Apple fails to block porn & gambling ‘Enterprise’ apps – TechCrunch


Facebook and Google were far from the only developers openly abusing Apple’s Enterprise Certificate program meant for companies offering employee-only apps. A TechCrunch investigation uncovered a dozen hardcore pornography apps and a dozen real-money gambling apps that escaped Apple’s oversight. The developers passed Apple’s weak Enterprise Certificate screening process or piggybacked on a legitimate approval, allowing them to sidestep the App Store and Cupertino’s traditional safeguards designed to keep iOS family-friendly. Without proper oversight, they were able to operate these vice apps that blatantly flaunt Apple’s content policies.

The situation is further evidence that Apple has been neglecting its responsibility to police the Enterprise Certificate program, leading to its exploitation to circumvent App Store rules and forbidden categories. For a company whose CEO Tim Cook frequently criticizes its competitors for data misuse and policy fiascos like Facebook’s Cambridge Analytica, Apple’s failure to catch and block these porn and gambling apps demonstrates it has work to do itself.

Porn apps PPAV and iPorn (iP) continue to abuse Apple’s Enterprise Certificate program to sidestep the App Store’s ban on pornography. Nudity censored by TechCrunch


TechCrunch broke the news last week that Facebook and Google had broken the rules of Apple’s Enterprise Certificate program to distribute apps that installed VPNs or demanded root network access to collect all of a user’s traffic and phone activity for competitive intelligence. That led Apple to briefly revoke Facebook and Google’s Certificates, thereby disabling the companies’ legitimate employee-only apps, which caused office chaos.

Apple issued a fiery statement that “Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.” Meanwhile, dozens of prohibited apps were available for download from shady developers’ websites.

Apple offers a lookup tool for finding any business’ D-U-N-S number, allowing shady developers to forge their Enterprise Certificate application

The problem starts with Apple’s lax standards for accepting businesses to the enterprise program. The program is for companies to distribute apps only to their employees, and its policy explicitly states “You may not use, distribute or otherwise make Your Internal Use Applications available to Your Customers.” Yet Apple doesn’t adequately enforce these policies.

Developers simply have to fill out an online form and pay $299 to Apple, as detailed in this guide from Calvium. The form merely asks developers to pledge they’re building an Enterprise Certificate app for internal employee-only use, that they have the legal authority to register the business, provide a D-U-N-S business ID number and have an up-to-date Mac. You can easily Google a business’ address details and look up their D-U-N-S ID number with a tool Apple provides. After setting up an Apple ID and agreeing to its terms of service, businesses wait one to four weeks for a phone call from Apple asking them to reconfirm they’ll only distribute apps internally and are authorized to represent their business.

With just a few lies on the phone and web plus some Googleable public information, sketchy developers can get approved for an Apple Enterprise Certificate.

Real-money gambling apps openly advertise that they have iOS versions available that abuse the Enterprise Certificate program

Given the number of policy-violating apps that are being distributed to non-employees using registrations for businesses unrelated to their apps, it’s clear that Apple needs to tighten the oversight on the Enterprise Certificate program. TechCrunch found thousands of sites offering downloads of “sideloaded” Enterprise apps, and investigating just a sample uncovered numerous abuses. Using a standard un-jailbroken iPhone, TechCrunch was able to download and verify 12 pornography and 12 real-money gambling apps over the past week that were abusing Apple’s Enterprise Certificate system to offer apps prohibited from the App Store. These apps either offered streaming or pay-per-view hardcore pornography, or allowed users to deposit, win and withdraw real money — all of which would be prohibited if the apps were distributed through the App Store.

A whole screen of prohibited sideloaded porn and gambling apps TechCrunch was able to download through the Enterprise Certificate system

In an apparent effort to step up policy enforcement in the wake of TechCrunch’s investigation into Facebook and Google’s Enterprise Certificate violations, Apple appears to have disabled some of these apps in the past few days, but many remain operational. The porn apps we discovered that are currently functional include Swag, PPAV, Banana Video, iPorn (iP), Pear, Poshow and AVBobo, while the currently functional gambling apps include RD Poker and RiverPoker.

The Enterprise Certificates for these apps were rarely registered to company names related to their true purpose. The only example was Lucky8 for gambling. Many of the apps used innocuous names like Interprener, Mohajer International Communications, Sungate and AsianLiveTech. Yet others seemed to have forged or stolen credentials to sign up under the names of completely unrelated but legitimate businesses. Dragon Gaming was registered to U.S. gravel supplier CSL-LOMA. As for porn apps, PPAV’s certificate is assigned to the Nanjing Jianye District Information Center, Douyin Didi was licensed under Moscow motorcycle company Akura OOO, Chinese app Pear is registered to Grupo Arcavi Sociedad Anonima in Costa Rica and AVBobo covers its tracks with the name of a Fresno-based company called Chaney Cabinet & Furniture Co.

You can see a full list of the policy-violating apps we found:

Apple refused to explain how these apps slipped into the Enterprise Certificate app program. It declined to say whether it does any follow-up compliance audits on developers in the program or whether it plans to change its admission process. An Apple spokesperson did provide this statement, though, indicating it will work to shut down these apps and potentially ban the developers from building iOS products entirely:

“Developers that abuse our enterprise certificates are in violation of the Apple Developer Enterprise Program Agreement and will have their certificates terminated, and if appropriate, they will be removed from our Developer Program completely. We are continuously evaluating the cases of misuse and are prepared to take immediate action.”

TechCrunch asked Guardian Mobile Firewall’s security expert Will Strafach to look at the apps we found and their Certificates. Strafach’s initial analysis of the apps didn’t find any glaring evidence that the apps misappropriate data, but they all do violate Apple’s Certificate policies and provide content banned from the App Store. “At the moment, I have noticed that action is slower regarding apps available from an independent website and not these easy-to-scrape app directories” that occasionally crop up offering centralized access to a plethora of sideloaded apps.

Porn app AVBobo uses an Enterprise Certificate registered to Fresno’s Chaney Cabinet & Furniture Co

Strafach explained how “A significant number of the Enterprise Certificates used to sign publicly available apps are referred to informally as ‘rogue certificates’ as they are often not associated with the named company. There are no hard facts to confirm the manner in which these certificates originate, but the result of the initial step is that individuals will gain control of an Enterprise Certificate attributable to a corporation, usually China/HK-based. Code services are then sold quietly on Chinese language marketplaces, resulting in sometimes 5 to 10 (or more) distinct apps being signed with the same Enterprise Certificate.” We found Sungate and Mohajer Certificates were farmed out for use by multiple apps in this way.

“In my experience, Enterprise Certificate signed apps available on independent websites have not been harmful to users in a malicious sense, only in the sense that they have broken the rules,” Strafach notes. “Enterprise Certificate signed apps from these Chinese ‘helper’ tools, however, have been a mixed bag. For example, in multiple cases, we have noticed such apps with additional tracking and adware code injected into the original now-repackaged app being offered.”

Porn apps like Swag openly advertise their availability on iOS

Interestingly, none of the off-limits apps we discovered asked users to install a VPN like Google Screenwise, let alone root network access like Facebook Research. TechCrunch reported this month that both apps had been paying users to snoop on their private data. But the iOS versions were banned by Apple after we exposed their policy violations, and Apple also caused chaos at Facebook and Google’s offices by temporarily shutting down their employee-only iOS apps too. The fact that these two U.S. tech giants were more aggressive about collecting user data than shady Chinese porn and gambling apps is telling. “This is a cat-and-mouse game,” Strafach concluded regarding Apple’s struggle to keep out these apps. But given the rampant abuse, it seems Apple could easily add stronger verification processes and more check-ups to the Enterprise Certificate program. Developers should have to do more to prove their apps’ connection with the Certificate holder, and Apple should regularly audit certificates to see what kind of apps they’re powering.
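Strafach’s description of one rogue certificate signing many unrelated apps, and the closing call for Apple to audit what its certificates are powering, can be turned into a check a device-management or security team can run over the embedded.mobileprovision files of sideloaded apps. This is an added example, not TechCrunch’s, Guardian’s or Apple’s code: the sample profiles, team ids and bundle ids are constructed placeholders, and pulling the plist out between “<?xml” and “</plist>” is a common extraction shortcut that does not verify Apple’s signature over the profile.

```python
import plistlib
from collections import defaultdict

# Added example: an embedded.mobileprovision is a CMS (PKCS#7) blob wrapping an
# XML plist. Slicing the plist out by its markers skips signature verification.

def extract_plist(blob: bytes) -> dict:
    """Pull the XML plist payload out of a provisioning profile and parse it."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no plist payload found in provisioning profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def classify(profile: dict) -> str:
    """In-house (enterprise) profiles set ProvisionsAllDevices; ad-hoc and
    development profiles list device UDIDs; App Store profiles have neither."""
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"
    if profile.get("ProvisionedDevices"):
        return "adhoc-or-development"
    return "appstore"

def bundle_id(profile: dict) -> str:
    """application-identifier is "<TEAMID>.<bundle id>"; drop the team prefix."""
    app_id = profile["Entitlements"]["application-identifier"]
    return app_id.split(".", 1)[1]

def audit(blobs, threshold=3) -> dict:
    """Group enterprise-signed apps by TeamIdentifier and report every team
    whose certificate signs at least `threshold` distinct bundle ids, the
    'one rogue certificate, many apps' pattern described in the article."""
    by_team = defaultdict(set)
    team_names = {}
    for blob in blobs:
        profile = extract_plist(blob)
        if classify(profile) != "enterprise":
            continue
        team = profile["TeamIdentifier"][0]
        by_team[team].add(bundle_id(profile))
        team_names[team] = profile.get("TeamName", "?")
    return {team: {"team_name": team_names[team], "bundle_ids": sorted(ids)}
            for team, ids in by_team.items() if len(ids) >= threshold}

def _constructed_profile(team_id, team_name, bundle, enterprise=True) -> bytes:
    """Constructed sample: a plist wrapped in junk bytes standing in for the
    CMS envelope. Team ids, names and bundle ids are placeholders."""
    plist = {
        "Name": f"{bundle} profile",
        "TeamName": team_name,
        "TeamIdentifier": [team_id],
        "Entitlements": {"application-identifier": f"{team_id}.{bundle}"},
    }
    if enterprise:
        plist["ProvisionsAllDevices"] = True
    else:
        plist["ProvisionedDevices"] = ["00000000-CONSTRUCTED-UDID"]
    return b"\x30\x82\x10\x00" + plistlib.dumps(plist) + b"\x00\x00"

SAMPLE_PROFILES = [  # constructed: one team "powering" three unrelated apps
    _constructed_profile("AAAA111111", "Unrelated Gravel Co (constructed)", "com.example.video1"),
    _constructed_profile("AAAA111111", "Unrelated Gravel Co (constructed)", "com.example.poker"),
    _constructed_profile("AAAA111111", "Unrelated Gravel Co (constructed)", "com.example.video2"),
    _constructed_profile("BBBB222222", "Example Corp (constructed)", "com.example.internal"),
    _constructed_profile("CCCC333333", "Dev Team (constructed)", "com.example.beta", enterprise=False),
]
```

On a managed fleet the same grouping, run over the profiles of every installed app, surfaces a single enterprise team name attached to bundle ids that have nothing to do with the registered business.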

Back when Facebook missed Cambridge Analytica’s abuse of its app platform, Cook was asked what he’d do in Mark Zuckerberg’s shoes. “I wouldn’t be in this situation,” Cook frankly replied. But if Apple can’t keep porn and casinos off iOS, perhaps Cook shouldn’t be lecturing anyone else.


The best game-exploiting speedruns of Summer Games Done Quick 2022


All four of the mascots seen in this SGDQ promo image appear in various speedruns hosted over the past week.

Summer Games Done Quick

The Games Done Quick series of charity events has long been a favorite among the gaming fans and critics at Ars Technica since it combines classic, beloved video games and carefully studied methods to break them apart in search of high-speed exploits.

This year’s summertime installment is particularly special, as it’s the first in 2.5 years to take place at a physical venue—albeit with some of the most stringent masking and distancing requirements we’ve seen in a livestreamed public show in 2022. (GDQ’s organizers appear to read the news, which makes sense for a series that benefits the likes of Doctors Without Borders.) Even with precautions taken, its combination of players, commentators, and crowds in the same room has brought excitement back to its broadcasts, which is why we’re pulling together some of the best runs from the past week, as archived at GDQ’s official YouTube channel.

The event is still ongoing as of this article’s publication, which means you can watch it right now via its Twitch channel. The event’s final runs, dedicated to Elden Ring, will conclude in the late hours on Saturday, July 2.

Tunic speedrun, Summer Games Done Quick 2022

Tunic, 2022, “true ending” run

If you haven’t yet played Tunic, we recommend you pause before watching this game-breaking, spoiler-filled romp through many of its biggest secrets. (My March review of the game has far fewer spoilers.) But if you’ve already collected the game’s slew of hidden “instruction booklet” pages, consider this a must-watch, because it includes a compelling guest on real-time commentary: Andrew Shouldice, the game’s lead designer, programmer, and artist.

He’s joined by a member of the Power-Up Audio team, which worked on the game’s soundtrack, and they divulge tons of information about how the game was made—including confirmation about how many of the biggest exploits were intentionally left by the devs in the game. At one point, Shouldice watches a trick begin to play out, telling the crowd that he programmed it to be a possibility but could never personally trigger it. Moments later, the speedrunner demonstrated the trick, allowing him to warp through a wall and bypass a ton of tricky content.

Halo Infinite speedrun, Summer Games Done Quick 2022

Halo Infinite, 2021, “no tank gun” run

Many classic games’ speedruns include multiple categories, and the most broken ones are known as “any-percent” runs, since they allow players to use any tricks and skip any quests that they want. In certain games’ cases, these kinds of runs can be boring to watch, and the infamously glitchy Halo Infinite is no exception.

This speedrun begins with a demonstration of the “tank gun,” which bolts an unlimited-ammo gun to Master Chief’s feet. That’s too much assistance for speedrunners’ tastes, but this SGDQ demonstration still includes a ton of wacky tricks that combine geometry clipping and otherworldly physics exploits—all boosted by Chief’s immediate access to a new grappling hook item. Sure, the hook makes players move much faster through the world, but it also figures into a wild glitch that makes players bounce off explosive barrels in ways that defy gravity.

Thunder in Paradise speedrun, Summer Games Done Quick 2022

Thunder in Paradise, 1995, all-cutscenes run

We’re not sure whether this is GDQ’s first speedrun dedicated to a full-motion video (FMV) game, but it’s certainly one of the dumber examples of the mid-’90s CD-ROM genre. Thunder in Paradise is based on the short-lived TV series of the same name, which starred Terry “Hulk” Hogan alongside Jack Lemmon’s son as a crime-solving action duo on the beach, and it was as bad as that sounds. The video game version, relegated to the CD-I console, forces players to watch excruciatingly bad live-action footage between light gun shootout sections.

In most video game speedruns, players skip as many cinema scenes as possible, but GDQ elected to show this game’s filmed footage in its entirety while cheesing the gun gameplay parts as quickly as possible. Strap in, brother.


Cuphead expansion pack review: As good as DLC gets


In the new expansion pack The Delicious Last Course, Miss Chalice makes three.

Studio MDHR

Some people will look at an expansion pack like Cuphead: The Delicious Last Course and make up their minds after a single glance. This $8 add-on’s beautiful brutality follows the same path as the original 2017 game Cuphead, a notoriously tough descendant of the Mega Man school of game design. Maybe you love playing games that are as beautiful as they are difficult. Maybe you don’t.

I’m here to talk about Last Course because I might be a lot like you. I’m not Last Course’s target audience. I never beat the original Cuphead. I have contended that a tough game like this is easier for me to watch than it is to play. But when I saw the expansion’s hands-on demo at this month’s Summer Game Fest Play Days, I shrugged my shoulders, grabbed a gamepad, and gave it a shot. Might as well occupy myself between other scheduled game demos, I thought.

And then I fell in love. For whatever reason, the demo I played, and my subsequent completion of Last Course’s “normal” difficulty content, grabbed me and wouldn’t let go—which is why I’m compelled to recommend picking it up.

Another island getaway—with useful new abilities

Miss Chalice can only join the battle when she tricks one of the original main characters to chomp on a magical cookie. This temporarily sends someone else to a ghost realm so that she can join in. The trio goes on a quest to bring her back to life for good, no tricky cookies required.

Studio MDHR

Like many other classic “expansion packs,” Last Course requires owning the original game (which is conveniently on sale at most digital download storefronts between this article’s publication date and July 7) and bolts new content onto Cuphead’s 2D action foundation. The original game divided its 18 boss battles across three “islands” of content, and Last Course adds, among other things, six bosses on a brand-new island.

Miss Chalice's double-jump ability will be useful to get away from those pesky gnomes gathering at her feet.

Studio MDHR

It also introduces a third playable character, named Miss Chalice, and she appears when you equip a Chalice-specific “charm” on either existing character (Cuphead or Mugman). She comes with four points of health by default (compared to three points for the other characters) and three unique abilities: an invincible dodge-roll, a double-jump, and a parry dash. (The latter gives players a larger “hitbox” when attempting the game’s crucial parry maneuver, making it easier to counter enemies’ specially colored attacks.) Since she must be activated as a charm, Miss Chalice can’t equip other charms in the game, and in two-player co-op sessions, only one person can turn their character into Miss Chalice.

As I made clear earlier, I’m not a Cuphead pro, so I was delighted by the new, novice-friendly character when I first tested the game at Summer Game Fest. All of her special abilities are tuned for higher maneuverability to help you contend with the chaos that is an average Cuphead boss battle, and in addition to her extra point of health, she also has a custom “super attack” option that doesn’t do any damage. Instead, it gives her an additional, temporary point of health, and this can be regenerated during long, brutal boss fights. Once she’s unlocked, she’s available in the original campaign’s levels as well, which makes her a nifty entry point for anyone like me who never beat the original campaign.


Thanks to fans, the weirdest official Doom game is now playable on Windows


A seemingly lost turn-based version of Doom RPG is now fully playable on modern Windows PCs, thanks to efforts from the Doom reverse-engineering community.

id Software

The creators of the Doom series have presented plenty of official and unofficial historical retrospectives, but these often leave out the weirdest official Doom game ever made: Doom RPG.

Even id Software’s official “Year of Doom” museum at E3 2019 left this 2005 game unchronicled. That’s a shame, because it was a phenomenal example of id once again proving itself a master of technically impressive gaming on a power-limited platform. And platforms don’t get more limited on a power or compatibility basis than the pre-iPhone wave of candy bar handsets, which Doom RPG has been locked to since its original mid-’00s launch. You may think that “turn-based Doom” sounds weird, but Doom RPG stood out as a clever and fun series twist to the first-person shooter formula.

Its abandonment to ancient phones changes today thanks to the reverse-engineering efforts of GEC.inc, a Costa Rica-based collective of at least three developers. On Wednesday, the group released a Windows port of the game based on their work on the original game’s BREW version (a Qualcomm-developed API meant for its wave of mobile phones from 2001 and beyond).

Time for T9

Forget the clunky world of ancient mobile phone platform emulation. Doom RPG feels way better in this week’s new native port.

id Software

GEC.inc’s freely downloadable Windows port has no copyrighted assets and won’t work without the game’s original files. (The same typically goes for other major community efforts that revolve around the reverse-engineering of classic games.) That’s where this whole thing gets tricky, as legitimate access to the game in 2022 is incredibly unlikely. Access requires owning a compatible mid-’00s phone on which the game was purchased, likely via an ancient game-sales marketplace that no longer exists, then extracting the game’s original files from that phone—and that’s assuming its original hardware is functioning and hasn’t been damaged by, say, a slowly expanding lithium-ion battery. id Software has never re-released the game outside of its original platforms (BREW, J2ME), arguably because EA Mobile got a stake in the game after acquiring original publisher Jamdat Mobile.

Whether you’re among the very few to have a preserved, working phone with a purchased copy of the game’s BREW port or you figure out another way to somehow access Doom RPG, you can dump the original game’s data into GEC.inc’s custom asset-translation executable. Ars Technica can confirm that this process is painless and leads to near-instant gameplay on Windows.

The port’s interface is admittedly barebones, made up of menus that require a keyboard to pick through, and its incompatibility with mice and touchpads is startling at first. It’s a hard crash back to the early ’00s to remember that, yes, this game was designed for T9 button arrays by default. Thankfully, the port plays nicely enough with Windows to make it easy to bind an Xinput gamepad via its default menus if you prefer a gamepad (or something like Steam Deck) over the usual WASD options.
