Apple fails to block porn & gambling ‘Enterprise’ apps – TechCrunch

Facebook and Google were far from the only developers openly abusing Apple’s Enterprise Certificate program meant for companies offering employee-only apps. A TechCrunch investigation uncovered a dozen hardcore pornography apps and a dozen real-money gambling apps that escaped Apple’s oversight. The developers passed Apple’s weak Enterprise Certificate screening process or piggybacked on a legitimate approval, allowing them to sidestep the App Store and Cupertino’s traditional safeguards designed to keep iOS family-friendly. Without proper oversight, they were able to operate these vice apps that blatantly flout Apple’s content policies.

The situation shows further evidence that Apple has been neglecting its responsibility to police the Enterprise Certificate program, leading to its exploitation to circumvent App Store rules and forbidden categories. For a company whose CEO Tim Cook frequently criticizes its competitors for data misuse and policy fiascos like Facebook’s Cambridge Analytica, Apple’s failure to catch and block these porn and gambling apps demonstrates it has work to do itself.

Porn apps PPAV and iPorn (iP) continue to abuse Apple’s Enterprise Certificate program to sidestep the App Store’s ban on pornography. Nudity censored by TechCrunch.

TechCrunch broke the news last week that Facebook and Google had broken the rules of Apple’s Enterprise Certificate program to distribute apps that installed VPNs or demanded root network access to collect all of a user’s traffic and phone activity for competitive intelligence. That led Apple to briefly revoke Facebook and Google’s Certificates, thereby disabling the companies’ legitimate employee-only apps, which caused office chaos.

Apple issued a fiery statement that “Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.” Meanwhile, dozens of prohibited apps were available for download from shady developers’ websites.

Apple offers a lookup tool for finding any business’ D-U-N-S number, allowing shady developers to forge their Enterprise Certificate application

The problem starts with Apple’s lax standards for accepting businesses to the enterprise program. The program is for companies to distribute apps only to their employees, and its policy explicitly states “You may not use, distribute or otherwise make Your Internal Use Applications available to Your Customers.” Yet Apple doesn’t adequately enforce these policies.

Developers simply have to fill out an online form and pay $299 to Apple, as detailed in this guide from Calvium. The form merely asks developers to pledge they’re building an Enterprise Certificate app for internal employee-only use, that they have the legal authority to register the business, provide a D-U-N-S business ID number and have an up to date Mac. You can easily Google a business’ address details and look up their D-U-N-S ID number with a tool Apple provides. After setting up an Apple ID and agreeing to its terms of service, businesses wait one to four weeks for a phone call from Apple asking them to reconfirm they’ll only distribute apps internally and are authorized to represent their business.

With just a few lies on the phone and web plus some Googleable public information, sketchy developers can get approved for an Apple Enterprise Certificate.

Real-money gambling apps openly advertise that they have iOS versions available that abuse the Enterprise Certificate program

Given the number of policy-violating apps that are being distributed to non-employees using registrations for businesses unrelated to their apps, it’s clear that Apple needs to tighten the oversight on the Enterprise Certificate program. TechCrunch found thousands of sites offering downloads of “sideloaded” Enterprise apps, and investigating just a sample uncovered numerous abuses. Using a standard un-jailbroken iPhone, TechCrunch was able to download and verify 12 pornography and 12 real-money gambling apps over the past week that were abusing Apple’s Enterprise Certificate system to offer apps prohibited from the App Store. These apps either offered streaming or pay-per-view hardcore pornography, or allowed users to deposit, win and withdraw real money — all of which would be prohibited if the apps were distributed through the App Store.

A whole screen of prohibited sideloaded porn and gambling apps TechCrunch was able to download through the Enterprise Certificate system

In an apparent effort to step up policy enforcement in the wake of TechCrunch’s investigation into Facebook and Google’s Enterprise Certificate violations, Apple appears to have disabled some of these apps in the past few days, but many remain operational. The porn apps that we discovered which are currently functional include Swag, PPAV, Banana Video, iPorn (iP), Pear, Poshow and AVBobo, while the currently functional gambling apps include RD Poker and RiverPoker.

