App pirates are letting you download free versions of paid iPhone apps by taking advantage of a quirk in Apple’s iTunes approval process.
The pirated app website, vShare, even works on iPhones that aren’t “jailbroken.”
Apple goes to great lengths to control which iOS apps are allowed in its iTunes App Store. Traditionally, the only way to install an app from outside the official App Store is to jailbreak your iPhone.
But vShare has figured out how to get around that, according to cybersecurity firm Proofpoint and several other researchers contacted by CNNMoney. Proofpoint researchers gave CNNMoney an exclusive look at research that it will release on Wednesday.
How vShare beats Apple security
Apple lets corporations create their own internal apps for employees. If a company pays $299 per year and joins the Apple Developer Enterprise program, its apps get a special, trusted certificate.
Those apps don’t make it to the official App Store, so they aren’t reviewed by Apple itself. But your iPhone is allowed to download them anyway, because Apple servers vouch for that certificate.
According to Proofpoint, vShare pirates managed to get their hands on several Apple enterprise certificates, using them to create a vShare app.
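For defenders, the mechanism above suggests a simple inventory check: flag any installed app whose provisioning profile is an enterprise (in-house) profile from a team your organization does not hold certificates for. The following Python is an added example, not code from the article or from Proofpoint; it assumes an MDM or inventory export has already extracted each app's embedded.mobileprovision plist from its CMS envelope, and the allowlist, team identifiers and sample profiles are constructed placeholders.

```python
"""Flag iOS apps side-loaded under an enterprise provisioning profile from a
team your organization does not own. Added example; it assumes the app's
embedded.mobileprovision has already been extracted from its CMS envelope
as a plist, and the allowlist and sample profiles are constructed."""
import plistlib
from datetime import datetime

# Constructed allowlist: team IDs whose enterprise certificates your org holds.
TRUSTED_ENTERPRISE_TEAMS = {"TEAMID00001"}  # placeholder, not a real team ID


def profile_risk(profile_plist: bytes, now_iso: str) -> list:
    """Return reasons a profile is suspicious; an empty list means it passes."""
    p = plistlib.loads(profile_plist)
    reasons = []
    # Only enterprise in-house profiles carry ProvisionsAllDevices; ad-hoc and
    # development profiles enumerate specific device UDIDs instead.
    if p.get("ProvisionsAllDevices"):
        team = p.get("TeamIdentifier", ["?"])[0]
        if team not in TRUSTED_ENTERPRISE_TEAMS:
            reasons.append(f"enterprise profile from unknown team {team} ({p.get('TeamName')})")
    exp = p.get("ExpirationDate")
    if exp and exp < datetime.fromisoformat(now_iso):
        reasons.append("profile expired")
    return reasons


def make_profile(team: str, team_name: str, all_devices: bool, expires_iso: str) -> bytes:
    """Build a constructed profile plist for testing; real ones are CMS-signed."""
    p = {
        "Name": f"{team_name} distribution",
        "TeamIdentifier": [team],
        "TeamName": team_name,
        "ExpirationDate": datetime.fromisoformat(expires_iso),
        "Entitlements": {"application-identifier": f"{team}.com.example.app"},
    }
    if all_devices:
        p["ProvisionsAllDevices"] = True
    else:
        p["ProvisionedDevices"] = ["00008030-000000000000000A"]  # constructed UDID
    return plistlib.dumps(p)


if __name__ == "__main__":
    for label, prof in [
        ("own corporate app", make_profile("TEAMID00001", "Our Corp", True, "2017-01-01")),
        ("unknown enterprise cert", make_profile("TEAMID99999", "Unknown Store", True, "2015-01-01")),
        ("ad-hoc build, unknown team", make_profile("TEAMID99999", "Indie Dev", False, "2017-01-01")),
    ]:
        print(f"{label}: {profile_risk(prof, '2016-02-02') or 'OK'}")
```

Revoked certificates are not visible in the profile itself, so this check complements, rather than replaces, Apple's own revocation; it catches the case the article describes, an app that installed because a valid but foreign enterprise certificate vouched for it.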
The vShare app is itself a portal to an app store of its own.
On vShare, the most frequently downloaded iOS apps are nearly all free, pirated versions of top paid apps on the real iTunes App Store.
It’s unclear how many times pirated copies of games like “Minecraft: Pocket Edition” or “Geometry Dash” have been illegally downloaded. But those apps have been “liked” by downloaders more than 1.4 million times. On Apple’s app store, Minecraft sells for $6.99, and Geometry Dash costs $1.99.
What is vShare?
“It’s not exactly like an Apple website, but it looks and feels like a reasonably professionally produced app store,” said Proofpoint research executive Ryan Kalember. “It’s like those Apple Stores that opened in China that look exactly like Apple Stores — but aren’t.”
On its site, vShare claims: “We respect intelligent property and devote to protect the right of authors. If you consider your right has been violated, please contact us by providing related documents. We’ll remove such contents immediately.”
CNNMoney asked vShare to explain why it offers pirated copies of apps, but the group did not respond.
The website claims it’s been in operation since 2011 and states its business depends entirely on “the trust of our users,” but the site gives no information about its operators or where it’s located.
Public Internet records say the website has been registered to someone by the name of Huang Tao in Shanghai.
Proofpoint said it noticed that vShare has been cycling through four different Apple-issued certificates to pull off its feat, and Proofpoint reported the issue to Apple.
It’s unclear if Apple has revoked vShare’s app-making certificates. Apple did not respond to requests for comment.
On Tuesday night, CNNMoney was still able to download the vShare app onto an iPhone 6 running iOS 8.4, but the app was unable to install, indicating that Apple might have already revoked at least one of its certificates.
Patrick Wardle, a researcher at cybersecurity firm Synack, described vShare as a “cat and mouse game, where new or stolen certificates are constantly being added for abuse.”
That puts Apple (AAPL, Tech30) in the position of playing whack-a-mole, Kalember noted. Instead, Apple would be better off ditching its current model and forcing all corporate app makers to stick to its well-guarded App Store and demand employee logins, he said.
Claud Xiao, a security researcher with Palo Alto Networks who investigated vShare last year, said most apps on vShare are straight copies — not malware. But the vShare apps are not scanned for malicious content in the way that Apple carefully scans its apps’ code. There’s nothing Apple can do to prevent apps outside its app store from infecting your iPhone.
Proofpoint has recently spotted pirated, untrustworthy apps from vShare on company-issued iPhones at a major health insurer, a life insurer and a retail chain.
The vShare website also offers pirated versions of Android apps, but this is less shocking, given that Google maintains looser controls over customer access to apps.