Apple revokes Facebook's enterprise certificate over a new privacy violation

A new page in the history of Facebook's invasions of privacy, and a new fight with Apple over it. The story began with the withdrawal from the App Store of a Facebook VPN app called Onavo Protect in August last year (removed "voluntarily", under pressure from Apple) and has now jumped back into the news with further bad practices by Facebook that have led Apple to revoke its enterprise developer certificate.

Since it is a complex topic, let's go through the chronology step by step to understand exactly what happened and how the whole story fits together.

Onavo Protect, where it all began

In 2013 Facebook bought the Israeli company Onavo, which had its own VPN software that added a number of features and controls to the browsing of the users who ran it. To clarify the concept: a VPN (virtual private network) is an encrypted tunnel that lets a device connect over the internet to a private network and move around it as if it were physically on that network. Imagine I have a NAS at home: I can set up a VPN so that my iPhone connects to it and reaches the server's contents securely, as if I were at home on my own WiFi. All of my traffic is diverted from the open internet into that private network, to which I am connected as a virtual node.

-It's curious, or ironic, that the controversy started with Facebook's Onavo Protect, a utility that is supposed to improve your security and privacy when you connect from an unsafe place, such as a coffee shop with open WiFi-

VPNs are usually used to reach a company's internal resources that are not published on the internet, to get around geographic restrictions, and to use apps or services that are limited to a region. Onavo Protect additionally offered traffic control, privacy features and compression of the data you receive, saving you bandwidth. Facebook promoted it through a feature that even appeared in February last year in the main Facebook app as a PROTECT button, which, when tapped, took you to install Onavo Protect.

Facebook's pitch was this: if you are at work on the company network, in a public place such as a café with its WiFi, or even at home, and you want to browse in a more private and controlled way, use its app to protect your browsing and your privacy. While connected, requests to any website or service go through Facebook's network, so any attempt by the local network to monitor or throttle your traffic is useless: all it sees is a constant connection to Onavo's servers, and it cannot tell where you are browsing or what you are doing. So yes, they protect your privacy, at least from the local network; the VPN operator itself, of course, sees all of it.

Onavo also offers alerts when an app makes excessive use of data, lets you limit the background traffic of certain services, shows how much data each app has actually consumed and, of course, promises absolute privacy so that your most sensitive data, such as passwords, bank accounts or card numbers, cannot be seen by anyone (anyone on the local network, that is; everything still passes through Onavo's servers). Onavo Protect is still available on Google Play today.

-Onavo Protect is still available on Google Play, as it does not violate that store's rules, only those of Apple's App Store-

As we said, in August Apple pushed Facebook to pull the app from the App Store for breaking its updated privacy rules, since the app recorded all of the user's activity. Collecting activity data is in itself allowed, provided you tell the user in detail what you collect and what you will do with it, and the user accepts the privacy policy. But the sentence is not finished: the problem is that Onavo not only collects the activity, it also sells it to affiliates or third parties.

In fact, the app is still on Google Play because there an app is allowed to collect information with the user's permission and to sell that information to third parties. The problem, as an article in Xataka pointed out in August, is this passage from Onavo Protect's privacy policy:

We may use the information to provide, analyze, improve and develop new and innovative services for users, affiliates and third parties, to communicate with users, for advertising purposes and to protect others.

The part about affiliates and third parties is what Apple does not allow, and that's why it pressed Facebook until the app was removed from the App Store. If everything had ended there, fine, no problem. But today we learned that Facebook, in its hunger for data, has used Onavo's technology for something far more serious.

Facebook Research, a VPN installed outside the App Store

Today it came out that for two years Facebook has been paying teenagers and adults aged 13 to 35 up to $20 a month to run their entire digital life through a research app, supposedly to improve its services and learn how people use their devices.

For this they have been using Onavo Protect rebranded as the Facebook Research app, which, in addition to the functionality already described, can access the phone's private usage records and extract everything about the user: private messages in messaging apps and social networks, including photos and videos sent, emails, web searches, browsing activity and real-time device location.

And to top it off, it also asks the user to install a trusted root certificate on the device. With the VPN in place, everything the iPhone sends or receives is forced through Facebook's network, not just the traffic iOS would normally route into the VPN, and with Facebook's own root trusted by the device, even TLS-protected connections can be opened and read on its servers.
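To see what trusting that extra root actually buys the VPN operator, here is an added example; it is not part of the original article and is not Facebook's or Onavo's code. It uses only the openssl command line: it mints a root CA standing in for the certificate the user is asked to trust, issues a forged leaf certificate for a constructed hostname (bank.example.test, not a real service), and shows that a client trusting only the platform's built-in roots rejects it, while a client that has also trusted the operator's root accepts it. That acceptance is what lets a proxy sitting in the VPN path decrypt a TLS session and re-encrypt it toward the real site, which is exactly the "even if the app uses encryption" case the uTest page warns about further down. The CA name, hostname and function names are assumptions made for this demo.

```shell
#!/bin/sh
# Added example (not from the article): a VPN operator whose own root CA
# is trusted on the phone can forge a certificate for any site and
# terminate the TLS session itself. Needs only the openssl CLI.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
HOST="bank.example.test"   # constructed hostname, not a real service

# 1. The operator mints a root CA. This stands in for the "trusted
#    certificate" the user is asked to install on the device.
openssl req -x509 -newkey rsa:2048 -nodes -days 7 \
  -subj "/CN=Research VPN Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# 2. With that CA it can issue, on the fly, a leaf certificate for any
#    host it sees the phone connecting to.
openssl req -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
  -keyout "$WORK/site.key" -out "$WORK/site.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/site.csr" -days 1 \
  -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
  -out "$WORK/site.pem" >/dev/null 2>&1

# A client that trusts only the platform's built-in roots rejects the
# forged certificate (non-zero exit).
verify_with_system_roots() {
  openssl verify "$WORK/site.pem" >/dev/null 2>&1
}

# A client that has also trusted the operator's root accepts it (zero
# exit), so the operator can decrypt, read and re-encrypt everything.
verify_with_operator_root() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/site.pem" >/dev/null 2>&1
}

# What the client sees in the certificate: the expected hostname. Only
# the issuer gives the forgery away.
leaf_subject() {
  openssl x509 -in "$WORK/site.pem" -noout -subject
}

if verify_with_system_roots; then
  echo "unexpected: forged cert accepted without the operator's root"
else
  echo "system roots only: forged cert for $HOST rejected"
fi
verify_with_operator_root && echo "operator root trusted: forged cert for $HOST accepted"
leaf_subject
```

Run it with sh; it removes its temporary directory on exit. The practical check this suggests: on an iPhone, Settings > General > About > Certificate Trust Settings lists the roots a user (or a profile) has installed, and any root you did not knowingly add belongs to whoever can read your traffic.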

Does Apple allow such apps in the App Store? No. In fact, about 25% of all App Store rejections are for apps that do not comply with the store's privacy rules. So how could it be published? It wasn't: the app is installed using an enterprise certificate, a type of certificate designed so that companies can develop their own applications for internal use without going through the App Store or any Apple review, a way to ease so-called in-house development. Its terms state explicitly that it may only be used to install apps on the company's own fleet of devices or those of its employees. Nothing else.

-Facebook says it is negotiating with Apple to get its enterprise certificate reinstated, since Apple has cancelled every one it had and Facebook's own internal apps have stopped working: its internal communication apps, access to company information and even the app used for corporate transport no longer work-

Once TechCrunch, which has published an extensive analysis of Facebook's bad practices, made the problem public, Apple issued an official statement on the matter, to which Wipelocker has had access:

-We designed the Enterprise Developer Program solely to allow the internal distribution of apps within an organization. Facebook has been using its membership to distribute apps that collect user data, which is a clear breach of its agreement with Apple. Any developer using enterprise certificates to distribute apps to end users or consumers will have their certificates revoked, which is what we have done in this case to protect our users and their data-

As we can read, once Apple learned of this practice it revoked Facebook's certificate: from the moment of revocation, the apps signed with it stop launching on the iPhones where they are installed, because the signature the system checks when the app is started is no longer valid.

The danger of these practices, especially with apps handed to ordinary users (apart from breaching the usage and license agreement), is that by never going through the App Store, the Facebook Research app is not subject to the review rules and can do almost whatever it wants: it can use private APIs (strictly prohibited in the App Store) that reach much deeper into iOS, into the file system and into services that would otherwise require authorization. Note that such an app still runs inside the normal iOS app sandbox; what it escapes is Apple's review, which is what normally catches private API use.

This practice is widespread in some circles: we have seen apps that let you run more than one WhatsApp account on a single iPhone (with different phone numbers), and which then intercept your conversations through the servers they use to pull off the two-numbers-on-one-device trick.

Installing an app signed with an enterprise certificate means installing a configuration profile, trusting it, and authorizing iOS to run apps from outside the App Store; after that the app can be downloaded and installed from any website. Without a doubt, something we should never do for our own safety.

There are even retro console and computer emulators (whose ROMs are copyrighted, which is why Apple does not allow this kind of software in the App Store without the written permission of the rights holder) that are installed using such a certificate, a certificate that again requires installing a configuration profile and granting trust to every program signed with it. A practice not recommended for our security and privacy: it is not a jailbreak, but we are allowing apps that have never passed Apple's review to run on our device.
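Added example, not from the article and not Apple's or Facebook's code: a small shell check that tells whether the provisioning profile embedded in an app is an enterprise (in-house) one, installable on any device with no device list, as opposed to a developer or ad hoc profile pinned to specific devices. The key names ProvisionsAllDevices, ProvisionedDevices, TeamName and ExpirationDate are the ones Apple writes into the profile's plist; the two sample profiles below are constructed for the demo, and the team name and device identifier in them are made up.

```shell
#!/bin/sh
# Added example (not from the article): classify an iOS provisioning
# profile plist as enterprise (in-house), adhoc (developer / ad hoc) or
# other, and pull out a few fields. Sample profiles are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample of the plist inside an enterprise profile: no device
# list, ProvisionsAllDevices set, which is what lets it install anywhere.
cat >"$WORK/enterprise.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Name</key>
  <string>Research In-House</string>
  <key>TeamName</key>
  <string>Example Corp (constructed)</string>
  <key>ProvisionsAllDevices</key>
  <true/>
  <key>ExpirationDate</key>
  <date>2019-12-31T00:00:00Z</date>
</dict>
</plist>
EOF

# Constructed sample of a developer / ad hoc profile: a fixed device list
# (the identifier is made up).
cat >"$WORK/adhoc.plist" <<'EOF'
<plist version="1.0"><dict>
<key>Name</key><string>Beta Build</string>
<key>ProvisionedDevices</key>
<array><string>00008020-000000000000002E</string></array>
</dict></plist>
EOF

# Read one scalar value by key; works whether or not key and value share
# a line, because the plist is first flattened to one line.
plist_value() {  # $1 = plist path, $2 = key
  tr -d '\n\t' <"$1" | sed -n "s|.*<key>$2</key> *<[a-z]*>\([^<]*\)<.*|\1|p"
}

# Print exactly one word: enterprise | adhoc | other
classify_profile() {  # $1 = plist path
  if tr -d '\n\t ' <"$1" | grep -q '<key>ProvisionsAllDevices</key><true/>'; then
    echo enterprise
  elif grep -q '<key>ProvisionedDevices</key>' "$1"; then
    echo adhoc
  else
    echo other
  fi
}

for f in "$WORK"/*.plist; do
  echo "$(basename "$f"): $(classify_profile "$f")" \
    "team='$(plist_value "$f" TeamName)'" \
    "expires='$(plist_value "$f" ExpirationDate)'"
done
```

To run it against a real app, unzip the IPA and extract the plist from the CMS-signed profile with `openssl smime -verify -noverify -inform DER -in Payload/<App>.app/embedded.mobileprovision` (on macOS, `security cms -D -i embedded.mobileprovision` does the same). App Store builds normally carry no embedded profile at all, so a missing file is itself the answer. What the profile cannot tell you is whether Apple has since revoked the certificate behind it; that is something the device learns from Apple, which is why Facebook's in-house apps stopped launching the moment the certificate was pulled.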

Facebook, we don’t care about your privacy

Most amazing of all, they keep trying to get more and more data under the cover of offering better services. As TechCrunch has found out, Facebook reportedly has three apps in testing that are versions of this Facebook Research app: BetaBound, uTest and Applause, some of them even promoted with Instagram advertising campaigns. They use the same mechanism: the user has to trust Facebook's certificate on the device in order to install the app from the web rather than from the App Store.

One of them, uTest, shows its ads even to underage users, between 13 and 17 years old, who, with parental consent, are paid to let it collect all the information about how the device is used. One of its pages tells us what the app is for:

-By installing this software, you are giving our client permission to collect data from your phone to help them understand how you browse the internet and how you use the features of the apps you have installed. This means that you allow our client to collect information such as which apps are on your phone, how, when and where you use them, data about activities and content within those apps, and how other people interact with you or your content within those apps. You also allow our client to collect information about your internet browsing activity (including the pages you visit and the data exchanged between them and your device) and your use of other online services. There are some instances where our client will collect this information even when the app uses encryption or from within secure SSL-certified sessions in the browser-

But hey, they're offering you 20 bucks a month on a gift card for your trouble. It's amazing. These kinds of bad practices by companies like Facebook make it even clearer that we must not sell our privacy at any price. Admittedly, from the standpoint of the user's rights, Facebook is being «legal» here: it tells you plainly what you are giving it access to. The problem is that, with money as the bait (especially for a minor), you hand over data it is not at all clear they have the right to have, such as encrypted app or browsing traffic.

And this brings us back to the eternal question: are we really aware of what we give away or accept when we say yes to an endless text, or do we just focus on using the service without knowing the price we pay for it with our data? We should all be more aware and not tolerate these kinds of practices which, to me, are clearly abusive in Facebook's eagerness to know, above all, the market trends around new services that are hurting it at the user level, such as the famous app TikTok. I don't think everything is justified, least of all playing with the «innocence» of a user who does not know what he is accepting and just wants the money on offer.
