Slashdot Mirror


Apple Says It's Banning Facebook's Research App That Collects Users' Personal Information (recode.net)

Facebook is at the center of another privacy scandal -- and this time it hasn't just angered users. It has also angered Apple. From a report: The short version: Apple says Facebook broke an agreement it made with Apple by publishing a "research" app for iPhone users that allowed the social giant to collect all kinds of personal data about those users, TechCrunch reported Tuesday. The app allowed Facebook to track users' app history, their private messages and their location data. Facebook's research effort reportedly targeted users as young as 13 years old.

As of last summer, apps that collect that kind of data are against Apple's privacy guidelines. That means Facebook couldn't make this research app available through the App Store, which would have required Apple approval. Instead, Facebook apparently took advantage of Apple's "Developer Enterprise Program," which lets approved Apple partners, like Facebook, test and distribute apps specifically for their own employees. In those cases, the employees can use third-party services to download beta versions of apps that aren't available to the general public.
Update: The Verge reports: Apple has shut down Facebook's ability to distribute internal iOS apps, from early releases of the Facebook app to basic tools like a lunch menu. A person familiar with the situation tells The Verge that early versions of Facebook, Instagram, Messenger, and other pre-release "dogfood" (beta) apps have stopped working, as have other employee apps, like one for transportation. Facebook is treating this as a critical problem internally, we're told, as the affected apps simply don't launch on employees' phones anymore. Update 2: Apple says it shut down Facebook's app before the social company could voluntarily shut it down -- contrary to an earlier statement by Facebook, in which it said it was shutting down the app.

109 comments

  1. States with wiretapping laws need to step in by Anonymous Coward · · Score: 0

    I'm pretty sure this violates wiretapping laws in multiple states. So many people have no clue their supposedly private conversations were being monitored and recorded.

    1. Re:States with wiretapping laws need to step in by Anonymous Coward · · Score: 0

      Eavesdropping on any electronic communications without consent violates wiretapping laws. Those laws were long ago updated to include cell phones.

    2. Re:States with wiretapping laws need to step in by DontBeAMoran · · Score: 1

      I'm pretty sure women do not want Facebook to have records of their PMS periods.

      --
      #DeleteFacebook
    3. Re:States with wiretapping laws need to step in by Anonymous Coward · · Score: 0

      Wiretapping laws are quaint, but we don't enforce those anymore. Gotta stop those terrorists, ya know.

    4. Re:States with wiretapping laws need to step in by Anonymous Coward · · Score: 0

      Yes, because everything in your life should be public knowledge or you are a criminal. It's not possible to have secrets that aren't tied to illegal activity.

      Remember what you said the next time you go to take a shit and don't close the door. Also, get rid of all of your curtains and blinds and post all of your banking, credit card and account details here....if you don't, then what illegal activities are you trying to hide?

  2. Ban everything with Facebook by Anonymous Coward · · Score: 1

    Anything associated with Facebook should be banned. Facebook is a company not interested in protecting their users; they only want to exploit them for monetary gain.

    1. Re: Ban everything with Facebook by Anonymous Coward · · Score: 1

      #deletefacebook, it's a platform designed to abuse and dehumanise people as data. It has been weaponised since the beginning when Zuck the Cuck used it as a stalking tool, and progressed to unlicensed unethical mood manipulation research on at risk teens amid soaring youth suicide. It enabled a lot of organised crime too, Facebook is in that category #deletefacebook

  3. apple by Anonymous Coward · · Score: 0

    How dare facebook collect and sell that info. That's Apple's job.

    1. Re:apple by Opportunist · · Score: 1

      I was honestly surprised that Apple banned this before Google did.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:apple by Anonymous Coward · · Score: 0

      Google hasn't banned it. That is because Google has an app which is violating Apple license same way as FB does. If they have on iOS, I am sure they have on Android and since they own Android, they are not violating it. God save Android users because even if Google bans FB, it is not going to ban itself!

  4. The more we learn about Facebook... by QuietLagoon · · Score: 4, Insightful

    ... the worse Facebook looks.

