We’ve often mentioned how Apple devices are seen as being more secure than Android, as far less permissions are handed over to software developers who create applications for iOS (the iPhone / iPad Operating System). Conversely, Android developers are given much more creative freedom and access to deeper, darker areas of the operating system’s processes. The result is that Android smartphones can often offer app functionality that you just won’t see on the iPhone.

Take the home screen layout for example; on your iPhone, you are restricted to retaining the instantly-recognisable layout of rounded app icons, with an area reserved at the bottom of the screen for your most-used applications. You can’t change this layout, other than making small, on-rail modifications, like grouping apps into a single bucket, or changing the wallpaper. But on an Android device, you can completely customise your home screen (the ‘Launcher’) to a great extent.

And while this means that Android users can often have functionality that Apple users can’t, it does have a drawback. All this freedom can come at a cost, as Android devices are more frequently exposed to malicious firmware or viruses, unlike Apple devices that don’t usually see many breaches. All you need to do is look at one of our recent posts on compromised Android applications to see the size and scope of the problem.

What’s more, the Apple app sign-off process that developers must follow to have an application uploaded to the App Store is more stringent in some areas than Google’s Play Store for Android.

However, we can now reveal that unscrupulous software developers have managed to bypass Apple’s security measures in order to upload spoofed versions of official, popular applications to the App Store, in the hope that users will download the malicious version instead of the real deal. This breach affects some of the biggest names in the App Store, including Spotify.

 

Though the names have been altered, the brand images are copied for the spoofed app icons

 

Developers misusing ‘developer certificates’

Some of the affected applications include Spotify, Angry Birds, Minecraft, and Pokemon Go. In addition to one of the biggest music streaming services around, these other spoofed apps are some of the most popular games available on mobile at the moment. This makes the imposter applications a big risk to users picking up new devices and looking to redownload their favourite apps.

The dishonest process has been linked to a select group of app developers, whose names have been revealed as being TutuApp, Panda Helper, TweakBox, and AppValley, among others. By exploiting digital certificates, the developers in question have managed to access a select Apple program that was designed to allow large corporations to distribute their own internal applications to employees, without having to meet Apple’s stringent App Store security checks.

These digital certificates are often known as ‘developer certificates’, as they essentially provide a way for app development teams to test and distribute applications in-house for testing purposes, before a public release.

Take the Spotify spoofed app for example. One developer has released a version of the software that streams music without adverts, a service that’s typically only handed to paying members of the official streaming platform. But this faked version is offering it for free.

What you should do

This isn’t the first time that lesser-known development teams have abused developer certificates to release altered and faked versions of popular applications. It’s a constant struggle for bigger companies like Spotify and Niantic (the producer of Pokemon Go), who are constantly on the lookout for imitations of their products. Though Apple revokes the certificates of any developer abusing them, new certificates can be acquired when previous ones are lost, so it’s an ongoing battle.

And as for you, as a user, if you download a modified version of the application, you’re in violation of the terms of service of certain major apps like Spotify. So even if a third-party developer isn’t trying to inflict malicious spyware upon you and your device, you could still be at risk from using one of these unofficial applications. It could even see your device banned from any official products owned by the company.

And of course there are greater risks to be had. Though these developers seem intent on gaining simple benefits, like bypassing the Spotify adverts that appear on free tiers of the subscription service, others could target your personal information. Through the same abuse of development certificates, fake applications loaded with malware could theoretically be loaded to the Apple App Store in the same way.

It’s worth double-checking that you’ve got the correct app version when downloading one of these popular applications. And you may want to check the kids’ phones, too, since one of the biggest mobile games is on the list (Pokemon Go). If you need any more help and advice around mobile security, then get in touch with WiseGuys on 0808 123 2820 and we’ll be happy to help.