The Enterprise Certificates for these apps were rarely registered to company names related to their true purpose. The only example was Lucky8 for gambling. Many of the apps used innocuous names like Interprener, Mohajer International Communications, Sungate and AsianLiveTech. Yet others seemed to have forged or stolen credentials to sign up under the names of completely unrelated but legitimate businesses. Dragon Gaming was registered to U.S. gravel supplier CSL-LOMA. As for porn apps, PPAV’s certificate is assigned to the Nanjing Jianye District Information Center, Douyin Didi was licensed under Moscow motorcycle company Akura OOO, Chinese app Pear is registered to Grupo Arcavi Sociedad Anonima in Costa Rica and AVBobo covers its tracks with the name of a Fresno-based company called Chaney Cabinet & Furniture Co.

You can see a full list of the policy-violating apps we found:

Apple refused to explain how these apps slipped into the Enterprise Certificate app program. It declined to say if it does any follow-up compliance audits on developers in the program or if it plans to change its admission process. An Apple spokesperson did provide this statement, though, indicating it will work to shut down these apps and potentially ban the developers from building iOS products entirely:

“Developers that abuse our enterprise certificates are in violation of the Apple Developer Enterprise Program Agreement and will have their certificates terminated, and if appropriate, they will be removed from our Developer Program completely. We are continuously evaluating the cases of misuse and are prepared to take immediate action.”

TechCrunch asked Guardian Mobile Firewall’s security expert Will Strafach to look at the apps we found and their Certificates. Strafach’s initial analysis of the apps didn’t find any glaring evidence that the apps misappropriate data, but they all do violate Apple’s Certificate policies and provide content banned from the App Store. “At the moment, I have noticed that action is slower regarding apps available from an independent website and not these easy-to-scrape app directories” that occasionally crop up offering centralized access to a plethora of sideloaded apps.

Porn app AVBobo uses an Enterprise Certificate registered to Fresno’s Chaney Cabinet & Furniture Co

Strafach explained how “A significant number of the Enterprise Certificates used to sign publicly available apps are referred to informally as ‘rogue certificates’ as they are often not associated with the named company. There are no hard facts to confirm the manner in which these certificates originate, but the result of the initial step is that individuals will gain control of an Enterprise Certificate attributable to a corporation, usually China/HK-based. Code services are then sold quietly on Chinese language marketplaces, resulting in sometimes 5 to 10 (or more) distinct apps being signed with the same Enterprise Certificate.” We found Sungate and Mohajer Certificates were farmed out for use by multiple apps in this way.

“In my experience, Enterprise Certificate signed apps available on independent websites have not been harmful to users in a malicious sense, only in the sense that they have broken the rules,” Strafach notes. “Enterprise Certificate signed apps from these Chinese ‘helper’ tools, however, have been a mixed bag. For example, in multiple cases, we have noticed such apps with additional tracking and adware code injected into the original now-repackaged app being offered.”

Porn apps like Swag openly advertise their availability on iOS

Interestingly, none of the off-limits apps we discovered asked users to install a VPN like Google Screenwise, let alone root network access like Facebook Research. TechCrunch reported this month that both apps had been paying users to snoop on their private data. But the iOS versions were banned by Apple after we exposed their policy violations, and Apple also caused chaos at Facebook and Google’s offices by temporarily shutting down their employee-only iOS apps too. The fact that these two U.S. tech giants were more aggressive about collecting user data than shady Chinese porn and gambling apps is telling. “This is a cat-and-mouse game,” Strafach concluded regarding Apple’s struggle to keep out these apps. But given the rampant abuse, it seems Apple could easily add stronger verification processes and more check-ups to the Enterprise Certificate program. Developers should have to do more to prove their apps’ connection with the Certificate holder, and Apple should regularly audit certificates to see what kind of apps they’re powering.

