Apple's iPhone privacy advertisement at CES 2019
Johnny Wen

Facebook and Google have been violating Apple’s policies, distributing apps that tracked user behavior outside Apple’s App Store, as TechCrunch reported. Apple temporarily banned Facebook and Google from running internal software, sending a strong message.

Facebook Monitored Users (With Consent)

Facebook likes to know as much as possible about its users and what they spend their time doing, both on and off Facebook. Remember, despite what it says, Facebook’s customers aren’t you (the person who uses the social network), but ad networks and other companies interested in your data. Facebook also wants to know why and when you use alternatives to the social network.

To better track what users are doing outside Facebook, the company created a volunteer program called the “Facebook Research App” that functioned as a VPN when installed on phones. The VPN sent data to Facebook, including websites visited, messages sent, photos, videos, and more. The app also required users to install a root certificate, which let Facebook inspect traffic that would normally be protected by encryption. Volunteers had to choose to install the app, and received $20 a month in e-gift cards.

Whether or not volunteers fully understood how much data they gave away is questionable. The app did have explanations and a terms of service agreement, but, as we all know, many people don’t read past the $20 offer; they skip straight to the OK button.

Early reports suggested Facebook targeted teenagers specifically, but that seems not to be the case: the company has stated that most users were adults. Facebook also said that minors were required to request parental permission, but some testing has shown that parental verification didn’t always work as intended, so it could be possible for a minor to sign up for the program without proving parental consent.

Facebook Abused an Enterprise Tool

Onavo Protect Google Play listing

Here’s the key to understanding this story: Facebook didn’t distribute this app the usual way through Apple’s App Store. Apple previously banned a similar Facebook-owned VPN app from their App Store called Onavo Protect and changed their terms of service to limit data collection to only that related directly to the app.

Facebook stepped around this problem by distributing the app outside the App Store. Sideloading an app on an iPhone normally isn’t easy or straightforward for the average person, but Facebook had an advantage here. Because Facebook is a large company, Apple had granted it a special enterprise certificate allowing distribution of apps outside of Apple’s App Store. The primary purpose of this process is for testing future apps (internal betas) and corporate-access apps (such as a corporate-only social network, or a company restaurant menu system).

Apple makes it clear that these certificates are not to be handed out to average users, and that apps signed with these certificates should remain internal to the company. Apple’s TestFlight is the only Apple-sanctioned method for beta testing with outside users, but it retains strict limits and still relies on the App Store. Despite this rule, Facebook used the certificate to install its Facebook Research app on volunteers’ phones—volunteers who did not work for Facebook.
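The enterprise distribution described above leaves a trace on the device: every sideloaded app carries a provisioning profile, and an enterprise (in-house) profile is the one that installs on any iPhone without a device list. As an added example (not code from the article, Apple, Facebook or Google), here is a small audit helper an IT or MDM administrator could run over exported profiles to flag enterprise-signed apps for review; the plist keys used are the standard ones found in Apple’s .mobileprovision files, while the sample profile contents are constructed placeholders.

```python
import plistlib
from datetime import datetime

# Constructed sample of the XML plist embedded in an iOS .mobileprovision file.
# A real profile is a CMS-signed blob wrapping this XML; every value below is a
# placeholder, not taken from any real app, team or certificate.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>AppIDName</key><string>Example Research App</string>
  <key>TeamName</key><string>Example Corp</string>
  <key>ProvisionsAllDevices</key><true/>
  <key>ExpirationDate</key><date>2030-01-01T00:00:00Z</date>
</dict>
</plist>
"""

def extract_plist(blob: bytes) -> dict:
    """Pull the embedded XML plist out of a (possibly CMS-wrapped) profile."""
    start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no embedded plist found in profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def classify_profile(profile: dict) -> str:
    """Enterprise (in-house) profiles set ProvisionsAllDevices and carry no
    device list, so the app installs on any iPhone that trusts the signing
    certificate; that is the mechanism the article describes. Ad-hoc and
    development profiles instead enumerate device UDIDs in ProvisionedDevices."""
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"
    if profile.get("ProvisionedDevices"):
        return "ad-hoc-or-development"
    return "app-store"

def audit(blob: bytes, now: datetime = None) -> dict:
    """Summarise a profile the way a fleet audit would. Enterprise-signed apps
    are flagged for review: on a device outside the company they point at
    exactly the misuse Apple revoked certificates over."""
    profile = extract_plist(blob)
    now = now or datetime.utcnow()  # plistlib yields naive UTC datetimes
    kind = classify_profile(profile)
    expired = profile["ExpirationDate"] < now
    return {
        "app": profile.get("AppIDName"),
        "team": profile.get("TeamName"),
        "type": kind,
        "expired": expired,
        "needs_review": kind == "enterprise" and not expired,
    }
```

On a real device the profile to feed in is the `embedded.mobileprovision` file inside the app bundle, which an MDM inventory or a backup export can supply.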

Apple Shut Down Facebook’s Internal Apps

Because of this violation, Apple revoked the certificate that makes these internal apps work. This broke the Facebook Research app and Facebook’s internal applications, including testing, transportation, and restaurant menu apps. It isn’t clear how many employees this directly affected.

Apple’s actions did not block any Facebook apps available on the App Store, including Facebook, Messenger, and WhatsApp. Facebook has since shut down Facebook Research on iOS, but it still has a similar app on Android.

Apple reinstated Facebook’s ability to run internal apps about a day later, and all is normal again.

Google Had a Tracking App, Too

Screenwise Meter listing in Google Play Store

Google had a similar program called Screenwise Meter in place, and Google distributed it with the same certificate method on iOS. Google doesn’t seem to have monitored encrypted data. Also, the initial volunteer in a household to sign up had to be 18 or older, and then that adult could add a minor. Similar to Facebook, Google paid volunteers $20 per month for providing their data.

Apple also shut down Google’s internal iOS apps, citing the same violation of policies, and Google pulled the Screenwise Meter iOS app. Google stated that Screenwise Meter should not have been distributed this way, and Apple has also reinstated Google’s internal iOS apps.

Again, Google apps on the Apple App Store were unaffected by any of this. Google continues to offer Screenwise Meter on Android.

As far as both companies are concerned, paying users to collect this extensive data is perfectly fine. They’re not alone. If anything, compared to grocery store rewards cards, this is more transparent. It’s similar to the Nielsen company tracking TV watching habits, albeit on a larger scale.

Apple Wasn’t Happy Its Policies Were Violated

Apple wasn’t happy about how Facebook and Google circumvented its App Store policies, violating enterprise licensing rules by distributing certificates to non-employees. Facebook did all this despite a direct warning from Apple that it bars this sort of data tracking.

By disabling the companies’ internal apps, Apple sent a direct message that this behavior was unacceptable. Apple managed to send a strong signal to Facebook and Google without actually breaking the apps that normal Facebook and Google users depend on, too. You could still use Facebook’s apps on your iPhone, but employees couldn’t launch their internal apps for a day or so.

Did Apple Abuse Its Power?

This event is a reminder that Apple has control over its mobile operating system and the code that can run on it. Apple not only curates the apps allowed in the App Store but can remove and revoke access to those apps when necessary. Apple does this when malware is discovered in an app that slipped through, for example.

The company stepped in to enforce its policies, which Facebook and Google violated. Apple probably received assurances that Facebook and Google would behave in the future before reinstating their ability to run internal apps, but we don’t know what was discussed between the companies.

Apple has always run iOS as a tightly controlled “walled garden,” in contrast to the “wild west” of Google’s Android, and by now we all sort of know what we’re signing up for. If Apple’s control of the operating system bothers you, at least you have an alternative: Android.

But this sort of control isn’t unique to Apple. While Google doesn’t curate the Play Store as directly, it can and has removed apps from the store and from users’ phones. Exercising this power is something Google does sparingly, and usually to remove malicious apps to protect users, but ultimately the effect is similar.

Josh Hendrickson
Josh Hendrickson has worked in IT for nearly a decade, including four years spent repairing and servicing computers for Microsoft. He’s also a smarthome enthusiast who built his own smart mirror with just a frame, some electronics, a Raspberry Pi, and open-source code.