A third-party app store that was recently discovered to offer apps to iOS users without jailbreaking their devices beforehand is still in operation. The rogue store, vShare, is using the known enterprise certificate abuse exploit to provide downloads for its own app catalog, using a technique researchers have termed the "DarkSideLoader." As the apps are not provided or vetted through Apple, the downloaded apps are a security risk for unsuspecting users.
Discovered in December
by Proofpoint, vShare's store allowed users to download an app to their devices, one that had been signed with an Enterprise App distribution certificate. Normally, these are issued by Apple to enterprises, allowing them to create their own "App Store" repository for employees and to run apps downloaded to devices. To acquire such a certificate in the first place, a third-party store can pay $300 via a credit card and go through a vetting process with Apple using legitimate or fake company details, by imitating a real company, or by stealing it from an approved entity.
After downloading the store app, users are then guided through a short process which varies depending on which version of iOS is installed to "trust" the "enterprise" app, allowing the store to open. Once trusted, users can then download and install other apps from the store without going through the trusting process. In this instance, vShare's DarkSideLoader re-signs the downloaded app with the trusted enterprise certificate, allowing it to run as a permitted app regardless of its contents.
Despite being revealed at the end of December by
Proofpoint, and reports
from CNN and
AppleInsider at the time suggesting Apple may have revoked some of vShare's certificates,
MacNN has discovered it is still able to download the vShare app, trust it, and then to download and install a game from it. Due to the ability to simply acquire more certificates and rotate them into circulation in the store, Apple may genuinely be revoking certificates, but the store is still able to use others and stay open.
The existence of third-party stores could be seen as a benefit to some users, with the promise of millions of apps to download at no charge, but it does have some significant downsides. For users, apps offered for download do not go through the same vetting process as those in the main App Store itself, which means they could include malware. Developers also stand to miss out on revenue, with users able to download free versions of paid apps. The stores themselves can earn revenue, typically with advertising, but also by potentially selling access to compromised devices.
As to the extent of vShare's reach, the store itself claims 1 million apps are available, though
Proofpoint has so far found only 15,000 for iOS, and over 400,000 on the Android version of the marketplace. Over 40 million users are claimed by vShare to use the store, with researchers believing approximately a quarter of users are doing so via an iOS device.