But McDonald also points out that Faces of the Riot demonstrates just how accessible facial recognition technologies have become. “It shows how this tool that has been restricted only to people who have the most education, the most power, the most privilege is now in this more democratized state,” McDonald says.

The Faces of the Riot site’s creator sees it as more than an art project or demonstration. Despite the safeguards he put in place to limit its ability to automatically identify people, he still hopes that the effort will have real, tangible results—if only indirectly through reports to law enforcement. “It’s just felt like people got away with a lot of bad stuff for the last four years,” he says. “This is an opportunity to start trying to put that to an end.”

This story originally appeared on wired.com.

Blizzard absorbs acclaimed Activision studio as a dedicated “support” team

Blizzard Entertainment

The corporate-behemoth organism that is Blizzard Entertainment, which exists in a symbiotic state next to megaton game publisher Activision, became blurrier on Friday with a surprise announcement: It has absorbed a game studio within the Activision family, effective immediately.

Vicarious Visions, a longtime game studio that was acquired by Activision in 2005, has been shuffled out of the Activision ecosystem and pumped directly into Blizzard’s veins. In a statement offered to GamesIndustry.biz, Blizzard confirmed that the 200+ staff at Vicarious Visions have been shifted to a “long-term support” team focused entirely on “existing Blizzard games and initiatives.” The news also includes a mild shuffle of leadership, sending current Vicarious studio head Jen Oneal to the Blizzard leadership board as executive vice president of development.

The statement did not clarify exactly when this arrangement began, nor which of Blizzard’s “existing” projects would receive Vicarious staff support in particular. (Blizzard representatives did not immediately respond to Ars Technica’s questions about the deal.) As of press time, neither Blizzard nor Vicarious have published details or terms about the deal on their respective blogs or social media channels. In fact, Vicarious Visions’ website is currently offline altogether.

Where will they land in the credits scroll?

Vicarious certainly has its share of publicly announced Blizzard projects to pick from, between Overwatch 2, Diablo IV, and whatever World of WarCraft expansion eventually emerges like clockwork. Or, heck, maybe Vicarious has been brought on board to finally wrest WarCraft III: Reforged from its shameful spiral as 2020’s most disappointing video game.

Whatever the project(s) may be, the staff certainly won’t continue the studio’s stellar track record as one of Activision’s brighter spots. Whether it was the studio’s stellar work getting 2020’s Tony Hawk’s Pro Skater 1+2 into twitch-perfect shape, massaging the original Crash Bandicoot trilogy into a solid remaster, or even delivering one of the Marvel universe’s best co-op brawlers in an era well before Iron Man redeemed the comic empire’s public reputation, Vicarious will forever be remembered as an Activision bright spot. We hope the same can be said for the team’s future work, as it’s shuffled into the bottom of a credits scroll for existing Blizzard properties.

Blizzard has rarely gone to the trouble of absorbing an outside studio—with “Blizzard North” being the largest exception, when the company took on David Brevik’s existing team (then dubbed Condor) to formally join the Blizzard family in 1995. This concluded a bidding war: “3DO offered us twice as much money,” Brevik said in a 2016 GDC presentation. “We turned them down. Really, because we felt that Blizzard really got us and got [Diablo 1]. We were so close in company culture and beliefs.”

Xbox Live price increase sets a new $10/month floor for online access

Xbox users will soon have to pay at least $10/month for the baseline Xbox Live Gold subscription needed for online play on Xbox consoles. That’s a significant increase from the recent floor of $5/month for an annual subscription.

The new pricing, as Microsoft unveiled this morning, is as follows (or a “local market equivalent” outside the US):

  • One month: $11/month (previously $10/month)
  • Three months: $30, $10/month (Previously $25, $8.33/month)
  • Six months: $60, $10/month (Previously $40, $6.67/month)

A 12-month, $60 subscription plan was officially removed from Microsoft’s online store last July, but annual digital subscriptions at that $5/month rate are still currently available from a variety of retail partners. It’s unclear if those offerings will continue, but a new annual subscription option was not mentioned in Microsoft’s announcement this morning. Microsoft does note that current 6-month and 12-month subscribers will be able to “renew at the current price” for the time being, though (current members will receive email notices about the new prices, and the new rates won’t apply to them for at least 45 days).

For those who can’t renew at the old rates, the new minimum of $120/year might seem rather steep in exchange for access to online play and a handful of selected monthly “Games With Gold” freebies. A comparable 12-month PlayStation Plus subscription still costs $60, while an annual Nintendo Switch Online subscription runs just $20 (with a bevy of classic emulated NES and SNES games included).

Xbox Live Gold’s new minimum price is also just $5/month less than the $15/month base price for Xbox Game Pass Ultimate. That subscription includes all the benefits of Xbox Live Gold and access to hundreds of downloadable PC and Xbox ecosystem games, as well as streaming mobile access through xCloud (regular “Game Pass for console” or “Game Pass for PC” without the Xbox Live benefits currently runs $10/month).

The Xbox Live price increase seems designed to drive more users to that expanded Game Pass Ultimate offering, which passed 15 million subscribers last September. In fact, users who upgrade a current Xbox Live Gold subscription to Game Pass Ultimate will automatically have up to 36 months of pre-paid Xbox Live subscription time converted to Game Pass Ultimate for free (echoing similar conversion deals offered in the past).

Microsoft last raised the price of Xbox Live back in 2010, when a one-month subscription increased from $8 to $10 and an annual subscription went from $50 to $60.

Listing image by Getty Images / Aurich Lawson
