Tuesday, 05 February 2019 21:06

Apple Blocks Google And Facebook Enterprise Certificates

This week, Apple temporarily blocked Facebook and Google from creating and running Enterprise iOS apps meant for internal use. Apple has since restored both of the iOS enterprise certificates.

Facebook found itself in the crosshairs of Apple because of an app called Facebook Research, which tracked the phone usage of the company's users in a manner Apple said violated its policies. The app was able to do this because it was created through the Apple Developer Enterprise Program, a program that lets certain approved developers distribute apps within their own organizations.

Unlike normal iOS apps, which Apple individually tests and approves prior to their release on the App Store, apps created through its Enterprise program are not tested or approved by Apple. This is because companies officially cannot distribute these apps to anyone other than employees, contractors and partners, who in turn are meant to use the apps only internally or for the purpose of performing quality assurance on them prior to their official release on the App Store.

However, Facebook did not follow these rules. Instead, it reportedly paid individuals outside the company in exchange for downloading and running Facebook Research. When Apple discovered this violation, it not only prevented Facebook from creating new Enterprise apps, but also stopped all of Facebook's current Enterprise apps from running by revoking the certificate that lets these apps function.

Along with revoking Facebook's Enterprise certificate, Apple issued a statement that said that the Enterprise program only allows for app distribution internally within an organization, that Facebook used the program to distribute an app that collected data from consumers, and that this is a clear violation of the terms of the program agreement. Apple went on to say that any software developer that uses enterprise certificates to distribute apps outside of their organization will have their certificates revoked, and this is what happened in this particular case, in order to protect both the company's users and their data.

In response to the revocation of its certificate, Facebook issued its own statement. It insisted that the app was not spying on users, and as proof it cited the name of the app, which it says makes it clear what the app's intent was. The company further said that all those who used the app clearly understood what the app was doing and explicitly granted the company permission to collect the data. What's more, users received compensation in exchange for this collection. Facebook further indicated that fewer than 5% of the app users were teenagers, and those who participated did so only with explicit parental approval.

While Facebook Research is no longer available for iOS, it is still available for Android devices, though Facebook says that it will be taking it down soon.

Apple has since restored Facebook's participation in the Enterprise program as well as its certificate. Facebook issued a statement regarding this, saying that their Enterprise certification, which they use for internal employee applications, is again functional. They also said that they are in the process of getting these internal applications running once again, and that the interruption did not impact any of the company's "consumer-facing services."

While Facebook insists that the certificate revocation did not affect consumers, experts believe that the interruption may have affected the testing of its consumer-facing applications within the company. It also affected the use of internal iOS apps, such as the one that lets company employees use shuttle services around the company's campus. It has further been reported that, during the certificate revocation, Facebook employees could not access the company's cafeteria menus.

Facebook is not the only company that has recently violated Apple's policies for Enterprise iOS apps. Google also violated Apple's policy and likewise had its Enterprise certificate temporarily revoked.

In Google's case, they reportedly asked a number of iOS users to download Screenwise Meter, which is an app only available through the Enterprise program. Unlike Facebook, though, Google admitted its mistake. It issued a statement that said their Screenwise Meter iOS app should not have been released as an Enterprise app, and that they apologize for the error. They went on to say that they have disabled the app on iOS devices and that the app was always completely voluntary. They further insisted that they had been upfront with their users about how the app uses data and that the company never had access to encrypted data in either the app or on the users' devices, and that users could have opted out of the program any time they wanted.

As with Facebook, Apple eventually restored Google's certificate. But the upshot of this story is this: Apple is taking privacy very seriously. If it is willing to suspend the Enterprise certificates of Facebook and Google, it will do the same to any company that violates its policies.