Back when Facebook missed Cambridge Analytica’s abuse of its app platform, Cook was asked what he’d do in Mark Zuckerberg’s shoes. “I wouldn’t be in this situation” Cook frankly replied. But if Apple can’t keep porn and casinos off iOS, perhaps Cook shouldn’t be lecturing anyone else.

This 3D-printed soft robotic hand beat the first level of Super Mario Bros.

A team led by University of Maryland mechanical engineering Professor Ryan Sochol has created a soft robotic hand agile enough to manipulate a game controller.

A team of engineers at the University of Maryland has built a three-fingered soft robotic hand that is sufficiently agile to be able to manipulate the buttons and directional pad on a Nintendo controller—even managing to beat the first level of Super Mario Bros. as proof of concept, according to a recent paper published in the journal Science Advances. The same team also built two soft robotic turtles (the terrapin turtle is UMD’s official mascot) using the same multimaterial 3D-printing process that produced the robotic hand.

We traditionally think of robots as being manufactured out of hard, rigid materials, but the subfield of soft robotics takes a different approach. It seeks to build robotic devices out of more flexible materials that mimic the properties of those found in living animals. There are huge advantages to be gained by making the entire body of a robot out of soft materials, such as being flexible enough to squeeze through tight spaces to hunt for survivors after a disaster. Soft robots also hold strong potential as prosthetics or biomedical devices. Even rigid robots rely on some soft components, such as foot pads that serve as shock absorbers or flexible springs to store and release energy.

Harvard researchers built an octopus-inspired soft robot in 2016 that was constructed entirely out of flexible materials. But soft robots are more difficult to control precisely because they are so flexible. In the case of the “octobot,” the researchers replaced the rigid electronic circuits with microfluidic circuits. Such circuits involve regulating the flow of water (hydraulics) or air (pneumatics), rather than electricity, through the circuit’s microchannels, enabling the robot to bend and move.

Although this solution is ingenious, it brings its own set of challenges. These include the high cost (clean room facilities are required) and time necessary to fabricate those microfluidic systems and then integrate them with the system as a whole. “Recently, several groups have tried to harness fluidic circuits to enhance the autonomy of soft robots,” said co-author Ruben Acevedo. “But the methods for building and integrating those fluidic circuits with the robots can take days to weeks, with a high degree of manual labor and technical skill.”

As an undergraduate, Acevedo worked in the lab of University of Maryland mechanical engineer Ryan D. Sochol, who was interested in moving beyond having to manually connect fluidic circuitry components to soft robots in favor of embedding these functions directly in the soft robotic systems. His team found the answer in PolyJet 3D printing, in which several different layers of materials are stacked on top of each other. The printer sets down one liquid layer, lets it solidify, then sets down the next layer, and so on.

University of Maryland mechanical engineer Ryan D. Sochol shows off his team’s soft robotic hand.

“The incorporation of materials that differ in rigidity serves to enhance performance by allowing the material properties of specific features to be tailored to complement desired functionalities,” Sochol et al. wrote in their paper. Components like diaphragms and O-rings must be able to deform during operation, so a soft rubber-like material was used to make them, while a more rigid, plastic-like material was chosen to make components that need to be stable (fluidic channels, access ports, and structural casings, for instance). Finally, the team used a water-soluble material to serve as scaffolding during the printing process, which was then removed from both the exterior and internal voids and channels—first by dissolving the stuff with water, then manually removing whatever scaffolding material remained.

Microfluidically controlled soft robots typically require distinct control inputs for every independently operated soft actuator. By integrating the fluidic circuit, the UMD team could operate the hand by varying the pressure strength between low, medium, and high. In other words, a single source of fluid could send different signals just by changing the pressure, so that each finger could move independently. Even better, the one-step 3D-printing process for the hand and the two turtle-bots—encompassing soft actuators (moving parts), the fluidic circuits, and robot body—took a matter of hours, not days or weeks.

The team tested the performance of the robotic hand by having it play Super Mario Bros. To make Mario walk, the team used a low pressure, so only the first finger pressed the controller. The researchers used a medium pressure to make Mario run and a high pressure to make the hand press the correct button on the controller to get Mario to jump.

