The trick relies on enterprise developer certificates, which these pirate operations use to provide modified versions of popular apps to consumers.
This means that they can stream music without ads and circumvent fees and rules in games. It also means that the app makers don’t get paid and neither does Jobs’ Mob.
Reuters, which discovered the hack, was incandescent with horror that the pirates were violating the sacred and holy rules of Apple’s developer programmes which only allow apps to be distributed to the general public through the App Store.
“Downloading modified versions violates the terms of service of almost all major apps”, Reuters snuffled.
Apparently Apple has no way of tracking the real-time distribution of these certificates, or the spread of improperly modified apps on its phones.
All it can do is cancel the certificates if it finds misuse.
However, all the pirates needed to do was use different certificates. Who would have thunk it?
Apple said that, to tackle the problem, it would require two-factor authentication - using a code sent to a phone as well as a password - to log into all developer accounts by the end of this month, which could help prevent certificate misuse.
Security researchers have long warned that enterprise developer certificates were a weak link in Apple’s security.
They are the centrepiece of Apple’s programme for corporate apps and enable consumers to install apps onto iPhones without Apple’s knowledge.
Last month Apple banned Facebook and Google from using enterprise certificates after they used them to distribute data-gathering apps to consumers.
The distributors of pirated apps are using certificates obtained in the name of legitimate businesses. Several pirates have impersonated a subsidiary of China Mobile.
Since the App Store debuted in 2008, Apple has sought to portray the iPhone as safer than rival Android devices because Apple reviews and approves all apps distributed to the devices.