Facebook, Google sacrifice internal iOS apps just to harvest more user data

Yesterday, Apple cut off Facebook's enterprise distribution certificate after the social media giant was caught abusing it to collect user data. Google was subsequently caught doing the same thing and questions rapidly arose as to whether or not Apple would cut off Google's certificate as well. Now, it appears as though Apple has.

An Apple spokesperson gave me the following statement:

We are working together with Google to help them reinstate their enterprise certificates very quickly.

UPDATE: Both Facebook and Google spokespeople have now confirmed they've gotten their certificates restored. Now, we'll have to wait and see if any lessons have been learned.

The Verge has the background:

Apple has now shut down Google's ability to distribute its internal iOS apps, following a similar shutdown that was issued to Facebook earlier this week. A person familiar with the situation tells The Verge that early versions of Google Maps, Hangouts, Gmail, and other pre-release beta apps have stopped working today, alongside employee-only apps like a Gbus app for transportation and Google's internal cafe app. "We're working with Apple to fix a temporary disruption to some of our corporate iOS apps, which we expect will be resolved soon," says a Google spokesperson in a statement to The Verge. Apple has not yet commented on the situation.

This follows the revelation by TechCrunch that Google was also violating Apple's Enterprise Distribution program to collect information from iOS users, although in a way slightly less egregious than Facebook was caught doing just the day before.

Google has been running an app called Screenwise Meter, which bears a strong resemblance to the app distributed by Facebook Research that has now been barred by Apple, TechCrunch has learned. In its app, Google invites users aged 18 and up (or 13 if part of a family group) to download the app by way of a special code and registration process using an Enterprise Certificate. The company said in a statement to TechCrunch: "The Screenwise Meter iOS app should not have operated under Apple's developer enterprise program — this was a mistake, and we apologize. We have disabled this app on iOS devices. This app is completely voluntary and always has been. We've been upfront with users about the way we use their data in this app, we have no access to encrypted data in apps and on devices, and users can opt out of the program at any time."

The Facebook violation, in case anyone's lost track in this whiplash of a news week, was discovered by TechCrunch just the day before:

Desperate for data on its competitors, Facebook has been secretly paying people to install a "Facebook Research" VPN that lets the company suck in all of a user's phone and web activity, similar to Facebook's Onavo Protect app that Apple banned in June and that was removed in August. Facebook sidesteps the App Store and rewards teenagers and adults to download the Research app and give it root access to network traffic in what may be a violation of Apple policy so the social network can decrypt and analyze their phone activity, a TechCrunch investigation confirms. Facebook admitted to TechCrunch it was running the Research program to gather data on usage habits.

Apple then removed the certificate Facebook had been abusing. Apple's statement:

We designed our Enterprise Developer Program solely for the internal distribution of apps within an organization. Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.

Now, it appears like Apple has done the same thing to Google's certificate.

Of course, this is getting headlined as "Apple is breaking Facebook and Google's internal apps", which to me is kinda all shades of counter-factual.

It was Facebook and Google's choice to tie these data harvesting apps to their main Enterprise distribution certificate. Apple didn't make them do that. They chose to do that and for reasons of their own choosing. (There's a theory being floated that Facebook, at least, did it intentionally in the hopes it would make Apple hesitant to take action, but it's just as likely they were dumb, lazy, or simply didn't consider it instead.)

The bottom line is, though, that if you're going to run a red light, don't do it in your work car. Because, if that work car gets impounded, and your ability to make deliveries suffers, it's nobody's fault but your own.

Now, all that remains to be seen is whether or not these are time outs or full on cut offs.

Rene Ritchie
Contributor


9 Comments
  • Hmmm... Actually pretty reasonable take, RR. I acknowledge your restraint here, as I expected a much more "torches and pitchforks" piece from you. Regarding the recent events, the certificates they were using were revoked and new ones issued. The apps that shouldn’t have been running now can’t run. Apple clearly needed to take some action, mainly because of the press IMO, but I think the press ran a little over the top with the "revocation" story. No matter how some may frame things, in the end, Apple doesn't want or need ill will between two of the biggest service providers on their platform. That doesn't end well for anybody, IMO. This was resolved before it even started, really.
  • @DMP89145 And the “two of the biggest service providers” don’t want or need ill will between Apple either, the most dominant and profitable hardware platform. Some are saying Apple needs Google and Facebook more than Google and Facebook need Apple. That’s not even close to being true. Remember that iOS users actually spend money unlike the majority of Android users. And users who spend money are the lifeblood of companies like Google and Facebook as they are the target of the advertisers both companies covet. It’s a two way street.
  • Indeed, it is a two way street and it's quite balanced, IMO. All concerned parties need each other, though for different reasons. While I take issue with the bulk of your post, I understand your overall point.
  • Something tells me if it were to come down to it, people would side with Google and Facebook services over their iPhone devices. Not all, but I imagine a majority might. But admittedly, it's a situation that wouldn't be in the best interests of anyone.
  • What's more of a concern: it was bad enough thinking people (especially teenagers) were willing to give up so much of their privacy for $20/month - now we found out that Google acolytes did it for FREE. Why are we constantly proving Agent K right: "A person is smart. People are dumb, panicky dangerous animals and you know it."
  • And it doesn’t bode well for our future. It appears most people don’t care about privacy or security until they get compromised or victimized by the lack of them. Then they scream bloody murder and want somebody to make them whole again. The most common password is still “password” you know. The future looks like it will be one of total surveillance with cameras on every corner, companies tracking your every move, your habits, your purchases, your politics, your religion. Oh wait! We’re already living in that future.
  • It's important that websites actually try to help users secure their accounts. Websites whose password requirements are just "six characters or more", so they actually let you just enter "password", are partially to blame, plus websites that have no option for 2FA as well. The Web Authentication API will play a big part in securing users' accounts, also known as the "end of passwords".
  • You'd be surprised how much $20 a month can mean to someone, there are more people living in poverty than you might think.
  • The lesson learned is that Apple is a nanny and thinks it can break agreements that users went into. As long as both of these apps said what they did outright, who cares? It's a consensual agreement then.