The soft robotic hand plays a round of Super Mario Bros.

As for why they chose Super Mario Bros., Sochol told Scientific American that it was the very first Nintendo game he had played as a child. But the choice wasn’t just a matter of nostalgia. The timing and specifics of the game are well-established; the robot hand simply needed to time its responses in accordance with the preprogrammed moves. And there are actual consequences for failure: a single mistake will cost Mario a life. The hand performed so well, it was able to successfully beat the first level of the game in less than 90 seconds.

“We are freely sharing all of our design files so that anyone can readily download, modify on demand, and 3D print—whether with their own printer or through a printing service like us— all of the soft robots and fluidic circuit elements from our work,” said Sochol, who estimates that printing one’s own soft robots would cost about $100 using the team’s software on GitHub. “It is our hope that this open-source 3D printing strategy will broaden accessibility, dissemination, reproducibility, and adoption of soft robots with integrated fluidic circuits and, in turn, accelerate advancement in the field.”

DOI: Science Advances, 2021. 10.1126/sciadv.abe5257.

How one game’s delisting pokes a hole in the Xbox Game Pass promise

Another sim racer bites the dust—and this time without a new one in its place.

Microsoft has long boasted about the backward compatibility of its Xbox consoles, letting you play hundreds of past-gen games on newer systems like the Series X/S. But the game publisher and console maker is quieter about taking older games down from its digital storefronts—and this week’s latest casualty, in the form of a popular first-party game, presents problems for Xbox’s recent sales pitches.

On paper, the basic announcement may look humdrum to savvy modern-gaming fans. Starting September 15, 2021, the sim racing game Forza Motorsport 7 will no longer be available on Xbox’s digital download shops. That date marks roughly four years past the game’s 2017 launch on Xbox One consoles, and “four years” is key. Since the Xbox Live download store has been in operation, other Forza games, both in the Motorsport and Horizon camps, have been delisted at a nearly identical cadence. This suggests that the game’s car licenses factor into the cutoff dates.

Knocked out of the usual lineup

Look closely enough at major licenses in classic video games and you’ll see a similar trend. Arguably the most prominent early example came when Nintendo began reprinting copies of its 1987 sports-action classic Punch-Out!! in 1990 without re-upping its original license deal with Mike Tyson, and it’s not uncommon to see publishers either strip licenses from older games or give up on them altogether. For most of the modern gaming industry’s history, four-year-old games have usually been relegated to bargain bins—especially if they receive regular sequels—so such a licensing term doesn’t seem egregious.

FM7 is a different story, however, for a few reasons.

One is that the series’ regular sequel cadence has come to a grinding halt. Series creator Turn 10 Studios usually spends a few years between entries, a fact masked somewhat by the introduction of Forza Horizon, the series’ arcade-minded, open-world jelly to Motorsport’s sim-focused peanut butter. Microsoft would publish a new Motorsport game, then a new Horizon, and repeat. That schedule also guaranteed that, when an older game was delisted, a newer version was usually there to take its place.

Thanks to that historic release tempo, a new Motorsport seemed right around the corner. Horizon 4 arrived in 2019, and one year later, the Xbox Series X/S debut included “real gameplay” teases of an upcoming Motorsport sequel.

But this year, during the usual June hype cycle, Forza Motorsport didn’t pull up to the starting line. Instead, an ahead-of-schedule Horizon 5 appeared with a November 2021 release date. As a result, when FM7 is delisted on September 15, there won’t be a newer Motorsport game available to purchase via Xbox Live for the first time in that storefront’s existence.

A rare content lapse in a Game Pass era

Arguably the bigger differentiator this time is an entirely new sales proposition for all things Xbox: the Game Pass subscription service. FM7’s delisting means it will vanish from Game Pass and leave a car-sim-sized hole, proving that Microsoft won’t always have “at least one” sim racer available for people who subscribe to Game Pass for the promise of premier, first-party game access. (To be clear, that very differentiation is one reason Game Pass’s reputation has taken off compared to Sony’s similar PlayStation Now service.) No other first-party Xbox series is similarly subject to license expirations and delistings, which is why the service still offers every title from Microsoft-published series like Gears of War, Halo, and Fable.

