Low-Code Development

Recently there have been a number of news articles about Apple pulling Facebook's and Google's apps, which impacted both companies' internal operations.

What happened?

In the cases above, the organizations had been misusing their Apple Enterprise Developer certificates to provide apps to consumers, bypassing the App Store and breaking Apple's terms of service.

Apple revoked the Enterprise certificates issued to those organizations, which effectively blocked every enterprise app they had signed with them from running on any iOS device, including the internal apps their own employees rely on.

How does it work?

Apple uses cryptographic code signing to ensure that only authorized applications can run on iOS devices.

For an app to run on an iOS device it must be signed with a certificate issued by Apple and carry a provisioning profile, also issued by Apple, that ties that certificate to the app and to the devices it may run on.

When an application is launched for the first time its signature is validated; if the application (or any of its embedded frameworks) is unsigned, or its certificate has a problem (expired or revoked), the application will not run.

The check is repeated periodically after the first launch, so if a device is offline for an extended period of time applications may stop launching because the device can no longer verify the validity of the certificate. Details can be found here.

There are two developer programs: the Apple Developer Program and the Apple Developer Enterprise Program.

The main difference between them is that the Enterprise program gives the organization the capability to distribute applications without going through the App Store. Applications signed with a certificate and provisioning profile for "Enterprise" (in-house) distribution can run on any iOS device, with no device registration; the only gate is that the user must explicitly trust the developer in the device settings before the first launch.
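The distribution type of an app can be read from the provisioning profile (embedded.mobileprovision) inside its .ipa. The script below is an added example, not code from the original post: it pulls the XML plist out of the CMS-signed profile, classifies the profile as enterprise (in-house), ad hoc, development or App Store, and reports whether it has expired. The sample profiles are constructed for the example (fake team, bundle IDs and UDID), and the extraction deliberately does not verify the CMS signature; on macOS, `security cms -D -i embedded.mobileprovision` decodes and verifies it.

```python
"""Triage an iOS app's embedded.mobileprovision: how was it distributed, is it still valid?"""
import plistlib
from datetime import datetime, timezone


def extract_plist(raw: bytes) -> dict:
    """Pull the XML plist out of a CMS (PKCS#7) signed provisioning profile.

    The plist sits uncompressed inside the DER wrapper, so locating the XML
    markers is enough for triage. NOTE: this does NOT verify the CMS signature.
    """
    start = raw.find(b"<?xml")
    end = raw.find(b"</plist>")
    if start == -1 or end == -1 or end < start:
        raise ValueError("no plist payload found in profile")
    return plistlib.loads(raw[start:end + len(b"</plist>")])


def classify(profile: dict, now=None) -> dict:
    """Describe the distribution method and validity of a decoded profile."""
    now = now or datetime.now(timezone.utc)
    entitlements = profile.get("Entitlements", {})
    # In-house (Enterprise) profiles carry ProvisionsAllDevices; ad hoc and
    # development profiles list specific device UDIDs; App Store profiles have neither.
    if profile.get("ProvisionsAllDevices"):
        kind = "enterprise (in-house)"
    elif "ProvisionedDevices" in profile:
        kind = "development" if entitlements.get("get-task-allow") else "ad hoc"
    else:
        kind = "app store"
    expires = profile["ExpirationDate"]
    if expires.tzinfo is None:  # plistlib returns naive datetimes, which are UTC
        expires = expires.replace(tzinfo=timezone.utc)
    return {
        "kind": kind,
        "team": profile.get("TeamName"),
        "team_id": (profile.get("TeamIdentifier") or [None])[0],
        "app_id": entitlements.get("application-identifier"),
        "expires": expires.isoformat(),
        "expired": expires <= now,
    }


def triage(raw: bytes, now=None) -> dict:
    """Convenience wrapper: raw embedded.mobileprovision bytes -> triage dict."""
    return classify(extract_plist(raw), now)


def fake_profile(fields: dict) -> bytes:
    """Constructed stand-in for a real profile: a few DER-looking bytes around the plist.

    A real embedded.mobileprovision is a full CMS structure carrying the signing
    certificates; this wrapper only mimics the layout extract_plist() relies on.
    """
    return b"\x30\x82\x0f\x00" + plistlib.dumps(fields) + b"\x00" * 8


# Constructed samples (no real team, app or certificate data).
SAMPLE_INHOUSE = fake_profile({
    "Name": "Example In-House Distribution",
    "TeamName": "Example Corp",
    "TeamIdentifier": ["ABCDE12345"],
    "ProvisionsAllDevices": True,  # the marker of an Enterprise profile
    "CreationDate": datetime(2019, 1, 1),
    "ExpirationDate": datetime(2020, 1, 1),  # already expired
    "Entitlements": {
        "application-identifier": "ABCDE12345.com.example.internal",
        "get-task-allow": False,
    },
})

SAMPLE_ADHOC = fake_profile({
    "Name": "Example Ad Hoc",
    "TeamName": "Example Corp",
    "TeamIdentifier": ["ABCDE12345"],
    "ProvisionedDevices": ["00008030-000000000000002E"],  # constructed UDID
    "CreationDate": datetime(2024, 1, 1),
    "ExpirationDate": datetime(2099, 1, 1),
    "Entitlements": {
        "application-identifier": "ABCDE12345.com.example.beta",
        "get-task-allow": False,
    },
})

if __name__ == "__main__":
    for label, raw in (("in-house", SAMPLE_INHOUSE), ("ad hoc", SAMPLE_ADHOC)):
        print(label, triage(raw))
```

To use it on a real app: `unzip -p App.ipa 'Payload/*.app/embedded.mobileprovision'` and pass the bytes to `triage()`. An app that reports `enterprise (in-house)` but was obtained from a consumer-facing website is exactly the misuse the post describes.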

Why does this matter?

A misused Enterprise Developer certificate is an effective way of getting malware onto iOS devices: applications distributed this way never go through the App Store review process, so they may contain malicious code or pose a number of other threats to individual and organizational data, as in the example below:

https://techcrunch.com/2019/04/08/iphone-spyware-certificate/amp/

How does Apple control the way Enterprise certificates are issued?

In order to obtain an Enterprise Developer certificate and sign an application for "Enterprise" distribution, the developer must be a member of the Apple Developer Enterprise Program.

Apple takes a number of steps to validate the real-world identity of each organization signing up for the program (Enterprise membership is only available to organizations, not to individuals) to ensure that it is a real business:

  • Organization must be a legal entity with 100 or more employees
  • Organization must have a DUNS number
  • Organization must have a website

All requirements are outlined here 

Both developer programs also charge an annual fee: $99 for the Developer Program and $299 for the Enterprise Developer Program.

What can I do as an organization to protect my apps and data?

To ensure that your Enterprise developer certificate does not get revoked:

Follow the Apple Developer Program License Agreement: distribute in-house applications only to your own employees, never outside of your organization.

To ensure that your users don't install third-party "Enterprise" apps on their devices, enable the following restrictions via your MDM (both apply to supervised devices only):

Disallow trusting new enterprise app authors (the user can no longer approve a new enterprise developer in the device settings, so apps signed by anyone other than already-trusted developers will not launch)

Disallow installing configuration profiles (the user can no longer manually install profiles or certificates; profiles pushed by your MDM are still installed)
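In a configuration profile these two settings are the Restrictions payload keys `allowEnterpriseAppTrust` and `allowUIConfigurationProfileInstallation`, both set to false. The code below is an added example, not from the original post or from any MDM vendor: it builds such a profile with `plistlib` and audits an exported profile for the two keys, treating an absent key as the permissive default. Organization name, payload identifiers and the "weak" sample profile are constructed for the example.

```python
"""Build and audit an MDM Restrictions payload that blocks third-party enterprise apps."""
import plistlib
import uuid

# Restrictions payload (PayloadType com.apple.applicationaccess) keys behind the
# two MDM settings. Both are supervised-only restrictions.
#   allowEnterpriseAppTrust = False               -> "Disallow trusting new enterprise app authors"
#   allowUIConfigurationProfileInstallation = False -> "Disallow installing configuration profiles"
REQUIRED_RESTRICTIONS = {
    "allowEnterpriseAppTrust": False,
    "allowUIConfigurationProfileInstallation": False,
}


def build_restrictions_profile(org: str = "Example Corp",
                               identifier: str = "com.example.mdm.restrictions") -> bytes:
    """Return a .mobileconfig (XML plist) that applies REQUIRED_RESTRICTIONS."""
    restrictions_payload = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{identifier}.applicationaccess",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Restrictions",
        **REQUIRED_RESTRICTIONS,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{org} - block untrusted enterprise apps",
        "PayloadOrganization": org,
        "PayloadContent": [restrictions_payload],
    }
    return plistlib.dumps(profile)


def audit_profile(mobileconfig: bytes) -> list:
    """List the required restrictions that a profile fails to enforce.

    Restrictions combine to the most restrictive value, so a key is effectively
    enforced if any Restrictions payload in the profile sets it to False.
    """
    profile = plistlib.loads(mobileconfig)
    restrictions = [p for p in profile.get("PayloadContent", [])
                    if p.get("PayloadType") == "com.apple.applicationaccess"]
    if not restrictions:
        return ["no com.apple.applicationaccess payload"]
    findings = []
    for key, want in REQUIRED_RESTRICTIONS.items():
        effective = all(p.get(key, True) for p in restrictions)  # absent key = allowed
        if effective != want:
            findings.append(f"{key} is not {want}")
    return findings


# Constructed "weak" profile: a Restrictions payload that never mentions the two keys.
WEAK_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.mdm.weak",
    "PayloadUUID": "00000000-0000-4000-8000-000000000001",
    "PayloadDisplayName": "Weak restrictions (constructed sample)",
    "PayloadContent": [{
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.weak.applicationaccess",
        "PayloadUUID": "00000000-0000-4000-8000-000000000002",
        "PayloadDisplayName": "Restrictions",
        "allowCamera": False,  # unrelated restriction; the two we care about are absent
    }],
})

if __name__ == "__main__":
    print(build_restrictions_profile().decode())
    print("hardened:", audit_profile(build_restrictions_profile()))
    print("weak:", audit_profile(WEAK_PROFILE))
```

The hardened profile audits clean; the weak one reports both keys as not enforced. Exporting your MDM's restriction profiles and running `audit_profile()` over them is a quick way to confirm the two settings actually reached the devices rather than only being ticked in a console.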