Apple strips Facebook of enterprise certificates after ‘Research’ app furore

Image of an angry face emoji surrounded with a sea of Facebook logos

Apple has removed an app developed by Facebook from its 'Developer Enterprise Program' (DEP) after it was being distributed to young consumers to harvest personal data in exchange for cash.

Facebook has also seen its enterprise certificate stripped as a result, with Apple accusing the social media company of breaching the terms of membership of its programme by marketing a 'Research' app to children as young as 13.

Apple's DEP allows developers to distribute beta versions of their applications to employees within their own organisations. As a result, these aren't as stringently checked and regulated as apps that appear in the public-facing App Store.

But according to a TechCrunch investigation published earlier this week, Facebook had used this channel to distribute its Research VPN (virtual private network) to consumers to absorb swathes of user data, often in exchange for cash.

The Research app also bore staggering similarities to the now-delisted Onavo Protect app, which was "voluntarily" removed this summer after Apple deemed its data collection practices to breach App Store privacy rules.

Billed to give users an additional layer of security, Onavo Protect collected swathes of personal information including users' online activity, and used these details for marketing purposes without their consent.

The two companies met face-to-face in California to discuss the app after reports emerged, and Facebook agreed to voluntarily remove Onavo Protect after Apple's demands.

Onavo Protect, repurposed

But this more lenient approach appears to have been ditched in favour of an outright ban, with Apple unimpressed that Facebook has been circumventing its guidelines with the Research app, reportedly since 2016.

The report alleged that Facebook had been paying users between 13 and 35 at least $20 per month to compromise their privacy and submit personal data, in some cases asking for screenshots of their Amazon order history page.

Facebook admitted to running the research programme, dubbed 'Project Atlas', to gather data on usage habits. Users were asked to visit 'r.facebook-program.com' and install an "Enterprise Developer Certificate and VPN" before consenting to trust Facebook with root access to their phone plus the data it transmits.

The data gathered, which also includes web browsing activity, would be used by Facebook to track its competition, judge social and behavioural trends and plan any future product releases.

Apple said in a statement to TechCrunch that it forcefully removed Facebook's app on Tuesday, following the initial investigation, despite Facebook earlier suggesting that it removed the app itself.

"We designed our Enterprise Developer Program solely for the internal distribution of apps within an organization," a spokesperson said.

"Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data."

Because Facebook has been stripped of its certificates, a host of its internal iOS apps, used legitimately, have stopped working. This is a blow to the thousands of Facebook developers and engineers using the DEP to test new products internally.

Google quickly follows suit

While the iOS iteration has been removed, the Research VPN app, and wider research programme, is still functioning as normal on Android devices and remains available via the conventional public-facing Android store.

This comes in light of additional reports that Google had been running a near-identical research programme on iOS devices, in violation of Apple's rules, through its DEP.

This app, named Screenwise Meter, was distributed in the same way and urged users aged 18 and above, or 13 if part of a family group, to surrender their privacy in exchange for the opportunity to earn gift cards.

Google disabled the iOS version of its Screenwise Meter app following initial reports around Facebook's violations, admitting this was a "mistake", and apologising publicly, although it had been available since 2012.

"The Screenwise Meter iOS app should not have operated under Apple's developer enterprise program - this was a mistake, and we apologize," a Google spokesperson told IT Pro.

"We have disabled this app on iOS devices. This app is completely voluntary and always has been.

"We've been upfront with users about the way we use their data in this app, we have no access to encrypted data in apps and on devices, and users can opt out of the program at any time."

It is yet unclear whether Apple will inflict the same punishment on Google and strip the tech giant of its development certificates.

Facebook's pain and gain

Despite 2019 seeing Facebook engulfed by yet another privacy scandal, and several regulatory investigations, the social media giant reported record financial results for the fourth quarter of 2018.

Facebook earned record profits, and $16.91 billion in revenue in these last three months of the year, despite facing a handful of investigations under the General Data Protection Regulation (GDPR).

Moreover, ongoing investigations by parliamentarians across the world in light of the as-of-yet unresolved Cambridge Analytica and data-sharing scandals have appeared to have not at all dented its financial prospects.Facebook also estimated that around 2.7 billion people now use its 'family of services' including Instagram, WhatsApp and Messenger.

"Our community and business continue to grow," said Facebook's CEO Mark Zuckerberg.

"We've fundamentally changed how we run our company to focus on the biggest social issues, and we're investing more to build new and inspiring ways for people to connect."

IT Pro approached Apple and Facebook for comment but did not get a response at the time of publication.

Keumars Afifi-Sabet
Features Editor

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.