and they’re not the only ones worried.
iOS and Android developers have a few ways to test their apps with real users. There’s asking your employees to use the app internally, a process known as “dogfooding,” and there’s allowing the public to beta test. The latter can be done through the App Store and Google Play store. Once beta testers have registered, they can see beta versions of the app through Apple’s TestFlight program on the App Store or on the Google Play store.
Dogfooding is done differently. When you’re distributing your company’s app to your own employees, you can sidestep the App Store or Google Play entirely. To do this on iOS, you apply for Apple’s Developer Enterprise Program. For $299/year, you can distribute certificates to your employees. These certificates allow beta versions of your app, likely downloaded through HockeyApp, a Jenkins server, or some other online file storage, to run on employee devices.
Because Apple’s Developer Enterprise Program allows developers to bypass the App Store approval process, it’s highly regulated. Developers can only use it to distribute the app to employee testers. Companies cannot use the enterprise certificate program to distribute apps to non-employees. However, Facebook, Google, and others are doing this. Apple cracked down, but relented soon after. What happened and what’s next?
What Happens When Apple Pulls a Certificate?
When Apple pulls a company’s enterprise certificates, the lack of a certificate does not disable the company’s apps on the App Store. Regular users are not impacted. However, apps that developers distributed through the enterprise program won’t work anymore. Users will be able to download the apps, but won’t be able to run them.
Employers may do this when someone leaves the company, disabling the certificate for a single user. However, when Apple pulls the certificate, it disables the entire company’s certificate, so the company can no longer test its own apps or use its internal apps. Many large companies like Facebook and Google don’t just test apps with their enterprise certificate; they also use these certs to distribute in-house apps, such as menus for their company cafeterias, tram schedules to get around large campuses, and other internal tools.
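The enterprise distribution described above leaves a fingerprint on the device: every app installed outside the App Store carries an embedded provisioning profile, and the keys in it say how the app was signed and when the profile lapses. The following is an added example (not code from the article, Apple, or any of the companies named) that classifies such a profile the way a device-inventory or MDM script would; it assumes the standard keys Apple writes into .mobileprovision payloads (ProvisionsAllDevices, ProvisionedDevices, get-task-allow, ExpirationDate), uses a constructed sample in place of a real signed profile, and does not check revocation status, which requires querying Apple online.

```python
import plistlib
from datetime import datetime, timezone

# Constructed sample: the plist payload of an enterprise (in-house) provisioning
# profile, wrapped in placeholder bytes standing in for the CMS signature envelope
# that a real embedded.mobileprovision carries. Team and bundle id are made up.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Name</key><string>Example In-House Profile</string>
  <key>TeamName</key><string>Example Corp (constructed)</string>
  <key>ProvisionsAllDevices</key><true/>
  <key>ExpirationDate</key><date>2019-06-01T00:00:00Z</date>
  <key>Entitlements</key>
  <dict>
    <key>get-task-allow</key><false/>
    <key>application-identifier</key><string>TEAMID0000.com.example.research</string>
  </dict>
</dict>
</plist>
"""
SAMPLE_MOBILEPROVISION = b"\x30\x82\x05\x00" + SAMPLE_PLIST + b"\x00" * 8

def extract_profile(blob: bytes) -> dict:
    """Carve the XML plist out of a .mobileprovision; the CMS signature is not verified."""
    start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist payload found in provisioning profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def distribution_type(profile: dict) -> str:
    """Classify by the keys Apple sets for each distribution method."""
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"   # in-house: any device, no App Store review
    if profile.get("Entitlements", {}).get("get-task-allow"):
        return "development"  # debuggable build for registered devices
    if "ProvisionedDevices" in profile:
        return "ad-hoc"       # fixed device list, also unreviewed
    return "app-store"

def assess(blob: bytes, now: datetime = None) -> dict:
    """Who signed it, how it was distributed, and whether the profile has lapsed."""
    profile = extract_profile(blob)
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    return {
        "team": profile.get("TeamName"),
        "type": distribution_type(profile),
        "expired": profile["ExpirationDate"] < now,  # plistlib yields naive UTC
        "app_id": profile.get("Entitlements", {}).get("application-identifier"),
    }
```

Run `assess()` over the embedded.mobileprovision of each app in an inventory and flag any result of type "enterprise" whose team is not your own organization.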
However, Google, Facebook, and others were also using these certificates to distribute apps to the general population. This bypassed Apple’s approval process, a clear violation of Apple’s rules. Furthermore, Facebook and Google did this because their apps were extreme privacy violations that Apple never would have approved.
What Did Facebook and Google Do?
Facebook’s Infractions
Two weeks ago, TechCrunch revealed that Facebook was using a virtual private network (VPN) to spy on users. The “Facebook Research” app allowed Facebook to record all data sent to and from your phone by sitting in the middle of all of your internet requests. Facebook could view everything.
The app paid users, including teenagers and young adults, as much as $20/month for the privilege of spying on them like this. It was an extreme violation of privacy that Apple would never allow on the App Store. Facebook sidestepped Apple’s privacy rules to collect unprecedented data on internet usage using the Enterprise Developer Program.
“We designed our Enterprise Developer Program solely for the internal distribution of apps within an organization. Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.”
– Apple via a spokesperson speaking with TechCrunch
A Repeat of Facebook’s Previous Tactics
Facebook acquired Onavo, a VPN service, in 2013. Last year, it was uncovered that Facebook used the tool to spy on users. It was that spying that led them to purchase WhatsApp after seeing how popular the service was. When Facebook’s extreme privacy violations were uncovered, Apple shut the app down on iOS and macOS, and Facebook voluntarily shut down their Onavo Protect service. That’s when they removed Facebook branding and released what was essentially the same app through their enterprise program.
With Facebook’s tool, they could figure out what younger users who have left Facebook for Snapchat, Instagram, TikTok, Twitter, and other services were doing. They could track people using their competition so they’d know what acquisitions to make and what features to copy.
Facebook’s spying app is still available on Android.
Google’s Violation
Google also has a similar app, though with more obvious branding. Google’s Screenwise Meter targeted users aged 18 and up. However, it also allowed children as young as 13 to use the app if they were on a family plan. Screenwise has been around since 2012, and gives users gift cards for allowing Google to spy on all of their internet activity.
“The Screenwise Meter iOS app should not have operated under Apple’s developer enterprise program — this was a mistake, and we apologize.”
– Google statement to TechCrunch
Google has other tools for their Audience Measurement and Opinion Rewards programs. These include apps, browser plugins, and even routers that allow Google to spy on all user traffic. However, Google was more transparent about what they were doing, and even offered users a “guest mode” that would protect them from tracking. This way, Google wouldn’t snoop on private browsing sessions or those of children.
However, Google, like Facebook, knew Apple’s strongly held beliefs on privacy would never permit the app on the App Store. They abused Apple’s enterprise app distribution program. Google pulled their abusive apps from Apple’s services, but Apple still needed to investigate.
Apple’s Actions
Apple did exactly what they had to. They pulled Facebook’s and Google’s enterprise certificates. This disables not only their spying apps, but also internal apps. As it turns out, both companies were using Apple’s certificates for legitimate and illegitimate purposes.
Apple has reinstated Facebook’s and Google’s certificates, likely after confirming with the companies that they couldn’t use enterprise certificates to distribute apps anymore. They sent a strong message to developers that this behavior will have consequences, no matter how large your organization is. Apple flexed their muscles here, showing how much control they have over the developer environment on iOS and macOS. However, by doing so, they may have cost their developers some level of trust.
Other Companies
https://twitter.com/thefaj/status/1091087789704105984
As it turns out, Google and Facebook were not alone in this behavior. A separate report has uncovered that Amazon, DoorDash, and Sonos are using the same trick to send apps to non-employees. Apple may choose to revoke these certificates as well. Apple made an example of Google and Facebook due to extreme privacy violations in conjunction with violations of their Developer Enterprise Program. However, in order to remain consistent, they may choose to disable Amazon, DoorDash, Sonos, and other companies distributing apps in violation of Apple’s guidelines anyway.
Apple’s actions may cost them some trust with developers, but they’ll be popular with consumers. Increasingly, people are aware of privacy violations in their favorite apps and operating systems. Seeing Apple’s commitment to privacy may lead them to consistently choose iOS over Android and macOS over Windows. Developers will have to follow.
Sources:
- Apple’s Developer Enterprise Program
- Apple’s TestFlight
- Josh Constine, TechCrunch, [2], [3]
- Google’s Beta Program
- Tom Warren, The Verge
- Tom Warren and Jacob Kastrenakes, The Verge
- Zack Whittaker, Josh Constine, Ingrid Lunden, TechCrunch
- Queenie Wong, CNET