Google also abused its Apple developer certificate to collect iOS user data

It turns out that Google, like Facebook, abused its Apple Enterprise Developer Certificate to distribute a data collection app to iOS users, in direct contravention of Apple’s rules for the distribution program.

Google Apple developer certificate

Unlike Facebook, though, the company did not wait for Apple to revoke their certificate. Instead, they quickly to disabled the app on iOS devices, admitted their mistake and extended a public apology to Apple.

Google’s app

Google’s Screenwise Meter app is very similar to the Facebook Research app, although Google says that it has no access to encrypted data in apps and on devices.

Screenwise Meter was first launched in 2012 and is part of Google’s Opinion Rewards programs. Like Facebook, Google requires users to install and trust its enterprise certificate and pays users to install tracking apps on their mobile phone, web browser, router and TV. The aim is, of course, to see which apps users use, which websites they visit, and so on, so that the company can decide which products to acquire, create or improve and in which way.

“Originally, Screenwise was open to users as young as 13, just like Facebook’s Research app that’s now been shut down on iOS but remains on Android,” TechCrunch reported. Now it can be used by them only if they are “secondary panelists.

Another thing that’s different between the two apps is that Google was much more frank about the app’s capabilities and about the data it collects and how. Also, users could switch to a “guest mode” for those instances when they did not want their activity to be monitored.

Apple’s reaction

Apple’s revocation of Facebook’s Enterprise Developer Certificate came as a bit of a surprise to the public and to Facebook, who probably counted on getting just a light slap on the wrist. Instead, the company lost the ability to distribute apps through Apple’s Enterprise program and its internal iOS apps/betas stopped working.

It’s likely that this is just a temporary setback and it’s very unlikely that Apple will boot Facebook’s apps from its App Store.

Still, Apple had to be seen doing something about such an egregious effort to skirt their rules and, obviously, their threat of revoking the enterprise certificates of any developer using them to distribute apps to consumers was enough for Google to go into appeasement mode.

“The Screenwise Meter iOS app should not have operated under Apple’s developer enterprise program — this was a mistake, and we apologize,” the company said. It now remains to be seen if that will be enough to avoid the same punishment, which could be very detrimental to Google’s product development and daily work flow.

The fallout

As mentioned before, Facebook employees’ day-to-day work has been made more difficult by the certificate revocation.

On the other hand, this revelation and other privacy scandals before it did not have an adverse effect on the number of users the platform musters or its financial performance.

Obviously, users are not deterred by all of these disclosures, but regulators and legislators are increasingly making noise about it.

This latest revelation has spurred US Senator Ed Markey to berate Facebook about offering teens money in exchange for their personal information when they don’t have a clear understanding of how much data they’re handing over and how sensitive it is.

“I strongly urge Facebook to immediately cease its recruitment of teens for its Research Program and explicitly prohibit minors from participating. Congress also needs to pass legislation that updates children’s online privacy rules for the 21st century. I will be reintroducing my ‘Do Not Track Kids Act’ to update the Children’s Online Privacy Protection Act by instituting key privacy safeguards for teens,” the Senator stated.

“But my concerns also extend to adult users. I am alarmed by reports that Facebook is not providing participants with complete information about the extent of the information that the company can access through this program. Consumers deserve simple and clear explanations of what data is being collected and how it being used.”

UPDATE (February 1, 2019, 01:20 AM PT):

Apple has nixed Google’s ability to distribute its internal iOS apps – the pre-release versions of regular apps and the employee-only apps – by revoking its enterprise developer certificates.

In both cases the move is temporary. Apple has already restored Facebook’s developer certificates and the company’s employees are getting back their access to internal apps. It is also working with Google on reinstating their enterprise certificates.

In the meantime, iOS developer Alex Fajkowski has pointed out that Amazon, Sonos, DoorDash and many other companies are abusing Apple’s Enterprise program in the same way.