Both Facebook and Google have used Apple’s Enterprise Developer Program—which is intended for exclusive use by companies to give system administrators the ability to distribute apps to employees’ devices internally—to circumvent Apple’s app store and distribute to users applications that closely monitor users’ app, messaging, and network activity.
News of Facebook’s application was published on TechCrunch yesterday, leading Apple to revoke Facebook’s enterprise certificate. This same certificate had been used internally by Facebook for distributing beta builds of Facebook’s apps and for other needs, so the revocation poses a serious challenge for the company.
News of Google’s similar program also broke on TechCrunch, but that happened more recently, and Apple has not yet indicated whether it intends to take similar action with Google. We’ll start by unpacking the Facebook side.
Since 2016, Facebook has distributed an iOS and Android app that offers users $20 per month in gift cards for substantial access to their mobile data and usage habits. Called Facebook Research, the app was distributed on iOS outside of Apple’s App Store by Facebook. It asked users for root access for any data on their phones and allowed Facebook to track their browsing history, message contents, app usage habits, and location data. It even had the potential to allow Facebook to decrypt encrypted network traffic on users’ devices.
The app was targeted to users ages 13 to 35 (5 percent of whom were teenagers) through Instagram and Snapchat ads. It was not immediately clear in the advertisements that the program was run by Facebook, though that detail was available to users who read carefully once starting the sign-up process.
TechCrunch published a report yesterday afternoon detailing the app’s nature and history. The report noted that Facebook used Apple’s Enterprise Developer Program—which is intended for use exclusively by companies to give system administrators access to employees’ devices—to distribute the app.
Apple promptly revoked Facebook’s Enterprise Certificate yesterday evening. This had the effect not only of preventing further use of the app to collect user data but also of removing Facebook’s ability to use Apple’s Enterprise Developer Program internally. Facebook employees must now use Apple’s App Store to download the apps they have developed onto their own iPhones or iPads until the situation is resolved or a new solution is adopted. Apple’s move not only affects distribution of new apps but makes existing apps inoperable within the organization.
Google has not taken any action or made any statement regarding the app on Android. Apple provided the following statement to TechCrunch on the matter:
We designed our Enterprise Developer Program solely for the internal distribution of apps within an organization. Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.
Facebook stated that it pulled the app voluntary after Apple had already revoked the access. The company also told TechCrunch that the app was not in violation of Apple’s policies but did not provide any explanation as to why.
It’s hard to imagine what adequate reasoning Facebook could have offered. The wording of Apple’s policy appears quite clear, per a copy of the Apple Developer Enterprise Program License agreement posted to LinkedIn by TechCrunch writer Josh Constantine. It states that the program is for “Internal Use Applications,” which the agreement defines as “a software program… that is developed by You on a custom basis for Your own business purpose” and that is “solely for internal use by Your Employees and Permitted Users.” Permitted Users is defined as “employees and contractors of Your Permitted Entity.”
The agreement does allow for “customers” to use the internal use applications, “but only on Your physical premises and/or on Your Permitted Entity’s physical premises,” or in other locations if “all such use is under the direct supervision and physical control” of the employees or contractors.
This has happened before
This is not the first time Apple has smacked Facebook’s hand away from the user data cookie jar. Facebook had previously used a VPN app called Onavo Protect to do exactly the same type of user data collection and monitoring. Facebook had promoted Onavo Protect as an app that would keep users’ personal data safe, even as it used that same app to collect users’ data. The app was promoted from within Facebook’s popular social networking iOS app as well.
In August, Apple determined that Onavo Protect was in violation of its policies, prompting Facebook to pull the app from the App Store. Apple had just updated its privacy policies in prior months to close several loopholes that allowed some apps like Onavo Protect to exist in the App Store.
The changes effectively precluded Facebook from offering the app through Apple’s App Store, but Facebook continued to collect user data through the Facebook Research app distributed via enterprise certificates. Further, TechCrunch commissioned Guardian Mobile Firewall security expert Will Strafach to examine the Facebook Research app. He found that it shared code with Onavo Protect and contained numerous references to that application and shared resources. Facebook confirmed that the two apps were supported by the same team.
Facebook avoided using TestFlight, Apple’s official test build distribution platform, to distribute the Facebook Research app. Instead, it leaned on similar third-party beta testing services like Applause.
Facebook offered a statement to TechCrunch that nitpicked perceived issues with the framing of yesterday’s story—such as any implication that the program was targeted specifically at teenagers—but it did not dispute any of the facts. This is the statement:
Key facts about this market research program are being ignored. Despite early reports, there was nothing ‘secret’ about this; it was literally called the Facebook Research App. It wasn’t ‘spying’ as all of the people who signed up to participate went through a clear on-boarding process asking for their permission and were paid to participate. Finally, less than 5 percent of the people who chose to participate in this market research program were teens. All of them with signed parental consent forms.
Google Screenwise Meter
Also a VPN, Google’s similar app is called Screenwise Meter. Like the Facebook app, it is “distributed by way of a special code and registration process using an Enterprise Certificate” after users agree to opt-in in exchange for gift cards, according to TechCrunch. Using this method, it also skips past the App Store to collect a wide range of user data.
Google uses Apple’s TestFlight solution in contrast to Facebook’s usage of Applause and other alternative services. Unlike some of the other services, TestFlight limits distribution to 10,000 users.
Google previously targeted users 13 and older but has since updated the rules to require users to be 18 years or older, though teens as young as 13 can be included if they are part of a household that is joining the program together. Additionally, Google offers a guest mode that allows you to disable tracking if a younger member of your household is using the device you’ve installed the app on.
This is only one recent iteration of Google’s Screenwise data collection program. We reported way back in 2012 that Google was paying users to track 100 percent of their Web usage using a physical hardware box called the Screenwise Data Collector.
Apple has not yet said whether it views Google’s application as a similar violation to Facebook’s or whether it will also revoke Google’s enterprise certificate. If the circumstances are indeed similar, it could pose real challenges for Google, both in terms of internal services and functions and in terms of being able to easily develop and test future versions of its apps for Apple devices.