Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Why Popcorn Time's 'jailbreak-free' iOS hack is a bad idea

Glenn Fleishman | April 10, 2015
Popcorn Time is "available" for iOS, but you won't find it in the App Store. In fact, you need Windows to install it on your iPhone or iPad..and that's just the beginning.

3d glasses popcorn time thinkstockphotos 495274907

Popcorn Time aggregates the world's supply of movies and television shows into a beautifully organized and searchable display. It relies on peer-to-peer distribution using BitTorrent. Unfortunately for all concerned, the supply it taps into comprises almost entirely pirated content.

It was well known that nearly all digital (and many digitized) television episodes and movies were available somewhere in the world, but putting a Netflix-like browsing interface on top of it that any ordinary user could access was a success. Popcorn Time quickly garnered millions of users. The main project was shut down over a year ago, but as it was open source, other versions forked from the original code.

One of them launched a beta version of Popcorn Time on April 8 that promises to bring the same experience in the desktop version and under Android to iOS. The problem is, it's a giant hack.

Slipping through security holes
Popcorn-Time.se, among the most popular forks, released iOS Installer for Windows (XP and later) to work around Apple's prohibition on arbitrary app installation. Yes, you read that right: you need a Windows system to install Popcorn Time for iOS, and have to carry out the task over USB as well.

The installer says it's jailbreak free, although there's a jailbreak option for Popcorn Time as well. Based on other reports, it looks like Popcorn Time is relying on Apple's iOS Developer Enteprise Program. This $299-per-year option allow companies to develop in-house apps that Apple never approves and can only be distributed to employees, by the program's rules.

The theoretical Masque Attack, discussed and named last November by security researchers, relied on the same developer program. Masque Attack proposed that malware could be distributed by a malicious party who could sign up for an enterprise developer account and then push out apps that would require users to accept and install an associated profile.

Wired, which communicated with the developers, reports they say they're relying on revoked and expired certificates.

So let's review what you have to do to install Popcorn Time for iOS:

  • Trust that anonymous developers, who are facilitating the access to mostly pirated content, are acting in your best interests, and avoid including malware or adware. (Some Popcorn Time forks also offer paid VPN service.)
  • Trust those developers to maintain a high level of project security to prevent malicious third parties from inserting malware.
  • Download and install a Windows program.
  • Connect an iOS device to a Windows system via USB and run the Windows software.
  • Trust a installation profile from developers who are subverting Apple's system.
  • Run an app created by those developers.

 

1  2  Next Page 

Sign up for CIO Asia eNewsletters.