3

I have to install some apps on my personal iPhone developed by a large company. My phone warns me that they're from an "untrusted enterprise developer" and not the "App Store".

I must give authorisation in order to use the app, but I'm worried that Apple's private APIs may be used in the apps as they don't come from the "App Store", and I don't know what APIs will be used. So I'm worried about my personal privacy because of "private API" usage.

Are my text messages, call history, photos or other information stored on the mobile phone still safe? Are the apps from an "untrusted enterprise developer" as safe/private as apps from the "App Store", given the same permissions? Should I particularly worry about the former type when using them?

I was told that apps installed from Enterprise Certificates will still show authentication popups when they fetch my private data with private APIs, and my manual authentication is needed to permit that action. I do think this rule ensures the same security level as apps from the App Store. Does the rule exist, and is my "same security level" thought right?

Ink

2 Answers

2

The iPhone refuses to run unsigned apps. In iOS, the primary way to distribute released apps to the public is the App Store. However, most companies don't want to distribute their internal apps for employees on the App Store, because that would mean that their internal apps are not-so-internal any more. Apps distributed via this method have to be cryptographically signed by Apple using Apple's certificate. Thus, Apple introduced Enterprise Certificates for companies to sign their own apps for installation on their employees' or their own devices.

If the person you received the app from is not your employer, you should almost certainly not install the app on your device with very few exceptions (no, "from a big company" is not one of them. If anything, it actually reduces the chance that the app is legitimate). The fact that it's being distributed using an enterprise certificate instead of through the App Store (or TestFlight, if it's a beta app) means that for some reason, the company writing the app does not want to submit it to Apple for review. Normally I'd say this could be due to cost issues, but the cost to get an Enterprise Certificate is over three times greater than it costs to get an app onto the store. It's very likely then that there's some "feature" in the app that the company does not want either you or Apple to know about, which could very well be malware.

In terms of private API usage: there isn't a complete guarantee that it'll follow all restrictions, since the private APIs could theoretically grant access to data that you might not expect, since Apple didn't necessarily engineer the privacy settings to apply to private APIs since they expected only people they trust—themselves—to use it. Basically it's going to just be a risk that you'll have to decide on taking; there aren't any guarantees as to how a private API functions.

Also, if the cause was using private APIs I'd suggest that the company just distribute it by sending you an IPA and having it sideloaded using AltStore or the like, though I'd still be wary if you haven't either read the source code or have a significant amount of trust in the sender. Allowing an Enterprise Certificate onto your device comes with several security risks because it usually assumes an employer-employee relationship and thus a certain amount of trust in the certificate holder.

A. Owl
  • Many thanks for the answer. I was told that apps installed from Enterprise Certificates will still show authentication popups when they fetch my private data with private APIs, and my manual authentication is needed to permit that action. I do think this rule ensures the same security level as apps from the App Store. Does the rule exist, and is my "same security level" thought right? – Ink Jan 05 '22 at 02:20
0

This is only a matter of trust. By using an iPhone, you trust Apple to do the right thing, meaning both respect your privacy, and only put acceptable applications on the App Store. And there are indeed 2 requirements: the developer must have paid their fee and the application is scanned for visible malware.

The Trusted Enterprise Developer is an intermediate thing: the application is not scanned by Apple, but the enterprise developer has signed with Apple and has promised to respect Apple's rules. By trusting that, you trust Apple to only trust reliable companies.

When you are facing an untrusted enterprise developer, that just means that the developer has not signed Apple's agreement. It may be because the company refused Apple's agreement for whatever reason yet is a reliable company with strong security practices. Or it may be a fully evil developer that deliberately wrote malware into their apps.

The main difference is that the responsibility of trust is only yours. Apple just says: I make no guarantee on this thing, use it at your own risk. If you have reasons to trust that enterprise developer, because it is either your own organization, or a company you already trust, there is no particular problem and you can install the app. If you do not, then caution advises not to install the app.

AFAIK the authentication popups are quite a different thing: every developer has a unique identifier, and can only access data or other resources under that identifier, be they trusted or not by Apple, and be the app on the App Store or not (except of course for core Apple system applications: root always has full power...). iOS has a fairly good reputation when it comes to security (the underlying system is derived from BSD Unix) and AFAIK few security flaws have been found. Simply, an app that can organize your photos and other images must have full access there. And you just trust all the apps using the same developer id not to steal (too much) of it...

Serge Ballesta
  • Can the apps from "untrusted enterprise developer" break through the sandbox mechanism of Apple? – Ink Jan 05 '22 at 11:15
  • Still AFAIK, neither more nor less than *normal* apps - they have not been scanned by Apple but have no root privilege. – Serge Ballesta Jan 05 '22 at 11:24