It was revealed yesterday that Facebook paid users $20 to sideload a VPN onto their devices, allowing the social network to monitor what participants aged 17 to 35 did online. Claimed to be a “social media research study,” the Facebook Research iOS app took advantage of Apple’s Enterprise Developer Certificates to distribute the app outside the main App Store, while effectively providing root access to a user’s device.
Since the discovery of the activity, The Verge reports that early beta versions of Facebook, Instagram, Messenger, and other apps used internally no longer launch on employee iPhones. The block also applies to other employee-specific apps not used by the public.
AppleInsider has been told by sources inside the company, not authorized to speak on behalf of Facebook, that all the internal iOS apps used by employees are nonfunctional, including messaging, pre-release versions of consumer apps, file management, transportation facilitation, and other in-house utilities.
A statement provided by Apple to AppleInsider advises:
“We designed our Enterprise Developer Program solely for the internal distribution of apps within an organization. Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple.”
“Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.”
The revocation is a serious measure, as it has affected not only users who installed the monitoring app under the certificates, but also internal tools being “dogfooded” by the company before being made public. The loss of multiple apps, including those used by employees as part of their job, is causing considerable disruption to work at Facebook, and could take a long time to rectify, if Apple permits its use of Enterprise Developer Program certificates again.
Public versions of the social network’s apps are still available to download and use, as the revocation only applies to apps using enterprise certificates, not consumer-facing variants. That said, there may still be some impact, as it will affect the development of new features that may be added to apps in the future.
The app was distributed through the beta testing services Applause, BetaBound, and uTest, rather than through official routes to its intended users. The App Store has stringent guidelines relating to privacy that the app may have fallen afoul of, while TestFlight is limited to a maximum of 10,000 users.
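The distribution route described above hinges on the provisioning profile embedded in the app: an Enterprise (In-House) profile carries the key that lets it run on any device without the App Store. The following is an added example, not code from AppleInsider, Apple or Facebook, that a fleet administrator could use to inventory which installed apps are enterprise-signed; the sample profile, team name and bundle identifier are constructed placeholders.

```python
import plistlib
from datetime import datetime, timezone

def extract_plist(profile_bytes: bytes) -> dict:
    """Pull the XML plist out of an embedded.mobileprovision blob.
    A real profile is a DER-encoded CMS SignedData envelope around the plist;
    slicing from '<?xml' to '</plist>' is the usual shortcut. The CMS signature
    is NOT verified here, so treat the parsed result as untrusted input."""
    start = profile_bytes.find(b"<?xml")
    end = profile_bytes.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(profile_bytes[start:end + len(b"</plist>")])

def classify_profile(profile: dict) -> str:
    """Map profile keys to a distribution type. ProvisionsAllDevices=true
    appears only in Enterprise (In-House) profiles; a device list marks a
    development or ad hoc profile; neither means an App Store profile."""
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"
    if "ProvisionedDevices" in profile:
        if profile.get("Entitlements", {}).get("get-task-allow"):
            return "development"
        return "adhoc"
    return "appstore"

def audit_profile(profile_bytes: bytes, now=None) -> dict:
    """Summarise one profile for an inventory of sideloaded apps."""
    p = extract_plist(profile_bytes)
    now = now or datetime.now(timezone.utc)
    exp = p["ExpirationDate"]
    if exp.tzinfo is None:  # plistlib returns naive UTC datetimes
        exp = exp.replace(tzinfo=timezone.utc)
    app_id = p.get("Entitlements", {}).get("application-identifier", "")
    return {
        "kind": classify_profile(p),
        "team": p.get("TeamName"),
        # application-identifier is "<TeamID>.<bundle id>"; drop the prefix
        "bundle_id": app_id.split(".", 1)[1] if "." in app_id else app_id,
        "expired": exp < now,
    }

# Constructed sample: an enterprise profile between stand-in bytes where the
# CMS envelope would sit. Team and bundle names are placeholders, not real.
SAMPLE_ENTERPRISE_PROFILE = b"\x30\x82\x00\x00" + plistlib.dumps({
    "Name": "Example In-House",
    "TeamName": "Example Corp (placeholder)",
    "ProvisionsAllDevices": True,
    "ExpirationDate": datetime(2030, 1, 1),
    "Entitlements": {"application-identifier": "PLACEHOLDER.com.example.vpn",
                     "get-task-allow": False},
}) + b"\x00\x00"
```

Running `audit_profile` over each app's `embedded.mobileprovision` exported from managed devices flags `kind == "enterprise"` entries from teams other than your own for review.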
Update Jan. 30, 3:30 p.m. Eastern Time: Sources inside Apple not authorized to speak on behalf of the company have told AppleInsider that Facebook is trying to work out some arrangement to get the enterprise development certificate restored. A perusal of social media, however, suggests that the negotiations are taking a long time, or Apple has no interest in serious discussion at the moment.
The discovery of Facebook Research and the certificate abuse is the latest privacy-related scandal to hit the company. The most prominent was the Cambridge Analytica fiasco, in which user data was collected and used for political purposes, triggering scrutiny from governments around the world.
A report from December claimed Facebook had made special data sharing arrangements with other tech companies, enabling Facebook to collect more data on its users generated on Apple devices, without either Apple or the users’ permission or knowledge.
That same month, Facebook admitted that as many as 6.8 million people may have been affected by a September bug that exposed more photographs than intended to third-party apps that used Facebook logins.