Featured Image Credit: Photo by Gerd Altmann
Last week brought a media report about how Facebook was misusing its Enterprise Developer Program certificates to circumvent Apple’s App Store guidelines for a privacy-busting “research” app. Apple reacted by revoking Facebook’s enterprise certificates, which had the side effect of disabling all of Facebook’s internal apps and beta releases (see “Apple Shuts Down Facebook’s Internal Apps Due to Flagrant Policy Violations,” 30 January 2019). Then it was discovered that Google was doing much the same thing as Facebook, and Apple revoked Google’s certificates as well. Both companies quickly negotiated with Apple to have their certificates reinstated, but how did we get to the point where the tech giants are feuding so obviously?
Here’s the order of events, which starts earlier than you might have anticipated:
- October 2013: Facebook purchases the Israeli firm Onavo, a mobile analytics company.
- 2016: Facebook begins a program that pays users between 13 and 35 up to $20 per month to install a Facebook Research app on their iOS devices. This app uses Facebook’s Enterprise Developer Program certificates so Facebook can distribute it outside of the App Store—and without any oversight from Apple. Apple expressly forbids such uses of enterprise certificates; they’re designed to allow companies to develop and distribute apps purely for internal use or limited beta testing.
- February 2018: Facebook quietly inserts a “Protect” link into its iOS app, which leads to a free app called Onavo Protect, a VPN owned by Facebook. See “Beware ‘Protect’ In Facebook’s iOS App” (14 February 2018). This VPN effectively handed all of its users’ Internet traffic to Facebook.
- March 2018: Security researcher Will Strafach reveals that Onavo Protect for iOS can detect when the screen is on or off, total daily data usage, and VPN connection uptime.
- June 2018: Apple changes the App Store rules to ban apps that “collect information about which other apps are installed on a user’s device for the purposes of analytics or advertising/marketing.” The change is clearly aimed at Onavo Protect and similar apps.
- August 2018: Under pressure from Apple, Facebook removes Onavo Protect from the App Store.
- 29 January 2019: TechCrunch’s Josh Constine publishes a report with details about the Facebook Research program, including its use of enterprise certificates to distribute the app without Apple’s knowledge or approval. In the article, Strafach says, “The code in this iOS app strongly indicates that it is simply a poorly re-branded build of the banned Onavo app, now using an Enterprise Certificate owned by Facebook in direct violation of Apple’s rules, allowing Facebook to distribute this app without Apple review to as many users as they want.” Strafach’s analysis of the app revealed that it could collect “private messages in social media apps, chats from instant messaging apps–including photos/videos sent to others, emails, web searches, web browsing activity, and even ongoing location information.”
- 29 January 2019: Seven hours after Constine’s article appears, Facebook tells TechCrunch that it will shut down Facebook Research for iOS.
- 30 January 2019: Before Facebook can act, Apple revokes Facebook’s enterprise certificates, which has the effect of disabling the Facebook Research app. In a statement, Apple said:
We designed our Enterprise Developer Program solely for the internal distribution of apps within an organization. Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.
- 30 January 2019: Both Bloomberg and The Verge report on the ensuing chaos inside Facebook, as iOS-using employees weren’t able to beta test public apps or use internal apps for things like transportation and lunch menus.
- 30 January 2019: TechCrunch reports that Google is running a similar program to Facebook’s, called Screenwise Meter. Google promptly apologizes, telling TechCrunch:
The Screenwise Meter iOS app should not have operated under Apple’s developer enterprise program—this was a mistake, and we apologize. We have disabled this app on iOS devices. This app is completely voluntary and always has been. We’ve been upfront with users about the way we use their data in this app, we have no access to encrypted data in apps and on devices, and users can opt out of the program at any time.
- 31 January 2019: Apple revokes Google’s enterprise certificates, just as it had with Facebook, causing some level of havoc within Google as well.
- 31 January 2019: Facebook Chief Operating Officer Sheryl Sandberg denies any wrongdoing in a CNBC interview, saying that participants in Facebook Research went through a “rigorous consent flow.” The interviewer manages to maintain a straight face.
- 31 January 2019: Later in the day, Apple restores both Facebook’s and Google’s enterprise certificates.
- 1 February 2019: Alex Heath of Cheddar reports that Facebook has notified members of its research program that it is ending the program on iOS.
What should we take away from this brouhaha?
- An independent press is essential. Sure, we’re biased, but Facebook launched its Facebook Research app in 2016, and it was only thanks to TechCrunch’s reporting 3 years later that Apple noticed how Facebook was violating its Enterprise Developer Program contract. Kudos to Josh Constine and TechCrunch for breaking this story.
- Apple’s Enterprise Developer Program is being abused to avoid App Store rules. If companies as large as Facebook and Google decided it was acceptable to violate the program terms, you have to figure others are as well. Apple needs to seek out and crack down on such violations.
- The divide between iOS and Android has never been more stark. Apple is being a bit of a control freak here, and we’ve certainly reported on numerous instances where the company comes down disproportionately hard on innocent developers for no good reason. But the alternative is to use Android, which allows users to sideload any app and where the security level is a lot lower. Pick your poison.
- Many users don’t value privacy highly. Shannon Palus of Slate talked with some Facebook Research users, and they were generally aware of the implications. However, they had little expectation of privacy anyway, so they were willing to sell their data for a little money. That’s depressing, but in some ways, Facebook and Google paying for data is more honest than all the surreptitious tracking that both (and many other Internet marketing firms) employ on the rest of us.
- Facebook and Google are too big to fail. It took almost no time for Apple to reinstate the enterprise certificates for both companies. Would that have happened—ever—for a smaller company?
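One practical check that follows from the enterprise-certificate point above: the distribution channel an iOS app was signed for is recorded in the embedded.mobileprovision file inside its bundle, so anyone asked to install an app from outside the App Store can inspect that file before trusting it. The script below is an added example written for this page, not code from Apple, Facebook, Google or TechCrunch. It assumes the key names commonly seen in decoded provisioning profiles (ProvisionsAllDevices for enterprise in-house profiles, ProvisionedDevices for ad hoc and development profiles, and the get-task-allow entitlement to tell development from distribution builds), and the two sample profiles for a fictitious “Example Corp” are constructed for the demonstration.

```python
"""Classify an iOS provisioning profile by distribution channel.

Added example (not from the original article). Key names are an assumption
based on the layout of decoded embedded.mobileprovision plists; the sample
profiles below are constructed and belong to no real team.
"""
import plistlib
from datetime import datetime, timezone

# Constructed sample: an enterprise (in-house) profile. The tell-tale key is
# ProvisionsAllDevices, which lets the app run on any device without a device list.
ENTERPRISE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Name</key><string>Example In-House Distribution</string>
  <key>TeamName</key><string>Example Corp</string>
  <key>TeamIdentifier</key><array><string>ABCDE12345</string></array>
  <key>ProvisionsAllDevices</key><true/>
  <key>ExpirationDate</key><date>2020-01-30T00:00:00Z</date>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>ABCDE12345.com.example.research</string>
    <key>get-task-allow</key><false/>
  </dict>
</dict>
</plist>
"""

# Constructed sample: an ad hoc profile, limited to explicitly listed device UDIDs.
ADHOC_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Name</key><string>Example Ad Hoc</string>
  <key>TeamName</key><string>Example Corp</string>
  <key>TeamIdentifier</key><array><string>ABCDE12345</string></array>
  <key>ProvisionedDevices</key>
  <array><string>00008020-000000000000002E</string><string>00008020-000000000000003F</string></array>
  <key>ExpirationDate</key><date>2030-06-01T00:00:00Z</date>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>ABCDE12345.com.example.beta</string>
    <key>get-task-allow</key><false/>
  </dict>
</dict>
</plist>
"""


def classify_profile(profile: dict) -> str:
    """Return 'enterprise', 'development', 'adhoc' or 'appstore' for a decoded profile dict."""
    entitlements = profile.get("Entitlements", {})
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"            # in-house distribution: no device list at all
    if "ProvisionedDevices" in profile:
        # A device list means ad hoc or development; debuggable builds are development.
        return "development" if entitlements.get("get-task-allow") else "adhoc"
    return "appstore"                  # neither restriction: fallback classification


def profile_summary(profile_xml: bytes, now=None) -> dict:
    """Decode a provisioning-profile plist and report what a reviewer would check."""
    profile = plistlib.loads(profile_xml)
    if now is None:
        # plistlib returns naive datetimes in UTC, so compare against a naive UTC "now".
        now = datetime.now(timezone.utc).replace(tzinfo=None)
    expires = profile.get("ExpirationDate")
    return {
        "name": profile.get("Name"),
        "team": profile.get("TeamName"),
        "team_ids": list(profile.get("TeamIdentifier", [])),
        "app_id": profile.get("Entitlements", {}).get("application-identifier"),
        "kind": classify_profile(profile),
        "expired": bool(expires is not None and expires < now),
        "device_count": len(profile.get("ProvisionedDevices", [])),
    }


if __name__ == "__main__":
    for sample in (ENTERPRISE_PROFILE, ADHOC_PROFILE):
        summary = profile_summary(sample)
        flag = "  <-- enterprise-signed, not App Store reviewed" if summary["kind"] == "enterprise" else ""
        print(f'{summary["name"]}: {summary["kind"]} (team {summary["team"]}, '
              f'expired={summary["expired"]}, devices={summary["device_count"]}){flag}')
```

To run this against a real app, unzip the IPA, locate Payload/<AppName>.app/embedded.mobileprovision, and strip its CMS signature first, on macOS with `security cms -D -i embedded.mobileprovision > profile.plist`; the script expects the resulting plain plist. A consumer-facing app that comes back as "enterprise" is exactly the case Apple's statement describes, and the TeamName and TeamIdentifier fields tell you which organization's certificate signed it.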
Have we seen the end of this story? All that has happened is that Apple has slapped Facebook and Google for behavior that blatantly violates agreements the companies had signed, but apart from the elimination of the Facebook Research and Screenwise Meter iOS apps, nothing else has changed.