Stolen credentials are blamed for a fraudulent App Store offering — and could easily have been prevented.
If those credentials were stolen, they didn’t need to be — Apple has a strong second-factor authentication system in place to prevent account hijacking. But it was rolled out only in the last year, so many developers may not have implemented it, relying instead on the still-available, basic security system that isn’t as secure.
Microsoft doesn’t enable second-factor authentication by default, but it lets you enable that feature in your Microsoft account management page. Otherwise, it uses email to alert you to any changes made, though it will require that you enter a code sent to your email when you try to use a new computer or device for the first time to manage your account, a sort of ad hoc second-factor validation.
Android developers can also use second-factor authentication to secure their Google Play accounts, but the method is much harder to do find than with Apple and Microsoft. Even new Google Android developers are probably going with the less-secure method that Apple also long employed: a second email to send alerts about account changes.
Receiving an email that tells you someone updated your account is better than nothing, but doesn’t prevent a hijacking — it merely lets you know you’ve been hijacked. At that point, you have to wade through the automated systems at both Apple and Google to recover your accounts.
All the while, your legitimate apps’ payments may be going to someone else, and that person can use your credentials to publish fake apps and even malware. (The fraudulent apps that Phipps discovered this week have shaken my faith in Apple’s vaunted app review process. Clearly, it’s not all it’s claimed to be.)
Second-factor authentication is no cure-all, but it’s a good baseline.
Securing your Apple developer account
In Apple’s case, you register an iOS device as your second factor, so any account changes have to be validated from that device, similar to how Apple uses your iOS devices and Macs as a second-factor authenticator for changes to your iCloud account. You still have to know the first factor: your account password.
This is the same system Apple provides for all Apple IDs, not only for developer accounts, so you should also use it for your personal Apple ID. In addition, you should not use your personal Apple ID as your developer Apple ID, even with second-factor authentication in place. In case one account is compromised, why risk the other?
To set up second-factor authentication, go to the Apple ID password and security page (sign in with your user ID and password, of course). Have your iOS device at hand (I recommend using an iPhone to get verifications no matter where you are). After you sign in, click or tap the Get Started link under the Two-Step Verification heading. Follow the prompts. It’s that easy!
Apple also provides a recovery key for use if you’ve forgotten your password or lost your device, acting as a substitute factor for one of the two (but not both at the same time). I suggest you save the recovery key in a separate system, whether in iCloud Drive linked to your personal Apple ID or to a separate service like 1Password, Dropbox, Box, or Evernote that employs a different password and perhaps even user ID than your developer Apple ID.
Keep in mind that Apple will make you use the second-factor authentication every time you make an account change in the future, even from the computer or device you always use. That’s a pain, but it means a stolen MacBook can’t be used to bypass second-factor authentication requirement, as is possible with Google’s approach.
Securing your Android developer account
It’s not so easy to secure your Android dev account. You won’t find links to enabling second-factor authentication in the Play Store’s developer accounts page, for example. But Google has a second-factor account creation page; I found it via Google search, then parsing a help page that buried the link. You can skip the goose chase by using the link here. You’ll of course have to sign in with your account credentials.
Follow the prompts to set up the second-factor authentication. (You can apply second-factor authentication to any Google account, not only your developer account.)
Google’s second-factor authentication works like that of many banks: You get a text message or phone call with a one-time code that you then enter on the website from which you are trying to make an account change.
You can tell Google not to require a code from that specific browser on that specific computer in the future, so you don’t have to use the second factor every time you make a change — only when you (or someone else) tries to make a change from another device. Of course, if you disable the code requirement on a computer or device and someone steals it and knows your ID and password, you’re no longer protected by that second factor.
I strongly recommend you use a different Google account as your Android developer credentials than you use for personal Google services. That’s a pain in the Google world, I know, because Google likes to automatically use the current ID on all its services; it will even transfer calendars and so on to the current account if you let it.
Switching between Google accounts is not simple, since Google usually asks several times — and its prompts are designed in a way that you can easily but accidentally transfer your data from one account to another. (Google wants you to use one account so that it has that complete picture of you for data-mining purposes. That’s not safe for you.)
Still, given how extensively Google accounts are used by many providers’ services, they’re a big target for cyber thieves. Keeping work and personal accounts is even more important for Google account holders. It’s a necessary pain.
Securing your Microsoft developer account
Should Windows Metro apps ever take off, such as after Windows 10 is released next year, you many want to develop apps for the Microsoft Store as well.
It too has a second-factor authentication method: the Microsoft Authenticator app you can run in Android or Windows Phone or the Google Authenticator app you can run in iOS. You need to download the appropriate app to your device, sign into the Protect Your Account security management page, then click or tap the Set Up Two-Step Verification link in the Two-Step Verification part of that page.
Again, follow the prompts to select your authentication device and pair it with your Microsoft account. You’ll then need that device to confirm account changes via the authenticator app.
At the risk of sounding like broken record, I strongly urge you to use a separate Microsoft account for your development work than you do for your personal account. Note that Microsoft will by default associate your developer credentials to any Microsoft account you’re already using, so be careful not to let it do that. Be sure to sign out of your Microsoft account if you start the registration process from a personal account, then create a new one to register as a developer.