How Apple's Enterprise Distribution Program was abused to enable the installation of a GameBoy emulator

There's a story making the rounds about how a GameBoy emulator can be installed on non-jailbroken iOS devices. While this initially seems surprising, it's simply the result of a company abusing Apple's iOS Developer Enterprise Program, and it allows users to install much more than just one emulator.

The way Apple's normal developer program works is that, for $99/year, developers have the ability to build their apps, install them on their devices for testing, and submit them to the App Store (without a developer account you can only build apps in a simulator). Each developer account is allotted 100 slots for devices to be used for development and testing. For each unique device that a developer wishes to deploy an application to, the device's unique device identifier (UDID) has to be added to the developer's account, and devices can only be removed once a year.

The enterprise program differs in that it does not require devices to be registered with the developer's account and there is no limit to the number of devices that an application signed with an enterprise certificate can be installed on. The intended purpose of this is to allow companies to distribute apps that are only intended for in-house use. Many companies require that more than 100 devices be able to install the app, but don't want these proprietary apps available to the general public in the App Store. Because of these relaxed limitations, Apple charges more for enterprise accounts and requires companies to apply and be accepted into the program.
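As an added example (not part of the original post): the difference described above is visible in the provisioning profile embedded in a built app archive, where an enterprise profile sets `ProvisionsAllDevices` and a development or ad hoc profile carries a `ProvisionedDevices` UDID list. The Python below reads that profile from an .ipa and classifies it; the sample archives are constructed, and the function names and the `app-store`/`no-profile` labels are this example's own.

```python
import io
import plistlib
import zipfile

PROFILE_SUFFIX = ".app/embedded.mobileprovision"

def extract_profile(ipa_bytes):
    """Return the provisioning-profile plist embedded in an .ipa, or None."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as ipa:
        names = [n for n in ipa.namelist()
                 if n.startswith("Payload/") and n.endswith(PROFILE_SUFFIX)]
        if not names:
            return None
        blob = ipa.read(names[0])
    # The profile is a CMS-signed blob wrapping an XML plist. Slicing the plist
    # out is enough for triage; it does NOT verify the signature.
    start, end = blob.find(b"<?xml"), blob.rfind(b"</plist>")
    if start < 0 or end < start:
        return None
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def classify(profile):
    """Map a profile to the distribution type it permits."""
    if profile is None:
        return "no-profile"
    if profile.get("ProvisionsAllDevices") is True:
        return "enterprise"            # installs on any device, no UDID list
    udids = profile.get("ProvisionedDevices") or []
    if udids:
        debuggable = profile.get("Entitlements", {}).get("get-task-allow", False)
        return "development" if debuggable else "ad-hoc"
    return "app-store"

def make_sample_ipa(profile):
    """Constructed sample: a plist between fake CMS bytes, zipped like an .ipa."""
    blob = b"FAKE-CMS-HEADER" + plistlib.dumps(profile) + b"FAKE-CMS-TRAILER"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Sample.app/embedded.mobileprovision", blob)
    return buf.getvalue()

if __name__ == "__main__":
    enterprise = make_sample_ipa({"TeamName": "Example Corp", "ProvisionsAllDevices": True})
    dev = make_sample_ipa({"TeamName": "Example Dev",
                           "ProvisionedDevices": ["0" * 40],
                           "Entitlements": {"get-task-allow": True}})
    for ipa in (enterprise, dev):
        profile = extract_profile(ipa)
        print(profile["TeamName"], "->", classify(profile))
```

An `enterprise` result on an archive that did not come from your own organization is the signal worth acting on, since that profile installs on any device without a UDID entry.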

As you may have guessed by now, the emulator that can be installed on non-jailbroken devices is signed using an enterprise certificate. More specifically, a third-party company, MacBuildServer, offers a service that you can point to any public GitHub project, and the service will build the application and sign it with their enterprise certificate (though you can provide your own certificate if you wish). Riley Testut created a GitHub project for a GameBoy Advance emulator that will run on iOS. By building the project through MacBuildServer, anybody can install the enterprise-signed emulator.

If you're wondering why Apple would allow its enterprise program to be used like this, it doesn't. MacBuildServer's service violates the intended use of enterprise certificates and it won't be surprising if we see their developer account terminated shortly. The reason people with enterprise accounts don't usually do this isn't that nobody has thought of it before; it's that there's a very high probability that it will result in losing that enterprise account.

There's also nothing that makes this emulator particularly noteworthy (though I'm sure it's a great emulator). With access to the source code, any app can be built and installed to a device. In fact, there are a number of other emulators for iOS publicly available on GitHub. Whether it be an emulator, a tethering app, or any other app banned from the App Store, these can all normally be built and installed by somebody with a developer certificate. The fact that MacBuildServer is signing any app with their enterprise certificate means that now not only can anybody build these apps for their device, but once built, the resulting .IPA can be redistributed freely to be installed on any other device. Even if MacBuildServer's account is shut down, if Testut's GitHub repository remains public, anybody with a developer account can still install the application to their device, albeit with more complicated steps than installing an enterprise app.

Users should be warned, though: installing any app through Xcode means you're bypassing security checks that are usually performed as part of Apple's App Store review process. This type of app installation is reserved for developers for good reason. Unless you're auditing the code that you're building to a device, there's no guarantee that what you're installing is what it claims to be. Installer beware.

Update 7/17/13: The enterprise signing service no longer works. A blog post on the MacBuildServer site states that they were contacted by Apple and found to be in violation of Apple's terms. While the service will still build and sign apps, they will fail to install onto devices because the certificate has been revoked and is no longer valid.

Nick Arnott