Earlier this week, our team discovered several fraudulent apps on the Apple App Store. Our colleague Phipps, who found them, was able to reach one of the developers, who claimed his Apple developer credentials had been stolen and that someone else had put up the fake version of Quickoffice using those credentials.
If those credentials were stolen, they didn’t need to be — Apple has a strong second-factor authentication system in place to prevent account hijacking. But it was rolled out only in the last year, so many developers may not have enabled it, relying instead on the still-available basic security system, which isn’t as secure.
Microsoft doesn’t enable second-factor authentication by default, but you can turn it on in your Microsoft account management page. Otherwise, it uses email to alert you to any changes made, though it does require you to enter a code sent to your email the first time you use a new computer or device to manage your account, a sort of ad hoc second-factor validation.
Android developers can also use second-factor authentication to secure their Google Play accounts, but the method is much harder to find than with Apple and Microsoft. Even new Google Android developers are probably going with the less-secure method that Apple also long employed: a second email address to which alerts about account changes are sent.
Receiving an email that tells you someone updated your account is better than nothing, but doesn’t prevent a hijacking — it merely lets you know you’ve been hijacked. At that point, you have to wade through the automated systems at both Apple and Google to recover your accounts.
All the while, your legitimate apps’ payments may be going to someone else, and that person can use your credentials to publish fake apps and even malware. (The fraudulent apps that Phipps discovered this week have shaken my faith in Apple’s vaunted app review process. Clearly, it’s not all it’s claimed to be.)
Securing your Apple developer account
In Apple’s case, you register an iOS device as your second factor, so any account changes have to be validated from that device, similar to how Apple uses your iOS devices and Macs as a second-factor authenticator for changes to your iCloud account. You still have to know the first factor: your account password.
This is the same system Apple provides for all Apple IDs, not only for developer accounts, so you should also use it for your personal Apple ID. In addition, you should not use your personal Apple ID as your developer Apple ID, even with second-factor authentication in place. If one account is compromised, why risk the other?
To set up second-factor authentication, go to the Apple ID password and security page (sign in with your user ID and password, of course). Have your iOS device at hand (I recommend using an iPhone to get verifications no matter where you are). After you sign in, click or tap the Get Started link under the Two-Step Verification heading. Follow the prompts. It’s that easy!