Prominent as they are, Facebook and Google have entered the public eye again. This time, privacy issues discovered by TechCrunch in two separate investigations have led to them landing in hot water with Apple, distributor of the iOS operating system on its popular family of iPhone mobile devices.
Facebook’s “Research” app and Google’s “Screenwise” app have both faced the App Store axe after it emerged that they had misused an enterprise certificate that allows companies to bypass the App Store to distribute employee-only apps internally. Both companies had capitalised on a loophole to distribute their respective apps to external users without the oversight of the tech giant.
Research and Screenwise were both designed to grant their respective companies extensive access to users’ data, some of which could be considered sensitive. On Research, Facebook had paid its users $20 per month for the rights to the data – and it had further emerged that the company had repurposed an app banned from the App Store for the over-collection of user data just last year.
With the Research app, Apple had not only shuttered its access on the App Store, but also revoked Facebook’s access to the certificate that allows it to run its other employee-only applications. This means its corporate mobile functionality will be severely restricted at present.
App developers everywhere have long known of Apple’s strict standards on apps in its App Store. However, its strict stance on those belonging to even the most established of tech companies sends a huge signal that no one is invulnerable to its rule.
Apple’s enterprise certificate that allows companies to submit applications on the App Store without any oversight is intended to benefit developers seeking to expedite beta versions of their applications, skipping review and censure for their incomplete versions. However, this means that the Research and Screenwise applications had to be loaded outside of Apple’s ecosystem. Through a more complicated process called “sideloading”, the user obtains access to the app, and is able to run and use it because of the enterprise certification on the part of Google and Facebook.
User data is then channelled out (with consent from users) directly to the tech giants via VPN.
While Google’s Screenwise app, intended for research, had been limited to unencrypted data, Facebook’s Research went a step further. By achieving access to the “root” level network traffic of the phone, Research was able to access all encrypted traffic, including messages and emails that did not have certificate pinning or end-to-end encryption.
The privacy concerns emerge from the fact that although users had given the respective applications permission to access their data, the apps had in fact been able to collect information about individuals these consenting app users interacted with. Images, videos and messages that were not encrypted could be accessed, particularly by Facebook’s Research app.
No user figures have been released by Apple, Google or Facebook, but numbers of affected individuals would be much higher than the actual number of downloads, as individuals who have interacted with affected users will be implicated too.
Apple’s decision to revoke the certificates to Google and Facebook has effectively resulted in pre-release versions of Facebook, Instagram and WhatsApp being made unavailable for staff to work on, but it goes deeper. Apps intended for internal collaboration have also been taken offline, like travel, catering and menu apps across the two companies. Access has since been restored.
What does it mean for end-users?
While reasonable ire has been directed toward Google and Facebook, market research applications are not new. The tech companies, however, were the first to have been put under public scrutiny for flouting Apple’s guidelines on internal-distribution certificates.
Apple, while ostensibly acting in the public interest, was not spared from negativity. Developers, in particular, have highlighted the extreme power the tech giant possesses over consumers, competitors and collaborators alike.