If you’re paying attention and want to lock down future FM7 access right now, you can buy the “standard” edition for $10 (which includes every racetrack) or the “ultimate” edition for $20 (which includes most of the game’s add-on cars). Buying either now means you’ll still be able to access the game’s online and offline modes after September 15, and the same goes for existing owners of FM7’s disc and digital versions.

FM7’s Game Pass version is the “standard” one, and if you had previously bought any DLC for the game as a Game Pass user, you’ll soon get a notification within Xbox’s interface of a “token” that lets you own FM7 outright once it’s delisted. That token concept suggests that perhaps Microsoft could have given away tokens to anyone who has recently played FM7 via Game Pass. Speaking of retail specifics: FM7 will go down in history as the most microtransaction-laden Motorsport entry to date. The developers rectified those issues after launch, at least, but it’s still a reminder to future Forza buyers that any games-as-a-service approach comes with potential support shutdowns (though, again, FM7 will still continue working in both offline and online modes until further notice).

What’s arguably annoying for existing, savvy Xbox users may prove all the more confusing and unclear for future, brand-new console buyers—not to mention anyone who dips their toes into Xbox Game Streaming and notices that its selection of cloud-streamed games is limited to “active” Game Pass Ultimate games. As game-purchase expectations transition from “buy the disc and own it forever” to “convenient subscriptions,” FM7-sized potholes are likely to become more common and more frustrating.

Putting the PS5’s 10 million sales in context

When Sony announced Monday that it had sold 10 million PS5 consoles to consumers, it trumpeted the system as “the fastest-selling console in Sony Interactive Entertainment history.” That statement certainly sounds impressive, but it lacks the specificity we need to judge just how impressive the PS5’s sales have been so far (despite component shortages that could make the system hard to find into next year).

To add more context to Sony’s announcement, we looked at how quickly some other recent consoles took to sell their first 10 million systems worldwide. While different launch dates and staggered international launches skew some of these comparisons, the data overall shows how the PS5 is selling as fast or faster than some of the most popular consoles of the recent past.

We also looked at newly revealed sales data for PS5 exclusives Returnal and Ratchet & Clank: Rift Apart and compared their sales rates to similar early system-sellers on the Switch.

Sales rates for first ~10M sales

Sony

  • PS1 – 7,723 / day (11.5M in 1,489 days)
  • PS2 – 27,066 / day (10.61M in 392 days)
  • PS3 – 25,373 / day (10.53M in 415 days)
  • PS4 – 37,313 / day (10M in 268 days)
  • PS5 – 40,322 / day (10M in 248 days)

Nintendo

  • GameCube – 15,345 / day (10.45M in 681 days)
  • Wii – 41,569 / day (9.27M in 233 days)
  • Wii U – 10,492 / day (10.01M in 954 days)
  • Switch – 35,211 / day (10M in 284 days)

Microsoft

  • Xbox – 15,878 / day (9.4M in 592 days)
  • Xbox 360 – 24,752 / day (10M shipped in 404 days)
  • Xbox One – 28,169 / day (~10M shipped in 355 days)

PlayStation sales milestones

PS5

  • 4.5M – 49 days
  • 7.8M – 139 days
  • 10M – 248 days

PS4

  • 2.1M – 18 days
  • 4.2M – 46 days
  • 5.3M – 85 days
  • 7M – 142 days
  • 10M – 268 days

PS3

  • 1.68M – 50 days
  • 3.61M – 140 days
  • 4.32M – 231 days
  • 5.63M – 323 days
  • 10.53M – 415 days

Software sales rates

Software sales as a percent of total hardware sales, measured nine to 10 months after launch:

PS5

  • 5.6% – Returnal
  • 11% – Ratchet and Clank: Rift Apart

Switch
