Pirated iOS apps without jailbreaking
The operators of Chinese warez portals have found a sly way of offering pirated iOS apps for Apple devices that haven't been jailbroken. iOS normally only launches apps that have been approved and signed by Apple. Most signed apps originate from the App Store and have been permanently associated with a purchaser's Apple account using Apple's FairPlay DRM system. If the DRM protection is removed, the app's signature becomes invalid; for such a program to start, the signature check must be disabled by jailbreaking the device.
The operators of the illegal download portals appear to have chosen a bolder approach. They don't remove the DRM in the first place. Heise Security, The H's German associates, downloaded a number of test apps and found the original app buyers' plain-text names. The programs still seemed to be linked to their accounts. iOS does allow users to install apps that weren't bought via the Apple account that is associated with the device, but to do so, it is usually necessary to log in with the appropriate account.
The operators of the warez portals seem to have found a convenient way of exploiting this mechanism for their purposes. During the test, a one-time connection between the iPhone and the site's desktop client had to be established. This subsequently allowed them to initiate the installation of apps both via the client and via the warez portal's mobile version. The stolen apps can't be updated.
It is generally advisable to refrain from using such portals. Apart from the fact that the use of stolen apps is illegal, when the required connection is established, the desktop software potentially has unauthorised access to personal data such as the photos that are stored on an iOS device. It is currently unclear whether Apple will be able to prevent such pirated copies from being installed.
The installation of apps via a web site is reminiscent of the iOS Developer Enterprise Program, for which Apple allows selected business customers to sign apps in such a way that the App Store can be bypassed when the apps are installed. However, this privilege is subject to special conditions: for example, such apps must not be distributed outside of a company. Apple also says that it will check a company's identity and suitability before allowing it on the enterprise program.
Heise Security couldn't confirm the suspicions of some security experts who say that the Chinese online stores are misusing such certificates. No suspicious signatures were discovered when analysing the app. The scenario would also require a "provisioning profile" to be installed, but no such profile was found on the iPhone even after the device had been in contact with the desktop software.
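The kind of check described above can be run on an app archive before it goes anywhere near a device. This is an added example, not Heise Security's tooling. It reports whether an IPA still carries a purchaser's account and FairPlay data or ships an enterprise provisioning profile. The file names and plist keys (`iTunesMetadata.plist`, `appleId`, `SC_Info`, `embedded.mobileprovision`, `ProvisionsAllDevices`) come from the usual IPA layout, not from the article, and the sample archives are constructed.

```python
import io, plistlib, re, zipfile

APP = r"Payload/[^/]+\.app/"  # standard IPA layout (assumption, not from the article)

def triage_ipa(data: bytes) -> dict:
    """Report which account or certificate an IPA archive is tied to."""
    report = {"purchaser": None, "fairplay": False,
              "profile": None, "enterprise": False}
    with zipfile.ZipFile(io.BytesIO(data)) as ipa:
        for name in ipa.namelist():
            if name == "iTunesMetadata.plist":
                # Store purchases carry the buyer's account in plain text.
                report["purchaser"] = plistlib.loads(ipa.read(name)).get("appleId")
            elif re.fullmatch(APP + r"SC_Info/[^/]+\.sinf", name):
                # FairPlay licence data is still present: DRM was not stripped.
                report["fairplay"] = True
            elif re.fullmatch(APP + r"embedded\.mobileprovision", name):
                # The profile is a signed container with an XML plist inside.
                blob = ipa.read(name)
                start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
                if start != -1 and end > start:
                    prof = plistlib.loads(blob[start:end + len(b"</plist>")])
                    report["profile"] = prof.get("Name")
                    # In-house (enterprise) profiles are not tied to listed devices.
                    report["enterprise"] = bool(prof.get("ProvisionsAllDevices"))
    return report

def build_sample(files: dict) -> bytes:
    """Build a constructed IPA in memory so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in files.items():
            z.writestr(name, content)
    return buf.getvalue()

# Constructed samples: a store purchase and an enterprise-signed build.
STORE_IPA = build_sample({
    "iTunesMetadata.plist": plistlib.dumps({"appleId": "buyer@example.com"}),
    "Payload/Demo.app/SC_Info/Demo.sinf": b"\x00",
})
ENTERPRISE_IPA = build_sample({
    "Payload/Demo.app/embedded.mobileprovision": b"\x30\x80" + plistlib.dumps(
        {"Name": "Constructed In-House", "ProvisionsAllDevices": True}) + b"\x00",
})

if __name__ == "__main__":
    print(triage_ipa(STORE_IPA))
    print(triage_ipa(ENTERPRISE_IPA))
```

A purchaser and FairPlay data with no profile matches what the article describes; a profile with `enterprise` set would point to the certificate misuse that Heise Security could not confirm.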
In view of the developments in the Far East, app developers will probably find little comfort in the announcement that Hackulous, one of the best-known platforms for stolen iOS apps, is closing down. Hackulous only worked on jailbroken Apple devices where the signature check was, as described above, already bypassed.