Pixel Envy

Written by Nick Heer.

Apple Disabled a Long-Time Developer’s Account and Remotely Nuked His Apps

Charlie Monroe:

On Aug 4, 2020 I woke up to a slightly different world – I had lost my business as it seemed. Full inbox of reports about my apps not launching (crashing on launch) and after not too long I found out that when I sign into my Apple developer account I can no longer see that I would be enrolled into Apple’s developer program – au contraire – it shows a button for me to enroll, which I tried clicking, but only got a message that I can’t do that.

After more investigation, I found out that the distribution certificates were revoked. Each macOS app these days needs to be codesigned using an Apple-issued certificate so that the app will flawlessly work on all computers. When Apple revokes the certificate, it’s generally a remote kill-switch for the apps.

[…]

Fortunately, possibly thanks to the traction the story got and all the support I received from everyone (for which I am infinitely grateful), after almost 24 hours after 10PM, I got my account re-instated. Apple has called and apologized for the complications. The issue was caused by my account being erroneously flagged by automated processes as malicious and the account was put on hold.

It is shocking that a developer’s livelihood and reputation can be put on the line by automatic means. How was any of this possible? Sure, Monroe’s account could have been flagged for some reason, but many human beings should have had to look at it before taking any action. The responsibility of holding this power cannot be automated.

Apple said in an apology email to Monroe that it is “taking action to make sure this doesn’t happen in the future”, but what does that mean? Why isn’t this being communicated more broadly to developers who might reasonably be spooked by this incident?

See also Michael Tsai’s roundup of commentary.