Sometimes it seems like Facebook is going out of its way to be scummy.
Love it or hate it, one thing Facebook has been repeatedly great at these past few years is going out of its way to attract negative attention. Or at least it seems that way sometimes.
Facebook’s Latest Shit Storm (as of Early February, 2019)
According to an article posted by TechCrunch last week, Facebook has been paying certain users from ages 13-35 to install an app on iPhones that violated both the rules of Apple’s App Store and the rules of Apple’s developer tools.
This app, called “Facebook Research”, required participants to jump through several hoops to install it.
Users had to download an app from a sketchy-sounding site (r.facebook-program.com), install an Enterprise Developer Certificate (which takes a few steps), install a VPN configuration, and then tap a button to trust a root certificate installed by the app. Trusting that certificate is what lets the VPN decrypt the phone’s TLS traffic, so the user is agreeing to “trust” Facebook with an app that can see almost everything the phone does over the network.
Seriously, the amount of potential data that this Facebook app could access is staggering:
[T]hey will have the ability to continuously collect…private messages in social media apps, chats from instant messaging app – including photos/videos sent to others, emails, web searches, web browsing activity, and even ongoing location information.
It’s worth pointing out that this app can see the traffic of every other app on your phone. The VPN routes all of the phone’s traffic through Facebook, and the trusted root certificate lets Facebook decrypt the TLS connections inside it, so essentially 100% of your network activity is accessible to Facebook. The only traffic that resists this comes from apps that pin their server certificate and refuse a substitute, and those are the minority.
This “Facebook Research” app bears a striking resemblance to the data-sniffing app Onavo that Facebook acquired back in 2013 for a reported $120 million. An article in BuzzFeed News shows that Facebook was able to leverage the data collected by Onavo to see which apps were potential competitors to Facebook’s own offerings.
Onavo was ostensibly a VPN app. In theory, a VPN hides your traffic from the local network, because everything from your phone (or computer) is routed through the VPN provider and then out to the internet. The catch is that the VPN provider sees all of it, and since Facebook owns Onavo, the traffic from your phone was routed through Facebook’s servers. Even without decrypting anything, the operator can see which services you connect to, when, how often, and from where.
Facebook used this data to see that WhatsApp was sending over 2x the messages per day of Facebook Messenger. Facebook then acquired WhatsApp for $19 billion a short time later. To say that this kind of data gives Facebook an edge over the competition would be a hilarious understatement.
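To make concrete what a VPN operator learns without decrypting anything, here is an added example; it is not code from the article, from Onavo, or from Facebook. It builds a constructed TLS 1.2 ClientHello and pulls out the Server Name Indication (SNI), the plaintext host name every TLS connection announces so the server can pick a certificate. A VPN endpoint can log this for every connection; with a trusted root certificate on the phone it can go further and decrypt the session itself. The host names below are constructed sample traffic, not a capture.

```python
import struct
from collections import Counter


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying an SNI extension.

    Constructed sample input for the parser below, not captured traffic.
    """
    host = server_name.encode("ascii")
    # ServerName entry: name_type host_name(0), 2-byte length, the name
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    # Extension: type server_name(0), 2-byte length, ServerNameList
    sni_ext = struct.pack("!HH", 0, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"            # client_version: TLS 1.2
        + bytes(32)            # client random (zeros in this sample)
        + b"\x00"              # session_id length 0
        + b"\x00\x02\xc0\x2f"  # cipher_suites: one suite
        + b"\x01\x00"          # compression_methods: null only
        + extensions
    )
    # Handshake header: type client_hello(1) + 3-byte length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type handshake(22), version, 2-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the SNI host name from a TLS ClientHello record, or None if absent.

    No key is needed: the name travels in the clear, which is exactly why a
    VPN operator can read it for every connection it carries.
    """
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    pos = 4 + 2 + 32  # handshake header, client_version, random
    if len(hs) < pos + 1:
        return None
    pos += 1 + hs[pos]  # session_id
    if len(hs) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
    if len(hs) < pos + 1:
        return None
    pos += 1 + hs[pos]  # compression_methods
    if len(hs) < pos + 2:
        return None  # no extensions block at all
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(hs))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        edata = hs[pos:pos + elen]
        pos += elen
        if etype != 0:
            continue
        # ServerNameList: 2-byte list length, then (type, 2-byte length, name) entries
        lpos = 2
        while lpos + 3 <= len(edata):
            ntype = edata[lpos]
            nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
            lpos += 3
            name = edata[lpos:lpos + nlen]
            lpos += nlen
            if ntype == 0:
                return name.decode("ascii", "replace")
    return None


def hosts_seen(records):
    """Tally the host names a VPN endpoint would observe across a batch of ClientHellos."""
    return Counter(h for h in map(extract_sni, records) if h is not None)


if __name__ == "__main__":
    # Constructed traffic sample: which services a phone talked to, as the VPN sees it.
    sample = [build_client_hello(h) for h in
              ["api.whatsapp.com", "api.whatsapp.com", "graph.facebook.com", "i.instagram.com"]]
    for host, n in hosts_seen(sample).most_common():
        print(f"{n:3d}  {host}")
```

The tally is the kind of per-service usage signal the BuzzFeed reporting describes; message contents, by contrast, need the installed root certificate (or the app's own reporting) to recover.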
Onavo was banned by Apple’s App Store for this excess (and under-disclosed) data collection in August of 2018.
Not wanting to be without this data, though, Facebook reused most of the Onavo code and created the Facebook Research app a short time later.
The Problem With Facebook Research
The most obvious problem with the Facebook Research app is the sheer volume and sensitivity of the data it grabs, and that is a big part of it.
What is also a problem, though, is that Facebook did an end-run around several of Apple’s policies:
Facebook told users how to side-load the app, using a process Apple designed for distributing a company’s internal apps to its own employees.
Facebook did not register the Facebook Research app with Apple’s TestFlight beta-testing service (it used 3rd party services instead). Registration with TestFlight would have let Apple review the app (and see that it is a copy of Onavo), and it would have capped the install base at around 10,000 users in total.
Facebook used its own Enterprise Certificate to sign this sideloaded app. Enterprise Certificates are only for apps distributed internally to employees, not for any sort of distribution to the public.
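A practitioner’s check for that third point, as an added example rather than anything from the article or from Facebook: every sideloaded iOS app ships an embedded.mobileprovision, and the plist inside it records which distribution channel signed the app. An enterprise (in-house) profile carries ProvisionsAllDevices = true; a development or ad hoc profile instead lists ProvisionedDevices (with the get-task-allow entitlement true for development, false for ad hoc); an App Store profile has neither. The profile bytes below, including the team ID and bundle identifier, are constructed, and the CMS signature that wraps a real profile is skipped over rather than verified.

```python
import plistlib
from datetime import datetime, timezone
from typing import Optional


def extract_plist(mobileprovision: bytes) -> bytes:
    """Pull the XML plist out of a .mobileprovision file.

    A real profile is a CMS (PKCS#7) signed envelope around the plist. This
    locates the XML inside that envelope instead of verifying the signature
    (on macOS, `security cms -D -i <file>` does the verified extraction).
    """
    start = mobileprovision.find(b"<?xml")
    end = mobileprovision.find(b"</plist>")
    if start == -1 or end == -1 or end < start:
        raise ValueError("no plist payload found in profile")
    return mobileprovision[start:end + len(b"</plist>")]


def classify_profile(profile: dict) -> str:
    """Map a provisioning profile to the distribution channel that issued it."""
    entitlements = profile.get("Entitlements", {})
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"   # in-house: installs on any device that trusts the team
    if "ProvisionedDevices" in profile:
        # Device-limited profiles: debuggable ones are development, the rest ad hoc
        return "development" if entitlements.get("get-task-allow") else "adhoc"
    return "appstore"         # no device list at all: App Store / TestFlight


def inspect_profile(mobileprovision: bytes, now: Optional[datetime] = None) -> dict:
    """Summarise the facts a reviewer cares about from a raw profile."""
    profile = plistlib.loads(extract_plist(mobileprovision))
    now = now or datetime.now(timezone.utc)
    expires = profile.get("ExpirationDate")
    if expires is not None and expires.tzinfo is None:
        expires = expires.replace(tzinfo=timezone.utc)  # plistlib returns naive UTC
    return {
        "kind": classify_profile(profile),
        "team": (profile.get("TeamIdentifier") or ["?"])[0],
        "app_id": profile.get("Entitlements", {}).get("application-identifier"),
        "expired": expires is not None and expires <= now,
    }


# Constructed sample profiles. Team ID, bundle ID, device UDID and the fake
# CMS prefix/suffix bytes are all made up for the example.
_TEMPLATE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>AppIDName</key><string>Research App</string>
  <key>TeamIdentifier</key><array><string>ABCDE12345</string></array>
  <key>ExpirationDate</key><date>2020-01-01T00:00:00Z</date>
  %b
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>ABCDE12345.com.example.research</string>
    <key>get-task-allow</key><%b/>
  </dict>
</dict>
</plist>"""
_DEVICES = b"<key>ProvisionedDevices</key><array><string>00008020-000000000000002E</string></array>"


def constructed_profile(channel_xml: bytes, task_allow: bytes) -> bytes:
    """Wrap the template in fake CMS bytes so it looks like a raw .mobileprovision."""
    prefix = b"\x30\x82\x01\x00\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"
    return prefix + (_TEMPLATE % (channel_xml, task_allow)) + b"\x00\x00"


SAMPLE_ENTERPRISE = constructed_profile(b"<key>ProvisionsAllDevices</key><true/>", b"false")
SAMPLE_DEVELOPMENT = constructed_profile(_DEVICES, b"true")
SAMPLE_ADHOC = constructed_profile(_DEVICES, b"false")
SAMPLE_APPSTORE = constructed_profile(b"", b"false")


if __name__ == "__main__":
    for label, raw in [("enterprise", SAMPLE_ENTERPRISE), ("development", SAMPLE_DEVELOPMENT),
                       ("adhoc", SAMPLE_ADHOC), ("appstore", SAMPLE_APPSTORE)]:
        print(label, inspect_profile(raw))
```

The profile is the better signal than the signing certificate alone: both enterprise and App Store builds are signed with an "iPhone Distribution" identity, so `codesign -dvv` will not tell the two apart, while ProvisionsAllDevices will. An app handed to the public that turns up as "enterprise" here is exactly the policy violation described above.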
Some Good News for iOS Users
One thing that is pleasantly surprising, though, is that Apple is pushing back against the Facebook Research app and Facebook itself.
Since Facebook was so blatantly violating numerous policies, Apple took a pretty hard-line approach and revoked Facebook’s Enterprise Certificate. Why Facebook used the same certificate for this very dicey program and for its legitimate internal apps is a mystery.
In a bit of schadenfreude, it looks like this caused the other apps signed with Facebook’s certificate (betas of Instagram, WhatsApp, and Facebook, internal apps used to order food, etc.) to stop working.
While this undoubtedly caused lots of headaches for Facebook employees, I can’t help but be a bit happy about it.
Android Users, Beware
It’s worth noting that while the level of access and data harvesting performed by Onavo got it kicked out of Apple’s App Store, the Onavo Protect app is still available in the Google Play Store.
Additionally, the Facebook Research app and program also still exists for Android.
This isn’t the only VPN app in Android that is problematic, though. According to one report, about a quarter of the top 150 VPN apps in Google’s Play Store are either sources of malware or include privacy-breaking bugs.
While the Play Store (and Android in general) is certainly much more open than Apple, that level of openness requires consumers to have increasing levels of sophistication and knowledge to keep their data and privacy safe. And, honestly, I’m not sure the average consumer has the time or inclination to keep up-to-date on things like this.
It’s unfortunate, but just having an app in the Google Play Store doesn’t mean it’s safe, and while Apple’s App Store also isn’t perfect, it does seem like Apple will (sometimes) operate in the best interest of customers’ data.
So a lot has happened since I wrote this on January 30th.
First, Google voluntarily (we assume) announced that they were also running an iOS program similar to Onavo/Facebook Research called Google Screenwise, and that they would end the app program immediately.
The Google Screenwise app was using Apple’s “official” beta testing program (unlike Facebook Research) but was also distributed to the public in violation of Apple’s policies.
Apple also pulled Google’s Enterprise Certificate in response to this announcement on Thursday, January 31, but restored it later that day.
At the same time, Apple also restored Facebook’s Enterprise Certificate, ending the almost 2-day outage of Facebook’s internal apps.
I really wish that Apple had turned the screws on Facebook a little bit more. There’s little doubt that if a “regular” developer had pulled this kind of stunt, their entire developer account (and all their apps) would be toast.
In any case, if you’re running the Facebook Onavo VPN on Android, you may want to turn it off. Likewise if you’re running all but a handful of other VPNs on Android or iOS.