Facebook was found to have deployed apps to track user data and usage on iOS and Android, using a VPN app called "Facebook Research." As TechCrunch reports, this app, which paid teenagers up to $20 a month to be surveilled, had root access to network traffic so that it could track all of the users' activity. The app could collect private messages, emails, web browsing history, search history, and more as part of what Facebook calls Project Atlas, which was created with the goal of learning about new trends.
I thought I'd see how robust the parental control for Facebook's programme is. In less than five minutes I was able to sign up as a 14-year-old boy... with two kids. It required no proof of parental consent at all. I've just been sent a link to download the iOS app. pic.twitter.com/z6www8SgQJ
— Dave Lee (@DaveLeeBBC) January 30, 2019
This app wasn't available on the iOS App Store, however; it used a system called the Apple Developer Enterprise Program, which allows companies and developers to deploy apps privately. Users would download a profile to their devices which would allow the app to be installed. This is not uncommon, as many companies create apps for internal use, and don't want to distribute them on the App Store. But in order to function on iOS devices, these apps still need to be installed with a developer certificate, which in this case was Facebook’s internal enterprise certificate.
When Apple discovered what Facebook had done—which is a clear violation of Apple's developer account rules—Apple cancelled that certificate, effectively operating a kill switch to shut down the app. (Apple's iOS devices check whether an app developer's certificate has been revoked, and if it has, the app will no longer run.)
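The distinction Apple enforced here, enterprise (in-house) provisioning versus App Store distribution, is recorded in the provisioning profile bundled with every installed iOS app. The following Python checker is an added example, not code from the article or from Apple, Facebook or Google: it reads the property list inside an `embedded.mobileprovision` file and reports whether the profile installs on any device (the enterprise case), is limited to a device allow-list, or is an App Store profile, and whether it has expired. It assumes the file's CMS signature is verified elsewhere; the two sample profiles are constructed, and the team names, identifiers and dates in them are made up.

```python
"""Inspect an iOS provisioning profile and flag enterprise (in-house) distribution.

Constructed example for this article; not Intego's, Apple's or Facebook's code.
Assumes input in the embedded.mobileprovision format Apple uses: a CMS (PKCS#7)
signed blob whose payload is an XML property list. The CMS signature is NOT
verified here (assumption: the caller checks it separately, e.g. with
`security cms -D -i embedded.mobileprovision` on macOS).
"""
import plistlib
from datetime import datetime, timezone
from typing import Optional


def extract_plist(blob: bytes) -> dict:
    """Pull the XML plist out of the CMS wrapper without parsing the ASN.1.

    The plist is embedded verbatim inside the signed content, so locating
    the <?xml ... </plist> span is enough to read the profile's claims.
    """
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start == -1 or end == -1 or end < start:
        raise ValueError("no embedded property list found in profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def classify_profile(profile: dict, now: Optional[datetime] = None) -> dict:
    """Summarise how an app was provisioned and whether the profile is still valid.

    Distribution is inferred from the keys Apple puts in the profile:
      ProvisionsAllDevices=true  -> enterprise (in-house): installs on any device
      ProvisionedDevices present -> ad-hoc / development: fixed UDID allow-list
      neither                    -> App Store distribution
    plistlib returns <date> values as naive UTC datetimes, so compare naively.
    """
    if now is None:
        now = datetime.now(timezone.utc).replace(tzinfo=None)
    all_devices = bool(profile.get("ProvisionsAllDevices", False))
    device_list = profile.get("ProvisionedDevices") or []
    if all_devices:
        distribution = "enterprise"
    elif device_list:
        distribution = "ad-hoc/development"
    else:
        distribution = "app-store"
    expiry = profile.get("ExpirationDate")
    entitlements = profile.get("Entitlements", {})
    return {
        "name": profile.get("Name"),
        "team": profile.get("TeamName"),
        "app_id": entitlements.get("application-identifier"),
        "distribution": distribution,
        "device_count": len(device_list),
        "expired": expiry is not None and expiry < now,
        # get-task-allow lets a debugger attach; it should be false outside dev builds
        "debuggable": bool(entitlements.get("get-task-allow", False)),
    }


def inspect_blob(blob: bytes, now: Optional[datetime] = None) -> dict:
    """Convenience wrapper: raw profile bytes -> classification report."""
    return classify_profile(extract_plist(blob), now)


def _plist(body: str) -> bytes:
    return ('<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">\n'
            f"<dict>{body}</dict>\n</plist>").encode()


# Constructed sample profiles (team names, IDs and dates are made up). The bytes
# around the plist stand in for the CMS header and signature of a real file.
ENTERPRISE_BLOB = b"\x30\x82\x00\x00constructed-cms-header" + _plist(
    "<key>Name</key><string>Example In-House Profile</string>"
    "<key>TeamName</key><string>Example Corp</string>"
    "<key>ProvisionsAllDevices</key><true/>"
    "<key>ExpirationDate</key><date>2020-01-01T00:00:00Z</date>"
    "<key>Entitlements</key><dict>"
    "<key>application-identifier</key><string>EXAMPLE123.com.example.research</string>"
    "<key>get-task-allow</key><false/></dict>"
) + b"constructed-signature-bytes"

APPSTORE_BLOB = b"\x30\x82\x00\x00constructed-cms-header" + _plist(
    "<key>Name</key><string>Example App Store Profile</string>"
    "<key>TeamName</key><string>Example Corp</string>"
    "<key>ExpirationDate</key><date>2099-01-01T00:00:00Z</date>"
    "<key>Entitlements</key><dict>"
    "<key>application-identifier</key><string>EXAMPLE123.com.example.app</string>"
    "<key>get-task-allow</key><false/></dict>"
) + b"constructed-signature-bytes"


if __name__ == "__main__":
    for label, blob in (("enterprise", ENTERPRISE_BLOB), ("app-store", APPSTORE_BLOB)):
        report = inspect_blob(blob)
        flag = " <-- in-house profile on a consumer device?" if report["distribution"] == "enterprise" else ""
        print(f"{label}: {report}{flag}")
```

On a managed fleet this is the kind of check an inventory or MDM job would run over installed apps: an in-house profile whose team is not your own organisation's is exactly the situation Apple objected to, and an expired profile explains an app that suddenly refuses to launch.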
But what caused Apple to revoke Facebook's internal enterprise certificate was not the data that Facebook collected, but rather the way that Facebook had deployed the app.
An Apple spokesperson told Recode:
“We designed our Enterprise Developer Program solely for the internal distribution of apps within an organization. Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.”
As a side effect of this, other apps that Facebook uses internally were rendered inoperable. This includes beta versions of apps such as Facebook, Instagram, and Messenger, and apps that Facebook employees use for such things as organizing transportation and looking up the daily lunch menu.
Facebook claims that there was nothing secret about their app, that "It wasn’t ‘spying’ as all of the people who signed up to participate went through a clear on-boarding process asking for their permission and were paid to participate." However, what the app did was in clear violation of Apple's terms and conditions for developers.
This follows the removal from the App Store of a Facebook-owned app called Onavo Protect in August of last year, because it violated data collection policies. The Facebook Research app seems to have been based on the Onavo Protect app.
The Washington Post pointed out that Apple has become "the tech industry's de facto privacy cop," and that its ability to shut down another company's apps on its platform may be worrisome, but that it shows “just how slow U.S. regulators' attempts to rein in Facebook have been.”
This follows an issue with Apple's FaceTime Group calls, where callers could eavesdrop on people who hadn't yet accepted calls. Apple had a bit of pie on its face because of this bug, which the company quickly mitigated by turning off this feature on its servers. But this is the same company that recently posted a huge ad in Las Vegas during the Consumer Electronics Show, stating that "What happens on your iPhone, stays on your iPhone."
Of course, the week wouldn't be complete without Google also being involved. Google had an app similar to Facebook's, called Screenwise Meter, which "gave users who opted into Google’s Opinion Rewards program gift cards in exchange for tracking their internet usage data." Google, seeing Apple's reaction to Facebook's blunder, quickly killed the app and apologized:
“The Screenwise Meter iOS app should not have operated under Apple’s developer enterprise program — this was a mistake, and we apologize. We have disabled this app on iOS devices. This app is completely voluntary and always has been. We’ve been upfront with users about the way we use their data in this app, we have no access to encrypted data in apps and on devices, and users can opt out of the program at any time.”
Just before this article was published, it came to light that Apple had also brought down the ban hammer on Google, in spite of Google having seen the writing on the wall and self-policing preemptively. It's good to see that Apple is being consistent with its policies (in spite of the fact that Google pays Apple billions of dollars per year to be the default search engine on Apple's platforms).
Shortly afterward came a statement from Facebook to a New York Times tech reporter that Apple had restored Facebook's enterprise certificate, allowing Facebook's internal apps to start working again. (As of publication time, it's unclear whether the Facebook Research app that led to the certificate revocation is also working again, or whether it has been disabled through some other action by Facebook or Apple.)
latest on FB v Apple:
“We have had our Enterprise Certification, which enables our internal employee applications, restored. We are in the process of getting our internal apps up and running. To be clear, this didn’t have an impact on our consumer-facing services.” --FB spox
— rat king (@MikeIsaac) January 31, 2019
It's quite interesting—and some might say concerning—to note the power Apple wields in being able to terminate a major company's internal apps at the flick of a switch. It's equally interesting that, although both of the apps from Facebook and Google were of a similar "trade-privacy-for-cash" nature, the reasons Apple stated for revoking the developer certificates were (at least officially) related to the way the companies were distributing the apps to consumers, not technically because of the user privacy concerns themselves.
Facebook's and Google's publicly available App Store apps, which presumably abide by Apple's rules, remain available in the iOS App Store.
If you think this is sounding a bit like a soap opera, you're not alone. 🍿
How can I learn more?
We discuss the Facebook and Google story (which was still unfolding at the time of recording) on this week's edition of the Intego Mac Podcast, so be sure to subscribe to make sure you don't miss the latest episode. You'll also want to subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for updates.
Egg in an egg cup image credit: Rob & Dani (CC BY 2.0 license).