Monday, February 22, 2016
Chinese devs abuse free Apple app-testing certs to install pirated apps
hidden features that allow users to install pirated apps on non-jailbroken
devices. Its creators took advantage of a relatively new feature that lets
iOS developers obtain free code-signing certificates for limited app
deployment and testing.
In fact, someone was recently selling code on a popular Chinese security
forum that could automatically register Apple IDs and then generate personal
development certificates for them.
"We don't know where the App Store reviewers are located," the Palo Alto
Networks researchers said. "If they are not located in mainland China, this
method could trick them into seeing a legitimate app. Even if they're in
China, the author could just shut down that webpage during the review period
so that reviewer could not see the actual functionality through an analysis
of its behavior."