When Apple banned its Onavo VPN app from its App Store last summer, Facebook repackaged the app, named it “Facebook Research” and offered it for download through three app beta testing services, TechCrunch has discovered.
About the Facebook Research app
Facebook used the Onavo app to collect usage data from both Android and iOS users and, based on the information gleaned from it, made decisions to acquire competing apps and add popular features to its own apps.
Apple banned and removed the Onavo app because it was in direct violation of the store’s data collection policies, but Facebook’s need for information would not be denied: the new app, called “Facebook Research,” was soon after uploaded to BetaBound, uTest and Applause – but not to TestFlight, Apple’s own official beta testing system.
To use the Facebook Research app, the user is required to install a Facebook Enterprise Developer Certificate and “trust” it, so that the company can have root access to phone and usage data.
In return for all this data, the user gets $20 per month in e-gift cards, plus referral fees.
According to security expert Will Strafach, who was asked by TechCrunch to analyze the Facebook Research app, the certificate allows Facebook to access “private messages in social media apps, chats from instant messaging apps – including photos/videos sent to others, emails, web searches, web browsing activity, and even ongoing location information by tapping into the feeds of any location tracking apps you may have installed.”
What data the company actually saves is impossible to tell.
On the Applause site, the text accompanying the app explains that installing and using the app means that the client (Facebook) will collect data about apps on the phone, their everyday usage, the user’s internet browsing activity and use of online services.
“There are some instances when our client will collect this information even where the app uses encryption, or from within secure browser sessions,” it also says.
Strafach also discovered that the collected data is routed through an IP address associated with Onavo, that the app itself contains a lot of code from the Onavo Protect app, and that the app can update itself without going through the App Store. The Enterprise Certificate used by the app was renewed on June 27th, 2018, soon after Apple announced it would block the Onavo Protect app.
What’s the problem?
It’s very likely that many users of the app don’t fully understand the permissions they gave Facebook.
Also, Facebook used intermediaries that often revealed the company’s involvement with the app only once users had begun the signup process, which might indicate that it was attempting to keep its efforts as low-key as possible to evade scrutiny.
Finally, Apple is likely to be furious at this pretty obvious attempt to skirt their rules.
The Facebook Research app is side-loaded onto users’ devices through Apple’s enterprise certificate program, and Apple’s Terms of Service require that developers use that program only for distributing internal corporate apps to their own employees.
Facebook claims that the app is/was in line with Apple’s Enterprise Certificate program but, since the report went live, the company has decided to pull the iOS version of the Research app. Whether the move was prompted by a request from Apple is unknown.
“To my eyes, this action constitutes Facebook declaring war on Apple’s iOS privacy protections. I don’t think it would be out of line for Apple to revoke Facebook’s developer certificate, maybe even pull their apps from the App Store,” popular (Apple) tech columnist John Gruber noted.
“No regular developer would get away with this. Facebook is betting that their apps are too popular, that they can do what they want and Apple has to sit back and take it.”
Apple has yet to publicly offer a comment on the report and say whether it will impose any meaningful sanctions on Facebook.
UPDATE (January 30, 2019, 10:10 AM PT):
Apple has revoked Facebook’s iOS developer certificate.
“We designed our Enterprise Developer Program solely for the internal distribution of apps within an organization. Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple,” an Apple spokesperson told CNBC.
“Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.”
This does not mean that Apple will be booting Facebook off the App Store, just that Facebook has lost the ability to distribute apps through Apple’s Enterprise program.
According to Alex Heath, none of Facebook’s internal iOS apps/betas – used by thousands of Facebook employees – are working on iOS devices right now because Apple revoked the company’s certificate.
This move is likely to also affect Facebook’s ability to test its apps internally before publishing them on Apple’s App Store.