r/jailbreak Bot Jul 25 '18

[Meta] Explanation of Signing Services and "About Moderators" Announcement Meta

Hi /r/jailbreak!

We wanted to make this post to clarify our rules on signing services and let you know about the "About Moderators" wiki page.

Signing Services

Preamble. (please read)

Let me start off by saying: we are well aware of the controversy that is generated by discussion of signing services on /r/jailbreak. Whether you're for them or against them, both sides have very good points to support their stances. We feel that this topic hasn't really been explained totally in depth, so we would like to take this time to provide a full breakdown of the situation and explain why our policies are the way they are. If you find that you disagree with our policy on these services for any reason, then please make sure to read through this entire explanation so you can hopefully better understand the rationale behind our policies. Again, you might not agree with our stance after leaving this thread, but we hope with this explanation that you at least understand why our policies are the way they are.

Introduction.

Electra was released for iOS 11.2 through iOS 11.4 beta 3. With this release came two different methods of jailbreaking. One method utilizes the "VFS" exploit, while the other one utilizes the "multi_path" exploit. The VFS version can be signed for free by anyone with an Apple ID, however the exploit in use has a relatively low success rate. Meanwhile, the multi_path version has a significantly higher success rate than the VFS version, however the exploit requires special entitlements available only to those with Developer accounts, a.k.a. Apple IDs that are enrolled in the Apple Developer Program. Therefore, the only way to use the multi_path version is to have it be signed by a developer account (which is $99 yearly). Several users have their own Developer accounts and have signed the application for their own devices, but understandably, not everyone has this luxury.

Recently, a few signing services have started to host the multi_path version of Electra which allow users to sign the multi_path version for free. This is accomplished by using an Enterprise certificate to sign and publicly distribute the application on a privately-owned website.

While we do not have any problem with users using these services on their own devices, we will not promote or allow discussion of these signing services on this subreddit.

HOWEVER. There is a way to install the application that we allow users to share. I will explain this later, but first, please read the explanation of our stance below.

Full explanation of our stance.

The means by which we justify this decision stems from the way Apple takes down content from various online hosting services, as well as the legal agreements the entity must enter in order to obtain this license and the means by which these licenses end up in the hands of signing services.

If you take a look at the requirements to be eligible for an Enterprise certificate, you will see that the entity seeking an Enterprise certificate enters a legally-binding agreement with Apple. They must be a registered "legal entity", aka an officially-recognized business of some sort, and the process of obtaining the certificate is overall complicated. Essentially, these companies interact directly with Apple to verify their authenticity and so Apple can be sure that they are not handing out a powerful certificate to just anybody.

As mentioned, these certificates are exclusively intended for businesses whose intent is to distribute in-house applications, aka applications to their employees or business partners. However, these certificates also tend to fall into the hands of signing services by illegitimate means. We obviously are not sure of how every signing service is able to get a certificate in their own unique way, and this is not to say the services themselves are inherently malicious, but a generally known tactic involves fulfilling all the necessary requirements, signing the correct documents, and obtaining the license. Once they have the license, the business pulls a 180 and proceeds to abuse the Enterprise certificate by either selling it to someone who publicly redistributes applications (both paid and free) signed with this certificate, or even hosts the applications themselves (some businesses even change their name, business information, etc. to cover their tracks). Whether the certificate is used or sold by these businesses, this practice is not only deceptive but outright illegal; not just “piracy illegal”, illegal illegal. As moderators of a community commonly associated with the notion of illegality by the general public, we are not comfortable with allowing these services on our subreddit. Again, this is not to say that all signing services are pulling these kinds of stunts. For example, the services could be buying the certificates from somewhere else. However, the deceptive practice shown above has to happen somewhere near the top of the food chain in order for these services to get the certificate in the first place.

We have had extensive internal discussion about this topic time and time again. To be clear, our stance would be different if Apple didn't care about this kind of behavior. If Apple was fine with Enterprise certificates being used this way, then we'd be fine with it too. However, this clearly isn't the case; these businesses enter a legally-binding agreement with Apple in order to obtain this license, and if Apple catches wind that this business is abusing the program and selling the certificate or hosting signed apps on their website for public use (pirated apps or otherwise), then Apple revokes the business's certificate and kicks them out of the Enterprise program for violating the legal contract that they signed with Apple.


To relate this to the Electra jailbreak, a lot of users have voiced concerns on whether Enterprise-signed versions of ElectraMP should be allowed here. For the above reasons, our answer remains no. Although the app itself is not "piracy", it is still illegally signed by a company that obtained and uses the certificate in a fraudulent manner. For this reason, our rule on signing services falls in line with our piracy rules.

That being said, while we don't allow linking to the signed application on this subreddit, we understand the benefits of providing a means to obtain a safe, verified version of ElectraMP. Therefore, if you are looking for a working version of ElectraMP, please check the Discord as they will help you find it.


A few users have also noted that the Pangu jailbreak also used an Enterprise certificate and that we did nothing about it at the time. Truth be told, we only discovered a few months ago that using an Enterprise certificate was not allowed outside of that enterprise (or how they worked and the limitations).

You can read more about the certificate limitations here.


"About moderators" wiki page

Finally, a user suggested that we have something that lets users get to know moderators better. We decided to make a wiki page with a small amount of information on our moderators so you can get to know us a little bit better. We've also added a link to this page at the bottom of the sidebar.

If you have any information you'd like to be added to the page (within reason, no SSN's <_<), let us know!



As always, if you have any suggestions, please either send us a modmail or add them as a comment on this post.

/r/jailbreak mod team.

120 Upvotes
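The post distinguishes three signing models: free Apple ID or developer-account signing (tied to listed devices) versus Enterprise signing (installs on any device). A user deciding whether to trust a sideloaded IPA can read that distinction straight out of the app's embedded provisioning profile, which also names the team and carries the public signing certificate (never the private key). The script below is an added example, not code from the post or from the Electra project; it assumes the standard IPA layout (Payload/<App>.app/embedded.mobileprovision) and uses constructed sample archives rather than real builds.

```python
import io
import plistlib
import zipfile

# Assumption (not from the original post): an IPA is a zip archive whose
# Payload/<App>.app/ directory holds embedded.mobileprovision, a CMS-signed
# blob that wraps an XML plist verbatim. Slicing between '<?xml' and
# '</plist>' recovers that plist; the CMS signature is NOT verified here,
# so this only reports what the profile claims about itself.

def profile_from_ipa(ipa_bytes):
    """Return the provisioning-profile dict inside an IPA, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("Payload/") and name.endswith(".app/embedded.mobileprovision"):
                raw = zf.read(name)
                start, end = raw.find(b"<?xml"), raw.find(b"</plist>")
                if start == -1 or end == -1:
                    return None
                return plistlib.loads(raw[start:end + len(b"</plist>")])
    return None

def classify_profile(profile):
    """Map profile keys onto the signing models the post distinguishes."""
    if profile is None:
        return "no-profile"            # e.g. App Store builds carry none
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"            # in-house cert: installs on any device
    if "ProvisionedDevices" in profile:
        return "device-limited"        # free Apple ID / dev or ad hoc: listed UDIDs only
    return "unknown"

def describe(ipa_bytes):
    """One-line summary a user could check before trusting a sideloaded IPA."""
    p = profile_from_ipa(ipa_bytes)
    kind = classify_profile(p)
    team = p.get("TeamName", "?") if p else "-"
    certs = len(p.get("DeveloperCertificates", [])) if p else 0
    return f"{kind} team={team!r} signing_certs={certs}"

# Constructed sample IPAs (not real Electra builds): a dummy CMS wrapper around a plist.
def build_sample_ipa(profile=None):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payload/SampleApp.app/Info.plist", plistlib.dumps({"CFBundleName": "SampleApp"}))
        if profile is not None:
            blob = b"\x30\x82CMS-HEADER-PLACEHOLDER" + plistlib.dumps(profile) + b"\x00CMS-SIG-PLACEHOLDER"
            zf.writestr("Payload/SampleApp.app/embedded.mobileprovision", blob)
    return buf.getvalue()

ENTERPRISE = {"TeamName": "Example Corp (constructed)", "ProvisionsAllDevices": True,
              "DeveloperCertificates": [b"DER-PLACEHOLDER"]}
DEVELOPMENT = {"TeamName": "Example Dev (constructed)", "ProvisionedDevices": ["00000000-0000000000000000"],
               "DeveloperCertificates": [b"DER-PLACEHOLDER"]}

if __name__ == "__main__":
    for sample in (build_sample_ipa(ENTERPRISE), build_sample_ipa(DEVELOPMENT), build_sample_ipa()):
        print(describe(sample))
```

On a real IPA the same call reports the team name and whether the profile is the all-devices Enterprise kind; it says nothing about whether that certificate was obtained legitimately, which is the point the post is making.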


u/Hipp013 (ง’̀-‘́)ง iPhone 12 Pro, 14.6 | iPad Pro M1, 15.4.1 Jul 25 '18 edited Jul 26 '18

edit: please hit load more comments below to see further elaboration into our explanation.


I’d like to stress the following:

While we do not allow discussion of signing services here, again, there is a way to install the ElectraMP application that users are allowed to share here.

If you want to install the application, check the Discord. If someone asks how to install it, direct them to the Discord. A specific signed version of the ElectraMP application is allowed there, and the staff and users there can help you find it.

0

u/LEL-LAL-LOL Jul 25 '18

Selling enterprise certs is not illegal. (Yes that's what they do; buy for 299 bucks and sell for way more). It's just against the terms of service in order to get that certificate.

9

u/Hipp013 (ง’̀-‘́)ง iPhone 12 Pro, 14.6 | iPad Pro M1, 15.4.1 Jul 25 '18 edited Jul 26 '18

It's just against the terms of service in order to get that certificate.

You do not sign a Terms of Service to get an Enterprise certificate. You sign a Standard License Agreement for internal usage. A Terms of Service agreement may contain the End User License Agreement, but I work in licensing and can definitively tell you that an SLA and a ToS are two totally different documents with different ramifications.


Selling enterprise certs is not illegal.


The top of the License Agreement states:

THESE TERMS AND CONDITIONS CONSTITUTE A LEGAL AGREEMENT BETWEEN YOUR COMPANY/ORGANIZATION AND APPLE.

Furthermore, under “Section 2.1 Permitted Uses and Restrictions; Program services”, it reads:

Apple hereby grants You during the Term, a limited, non-exclusive, personal, revocable, non-sublicensable and non-transferable license

...

Except as otherwise expressly permitted herein, You agree not to share, sell, resell, rent, lease, lend, or otherwise provide access to Your developer account or any services provided therewith, in whole or in part, to anyone who is not an Authorized Developer on Your team

Under "Section 3.2 Use of the Apple Software and Apple Services", it reads:

Except as otherwise set forth in this Agreement, You agree not to rent, lease, lend, upload to or host on any website or server, sell, redistribute, or sublicense the Apple Software, Apple Certificates, or any Services, in whole or in part, or to enable others to do so.

These are only a few examples. If you are interested, the entire License Agreement documentation can be found here.


late edit:

Earlier in this comment I pointed out that I work in licensing, and while no one has yet told me that they doubt that claim, I would like to elaborate on the legal ramifications of violating an SLA.

When we receive applications from potential licensees, they must go through a process of sending us samples of the products they’d like to produce under the license, provide insurance documents, and then sign the SLA, which we then ratify and send to the licensor (in the case of Enterprise licenses, the licensor would be Apple). Licensees are only allowed to produce the items for which they applied under the license, so for example, in my company’s focus, if a licensee is approved to produce a hat with a certain logo and instead produces T-shirts and mugs, they are violating their contract and subject to ramifications accordingly. There are clauses in a typical SLA for both standard and internal usage that hold the licensee liable for damages should the SLA be violated. These violations always end in the license being revoked, but depending on the severity of the violation(s), the licensor is likely to file a lawsuit against the licensee for said damages and violation(s).

So to translate that to this situation, if Apple determines that the damages as a result of the violation deem it necessary, Apple may sue the company for said damages. So no, this isn’t just a “who cares” situation. These violations can very likely have real world consequences.

-8

u/LEL-LAL-LOL Jul 25 '18

SLA, EUA, same thing. Both are license agreements, aka "don't do that or I'll do this". We can break them, who cares.

7

u/Hipp013 (ง’̀-‘́)ง iPhone 12 Pro, 14.6 | iPad Pro M1, 15.4.1 Jul 25 '18

who cares

You seem to not understand or care how licensing works. Either that, or you've completely missed my point or don't care to see it, so I can't continue this discussion with you.

-2

u/LEL-LAL-LOL Jul 26 '18

Either way, if it's illegal to share the cert, the signed apps don't have the cert in them, so problem solved. They're signed with the cert, but you cannot reverse an IPA to get the cert.

4

u/Hipp013 (ง’̀-‘́)ง iPhone 12 Pro, 14.6 | iPad Pro M1, 15.4.1 Jul 26 '18

The SLA grants the license. The license grants the certificate to the licensee. Under the conditions set out in the SLA, the licensee is, among other requirements, obligated to only produce the products approved by the licensor (Apple) in the agreement (translation: use the certificate only for the approved applications) and to not share the licensed property (the certificate) with any unapproved entities (signing services) under any circumstance. The problem has nothing to do with the certificate being somehow extracted from an application; the problem is that the application was signed with the fraudulently transacted certificate in the first place.

With all due respect, I can tell you're just making up arguments now.

-2

u/LEL-LAL-LOL Jul 26 '18

Of course I am; I need to, one way or another, make you understand one point: "Apple doesn't care at all". If they did, they would take legal action instead of revoking certificates. All my arguments meant that in different words.

You mods need to understand that nobody will do anything to the subreddit if you allow them. They've been used in many jailbreaks and nobody cared, anything happened? No.

-3

u/LEL-LAL-LOL Jul 26 '18

Plus, as I said earlier, breaking an SLA is no different than breaking a ToS. They're both something where we click "agree".

5

u/Hipp013 (ง’̀-‘́)ง iPhone 12 Pro, 14.6 | iPad Pro M1, 15.4.1 Jul 26 '18 edited Jul 26 '18

You seem to think an SLA is just another one of those "I have read and agree to the terms of service" boxes that you check and hit enter. You don't "click agree" on an SLA. It is a big pile of pages that you print out and sign, physically and legally representing your business in the agreement.

breaking SLA is no different than breaking a ToS. They're both something where we click "agree"

Remember this statement if you ever find yourself in the business world, decide to sign a legally binding document, go against the terms laid out in the document, and then find yourself getting hunted down by the company's legal or audit team. I see it happen every day.


Okay. I'm calling it. It is officially impossible to discuss this with you. You flat out refuse to believe anything I say even though, must I remind you, licensing is my job; not to make it seem like I'm an expert in all things licensing, but these exact situations are what I deal with on a day to day basis.

I've not only explained several times why it matters when a company violates an SLA, but have also provided passages from the agreement explicitly stating what you can and cannot do in the bounds of the agreement. You actively choose to ignore everything I say, and while I respect your right to do so, I am done discussing this with you. Feel free to leave a reply to this comment, but do not expect a response from me.