Apple fails to block porn & gambling ‘Enterprise’ apps – TechCrunch

Facebook and Google were far from the only developers openly abusing Apple’s Enterprise Certificate program meant for companies offering employee-only apps. A TechCrunch investigation uncovered a dozen hardcore pornography apps and a dozen real-money gambling apps that escaped Apple’s oversight. The developers passed Apple’s weak Enterprise Certificate screening process or piggybacked on a legitimate approval, allowing them to sidestep the App Store and Cupertino’s traditional safeguards designed to keep iOS family-friendly. Without proper oversight, they were able to operate these vice apps that blatantly flout Apple’s content policies.

The situation shows further evidence that Apple has been neglecting its responsibility to police the Enterprise Certificate program, leading to its exploitation to circumvent App Store rules and forbidden categories. For a company whose CEO Tim Cook frequently criticizes its competitors for data misuse and policy fiascos like Facebook’s Cambridge Analytica, Apple’s failure to catch and block these porn and gambling apps demonstrates it has work to do itself.

Porn apps PPAV and iPorn (iP) continue to abuse Apple’s Enterprise Certificate program to sidestep the App Store’s ban on pornography. Nudity censored by TechCrunch.

TechCrunch broke the news last week that Facebook and Google had broken the rules of Apple’s Enterprise Certificate program to distribute apps that installed VPNs or demanded root network access to collect all of a user’s traffic and phone activity for competitive intelligence. That led Apple to briefly revoke Facebook and Google’s Certificates, thereby disabling the companies’ legitimate employee-only apps, which caused office chaos.

Apple issued a fiery statement that “Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.” Meanwhile, dozens of prohibited apps were available for download from shady developers’ websites.

Apple offers a lookup tool for finding any business’ D-U-N-S number, allowing shady developers to forge their Enterprise Certificate application

The problem starts with Apple’s lax standards for accepting businesses to the enterprise program. The program is for companies to distribute apps only to their employees, and its policy explicitly states “You may not use, distribute or otherwise make Your Internal Use Applications available to Your Customers.” Yet Apple doesn’t adequately enforce these policies.

Developers simply have to fill out an online form and pay $299 to Apple, as detailed in this guide from Calvium. The form merely asks developers to pledge they’re building an Enterprise Certificate app for internal employee-only use and that they have the legal authority to register the business, and to provide a D-U-N-S business ID number and have an up-to-date Mac. You can easily Google a business’ address details and look up their D-U-N-S ID number with a tool Apple provides. After setting up an Apple ID and agreeing to its terms of service, businesses wait one to four weeks for a phone call from Apple asking them to reconfirm they’ll only distribute apps internally and are authorized to represent their business.

With just a few lies on the phone and web plus some Googleable public information, sketchy developers can get approved for an Apple Enterprise Certificate.

Real-money gambling apps openly advertise that they have iOS versions available that abuse the Enterprise Certificate program

Given the number of policy-violating apps that are being distributed to non-employees using registrations for businesses unrelated to their apps, it’s clear that Apple needs to tighten the oversight on the Enterprise Certificate program. TechCrunch found thousands of sites offering downloads of “sideloaded” Enterprise apps, and investigating just a sample uncovered numerous abuses. Using a standard un-jailbroken iPhone, TechCrunch was able to download and verify 12 pornography and 12 real-money gambling apps over the past week that were abusing Apple’s Enterprise Certificate system to offer apps prohibited from the App Store. These apps either offered streaming or pay-per-view hardcore pornography, or allowed users to deposit, win and withdraw real money — all of which would be prohibited if the apps were distributed through the App Store.

A whole screen of prohibited sideloaded porn and gambling apps TechCrunch was able to download through the Enterprise Certificate system

In an apparent effort to step up policy enforcement in the wake of TechCrunch’s investigation into Facebook and Google’s Enterprise Certificate violations, Apple appears to have disabled some of these apps in the past few days, but many remain operational. The porn apps that we discovered which are currently functional include Swag, PPAV, Banana Video, iPorn (iP), Pear, Poshow and AVBobo, while the currently functional gambling apps include RD Poker and RiverPoker.

The Enterprise Certificates for these apps were rarely registered to company names related to their true purpose. The only example was Lucky8 for gambling. Many of the apps used innocuous names like Interprener, Mohajer International Communications, Sungate and AsianLiveTech. Yet others seemed to have forged or stolen credentials to sign up under the names of completely unrelated but legitimate businesses. Dragon Gaming was registered to U.S. gravel supplier CSL-LOMA. As for porn apps, PPAV’s certificate is assigned to the Nanjing Jianye District Information Center, Douyin Didi was licensed under Moscow motorcycle company Akura OOO, Chinese app Pear is registered to Grupo Arcavi Sociedad Anonima in Costa Rica and AVBobo covers its tracks with the name of a Fresno-based company called Chaney Cabinet & Furniture Co.

You can see a full list of the policy-violating apps we found:

Apple refused to explain how these apps slipped into the Enterprise Certificate app program. It declined to say if it does any follow-up compliance audits on developers in the program or if it plans to change the admission process. An Apple spokesperson did provide this statement, though, indicating it will work to shut down these apps and potentially ban the developers from building iOS products entirely:

“Developers that abuse our enterprise certificates are in violation of the Apple Developer Enterprise Program Agreement and will have their certificates terminated, and if appropriate, they will be removed from our Developer Program completely. We are continuously evaluating the cases of misuse and are prepared to take immediate action.”

TechCrunch asked Guardian Mobile Firewall’s security expert Will Strafach to look at the apps we found and their Certificates. Strafach’s initial analysis of the apps didn’t find any glaring evidence that the apps misappropriate data, but they all do violate Apple’s Certificate policies and provide content banned from the App Store. “At the moment, I have noticed that action is slower regarding apps available from an independent website and not these easy-to-scrape app directories” that occasionally crop up offering centralized access to a plethora of sideloaded apps.

Porn app AVBobo uses an Enterprise Certificate registered to Fresno’s Chaney Cabinet & Furniture Co

Strafach explained how “A significant number of the Enterprise Certificates used to sign publicly available apps are referred to informally as ‘rogue certificates’ as they are often not associated with the named company. There are no hard facts to confirm the manner in which these certificates originate, but the result of the initial step is that individuals will gain control of an Enterprise Certificate attributable to a corporation, usually China/HK-based. Code services are then sold quietly on Chinese language marketplaces, resulting in sometimes 5 to 10 (or more) distinct apps being signed with the same Enterprise Certificate.” We found Sungate and Mohajer Certificates were farmed out for use by multiple apps in this way.

“In my experience, Enterprise Certificate signed apps available on independent websites have not been harmful to users in a malicious sense, only in the sense that they have broken the rules,” Strafach notes. “Enterprise Certificate signed apps from these Chinese ‘helper’ tools, however, have been a mixed bag. For example, in multiple cases, we have noticed such apps with additional tracking and adware code injected into the original now-repackaged app being offered.”

Porn apps like Swag openly advertise their availability on iOS

Interestingly, none of the off-limits apps we discovered asked users to install a VPN like Google Screenwise, let alone root network access like Facebook Research. TechCrunch reported this month that both apps had been paying users to snoop on their private data. But the iOS versions were banned by Apple after we exposed their policy violations, and Apple also caused chaos at Facebook and Google’s offices by temporarily shutting down their employee-only iOS apps too. The fact that these two U.S. tech giants were more aggressive about collecting user data than shady Chinese porn and gambling apps is telling. “This is a cat-and-mouse game,” Strafach concluded regarding Apple’s struggle to keep out these apps. But given the rampant abuse, it seems Apple could easily add stronger verification processes and more check-ups to the Enterprise Certificate program. Developers should have to do more to prove their apps’ connection with the Certificate holder, and Apple should regularly audit certificates to see what kind of apps they’re powering.
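The kind of audit suggested above, and the shared "rogue certificate" pattern Strafach describes, can be checked from the defender's side by reading each app's `embedded.mobileprovision` and grouping apps by signing team. The following Python sketch is an added example, not code from TechCrunch, Apple or Strafach; the team IDs, company names and bundle IDs are constructed, and the "two or more unrelated bundle-ID vendors" threshold is an assumption.

```python
import plistlib
from collections import defaultdict

def parse_profile(blob: bytes) -> dict:
    """Pull signer fields out of an embedded.mobileprovision (CMS-wrapped XML plist)."""
    start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
    if start < 0 or end < start:
        raise ValueError("no plist payload found")
    p = plistlib.loads(blob[start:end + len(b"</plist>")])
    app_id = p.get("Entitlements", {}).get("application-identifier", "")
    return {
        "team_id": (p.get("TeamIdentifier") or ["?"])[0],
        "team_name": p.get("TeamName", "?"),
        # In-house (enterprise) profiles set ProvisionsAllDevices to true.
        "enterprise": bool(p.get("ProvisionsAllDevices", False)),
        # application-identifier is "<prefix>.<bundle id>"; drop the prefix.
        "bundle_id": app_id.split(".", 1)[-1],
    }

def vendor(bundle_id: str) -> str:
    """First two reverse-DNS labels, e.g. com.example.app -> com.example."""
    return ".".join(bundle_id.split(".")[:2])

def shared_cert_report(profiles, min_vendors=2):
    """Flag enterprise teams whose profiles cover apps from several unrelated vendors."""
    bundles, names = defaultdict(set), {}
    for prof in profiles:
        if prof["enterprise"]:
            bundles[prof["team_id"]].add(prof["bundle_id"])
            names[prof["team_id"]] = prof["team_name"]
    return [(team, names[team], sorted(ids))
            for team, ids in sorted(bundles.items())
            if len({vendor(i) for i in ids}) >= min_vendors]

def _constructed_profile(team_id, team_name, bundle_id, enterprise=True):
    """Build a fake profile: plist surrounded by stand-in CMS bytes (constructed data)."""
    body = {"TeamIdentifier": [team_id], "TeamName": team_name,
            "Entitlements": {"application-identifier": f"{team_id}.{bundle_id}"}}
    if enterprise:
        body["ProvisionsAllDevices"] = True
    return b"\x30\x82\x0f\x00" + plistlib.dumps(body) + b"\x00\xa0\x82"

SAMPLES = [  # constructed inventory, not taken from the article
    _constructed_profile("AAAAAAAAAA", "Constructed Gravel Supply Co", "com.pokerhall.ios"),
    _constructed_profile("AAAAAAAAAA", "Constructed Gravel Supply Co", "net.videostream.player"),
    _constructed_profile("AAAAAAAAAA", "Constructed Gravel Supply Co", "com.slotsclub.app"),
    _constructed_profile("BBBBBBBBBB", "Constructed Corp", "com.constructedcorp.mail"),
    _constructed_profile("BBBBBBBBBB", "Constructed Corp", "com.constructedcorp.hr"),
    _constructed_profile("CCCCCCCCCC", "Constructed Dev", "org.other.tool", enterprise=False),
]

if __name__ == "__main__":
    for team, name, ids in shared_cert_report(map(parse_profile, SAMPLES)):
        print(f"{team} ({name}) signs unrelated apps: {', '.join(ids)}")
```

A team that signs only its own `com.constructedcorp.*` apps passes, while one certificate covering poker, slots and video apps from different vendors is reported for review.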

Back when Facebook missed Cambridge Analytica’s abuse of its app platform, Cook was asked what he’d do in Mark Zuckerberg’s shoes. “I wouldn’t be in this situation” Cook frankly replied. But if Apple can’t keep porn and casinos off iOS, perhaps Cook shouldn’t be lecturing anyone else.


Microsoft promises Call of Duty for Nintendo consoles in surprise 10-year deal

Aurich Lawson

Nintendo fans hoping that the ultra-popular Call of Duty series would eventually come to the Switch got an unexpected boost last night. That’s when Microsoft’s Xbox chief Phil Spencer announced that the company had reached “a 10-year commitment to bring Call of Duty to Nintendo following the merger of Microsoft and Activision Blizzard King.” The announcement comes alongside a similar announcement promising to keep Call of Duty on Steam for the same period of time.

If the “10-year commitment” part of those announcements sounds familiar, it’s probably because it’s the same length of time Microsoft has reportedly formally offered to keep the Call of Duty franchise on PlayStation consoles. That followed a September offer to keep Call of Duty on PlayStation for three additional years, which Sony called inadequate in public statements. But Spencer has gone much further in his public statements, saying in October that Microsoft would continue to ship a PlayStation Call of Duty “as long as there’s a PlayStation out there to ship to.”

Real ones remember.

The Nintendo announcement is significantly more surprising, though, considering that Call of Duty hasn’t appeared on a Nintendo console since Call of Duty Ghosts hit the Wii U in 2013. That game came one year after Call of Duty: Black Ops 2 became a surprise launch title for the ill-fated console.

Switching things up

From a business perspective, the bestselling Switch is a much more appealing target for Activision and/or Microsoft than the Wii U ever was. But the limited hardware power of the Switch makes Call of Duty something of an awkward fit for a series that’s always aimed for top-of-the-line presentation on modern consoles and PCs.

Then again, limited hardware power didn’t stop a series of scaled-down Call of Duty conversions for the Nintendo DS up through 2011’s Call of Duty: Modern Warfare – Defiance. Other developers have turned to streaming versions to get their high-end games available on the Switch, especially in Japan.

Modern FPS titles from Warface and Doom have seen low-res ports squeezed onto the Switch in recent years with mixed results. But persistent rumors of a more powerful “Switch 2” in the coming years would definitely make any potential Call of Duty ports less of a development lift.

Doom on the Nintendo Switch runs well below 1080p resolution but is still suitably creepy.

The possibility of a Switch version of Call of Duty hasn’t exactly come out of nowhere for Microsoft. At an October Wall Street Journal Live event, Spencer said, “When I think about our plans, I’d love to see [Call of Duty] on Switch and playable on many different screens.” In practically the same breath, though, he said that “this opportunity is really about mobile” and the 3 billion potential customers who could play Call of Duty on a smartphone.

“Microsoft is committed to helping bring more games to more people—however they choose to play,” Spencer said in his Tuesday night announcement.

Two months of Intel Arc driver updates begin to fix low performance in old games

Intel is talking up big performance gains in some old, but noteworthy, games.

Intel

In the run-up to the launch of Intel’s Arc graphics cards, the company emphasized for months that the cards might not perform well in games that didn’t use newer graphics APIs like Vulkan and DirectX 12. The GPUs are actually quite price-competitive with aging midrangers like Nvidia’s GeForce RTX 3060 if you’re playing newer games, but performance in older games is mixed.

For Intel Arc owners attracted to the cards’ price, salvation may come in the form of continued driver updates. Since the October launch of the A770 and A750, Intel has released a handful of driver updates, each of which has fixed specific bugs or provided small performance improvements in individual games. But in today’s beta driver release (31.0.101.3959, for those keeping track), Intel is offering a “significant” boost in older DirectX9 titles, with frame rates that can improve by as much as 80 percent.

DirectX9 was the graphics API of choice in the Windows XP era, and the Windows XP era lasted for a very long time. The API is also used in still-popular multiplayer games like Counter-Strike: Global Offensive, League of Legends, Team Fortress 2, and Starcraft II, making performance improvements in DirectX9 games particularly noteworthy.

Specific performance numbers. This isn’t the difference between playable and unplayable, but they might be noticeable on monitors with super-high refresh rates.

Intel

Because these are pretty old games we’re talking about, these performance improvements aren’t necessary to hit 60 frames per second on the A770 (though the improvements also apply to the entry-level Arc A380 GPU, which might need the extra help). These increases will mostly benefit competitive players, for whom super-high frame rates and low response times are critical. Some of the increases from the new driver are minor, but at 1080p, Intel says Stellaris and Starcraft II frame rates improved by around 50 percent, while League of Legends improved by 37 percent and CS: Go went up by 80 percent.

Intel had previously said it was using a Microsoft-provided translation layer to support DirectX9 games. With these improvements, the company says it’s introducing a “hybrid” approach, using the D3D9On12 layer “when a better experience can be delivered” and a native implementation when it benefits performance. This makes some sense—Intel can use translation for any given 15-year-old DirectX9 PC game while providing a more optimized native implementation for the DirectX9 games that lots of people are still actually playing.

Intel will decide when to switch individual titles over to the native DirectX9 implementation rather than the translated one and will deliver those changes via driver updates along with other improvements.

Diablo IV preview: Embracing the series’ dark past and open-world future

Stop, drop, and roll!

It’s not a stretch to say that the Diablo series is one of the most influential role-playing game franchises of all time. As one of the early action-focused loot games, it offered a deeply compelling and satisfying take on the classic concept of the dungeon crawl. Its many sequels advanced its foundations of rewarding character growth and addictive loot collection. The Diablo games are still well-loved today, but other titles have picked up the baton and taken the genre in new directions.

So with the upcoming Diablo IV, developer Blizzard is seeking to reinvent the classic action RPG, taking the series’ first steps into a dark open world filled to the brim with gruesome violence. While staying true to the game’s isometric action-RPG and dark fantasy roots, Diablo IV brings a more ambitious and freeform adventure, with many new ways to customize your hero as you adventure across the land.

I was able to play over 12 hours of Diablo IV’s opening act in an early beta preview of the game, which showcased its expansive open world and gave a sample of how much power a budding adventurer can attain. It’s already apparent that Diablo IV is less about providing a series of linear dungeon crawls and more about opening the player to a wider world filled with monsters to fight and loot to collect.

Embracing a dark past

Several decades after the defeat of Malthael in Diablo III, things have not improved in the world of Sanctuary. With humanity falling into despair, a desperate group of adventurers seeking loot and power summons the malevolent arch-demon Lilith, who embarks on a brutal campaign to retake the ruined world. With the land poised to plunge even further into darkness, a Barbarian, a Rogue, a Sorceress, a Druid, and a Necromancer take their first steps into Sanctuary. They team up to amass power and infamy, all in pursuit of gaining the strength to defeat Lilith and her army throughout the world of Sanctuary.

According to Diablo IV director Joe Shely, the development team felt it needed a more consistent and striking tone for their trip back to Sanctuary. “[Diablo IV] is much closer to the horror and fantasy roots than recent interactions of the IP,” Shely said during a pre-game presentation. “We want the world of Sanctuary to be scary, challenging, and engaging, but we also want it to be a place worth fighting for. The main theme of the game is ‘hatred.’ Hate will consume Sanctuary and the hearts of our characters, and we will explore its lore and its dire consequences.”

The dark tone of Diablo IV extends to the color palette in scenes like this.

From the game’s opening hours, it was clear that Diablo IV is the series’ darkest and most violent entry. The bloody opening act—filled with undead monsters, human sacrifices, and lots and lots of blood—effectively sets the mood for this grim adventure. If Diablo III was akin to Peter Jackson’s director’s cut of the Lord of the Rings trilogy, Diablo IV is much more in the vein of the dark gothic horror of Bram Stoker’s Dracula.

This dark atmosphere will be familiar to anyone who remembers the first two Diablo games and their vision of a dark, gothic fantasy world. But Diablo IV’s take on the genre feels more brutal and grotesque. The violence and bleak atmosphere of the game can be a lot to take in at times, but it all connects to the more significant vision of a ruined world.