    1. Re: The more we learn about Facebook... by Anonymous Coward · · Score: 0

      And twice on sundays

    2. Re:The more we learn about Facebook... by Anonymous Coward · · Score: 0

      Facebook needs to be totally obliterated! Put Suckerberg in solitary confinement for life, and completely destroy everything he owned. Destroy all of Facebook's servers and backups, and all buildings and facilities. Then it needs to be made illegal to collect ANY data about anyone without prior written consent, which consent can be withdrawn at any time, and at such time, any data collected must be erased.

    3. Re:The more we learn about Facebook... by Anonymous Coward · · Score: 0

      The lesson here is that despite all the slaps on the wrist Facebook got, they DO. NOT. GIVE. A. FUCK.

      They're huge believers in asking for forgiveness rather than permission. Nothing's gonna change that until something *major* happens to *them* - not Facebook users.

  5. Re: Bad Apple by Anonymous Coward · · Score: 0

    When all you have is a ban hammer..

  6. Re:Bad Apple by Anubis+IV · · Score: 5, Insightful

    You make it sound as if Apple arbitrarily reached out and nuked an app. They didn’t. They nuked an app that showed a flagrant disregard for the rules that everyone had agreed to.

    Facebook broke specific terms in the license that say enterprise apps are expressly disallowed from being used by customers unless they are being supervised physically by an employee or are being operated on the company’s premises. Facebook made no attempt at abiding by the rules and engaged in behavior that many people are suggesting may actually have been criminal in nature.

    But hey, if you want to shill for them and blame Apple, go ahead.

  7. Re:Bad Apple by Anonymous Coward · · Score: 0

    When you sign up for an Enterprise account, you agree that they have this power and you won't create apps that Apple wouldn't want on their devices.

    Don't like it? Go to Android.

  8. Apple should nuke Facebook by MikeRT · · Score: 1

    For something this extreme, Apple should have pulled Facebook's development certificates for Facebook as a whole. Leave WhatsApp and Instagram, but Apple should have immediately revoked Facebook and pulled the

    1. Re: Apple should nuke Facebook by Anonymous Coward · · Score: 0

      Nuke? Not if it can be avoided, #deletefacebook, yes. All options are on the table.

    2. Re:Apple should nuke Facebook by j_l_cgull · · Score: 2

      Apple should have pulled Facebook's development certificates for Facebook as a whole

      I think that's exactly what has happened, as evidenced by Apple's statement: "Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data."

    3. Re:Apple should nuke Facebook by gnasher719 · · Score: 2

      Facebook will have joined two separate programs: The normal "developer" program, where they pay $99 a year just like every other developer, and the "enterprise" program, where they pay $299 a year for a program that plays by different rules: No review by Apple, the apps don't go on the App Store, and the enterprise must make sure that the app _only_ gets installed on devices belonging to the company.

      Their enterprise account just got nuked (their Enterprise certificate probably got revoked, which kills all enterprise apps that they legitimately installed on Facebook devices as well), but their normal developer account would be unaffected.

    4. Re: Apple should nuke Facebook by Anonymous Coward · · Score: 0

      I love when people "leave Facebook for Instagram". #deletefacebook #whyareyoustilloninstagram

    5. Re: Apple should nuke Facebook by Anonymous Coward · · Score: 0

      Since facebook hid their involvement through a third party, it is likely the third party's enterprise account got nuked, not facebook's.

    6. Re:Apple should nuke Facebook by Altus · · Score: 1

      The enterprise cert is distinct from the App Store cert... I'm not sure if apple nuked the enterprise cert but it sure seems like facebook is still in the App Store.

      --

      "In America, first you get the sugar, then you get the power, then you get the women..." -H. Simpson

    7. Re:Apple should nuke Facebook by Lord_Jeremy · · Score: 1

      These days, Apple’s rules allow a single company to operate multiple developer accounts. It’s possible and likely that this Facebook Research app was being signed by a separate account than e.g. the internal corporate apps that Facebook undoubtedly uses.

    8. Re:Apple should nuke Facebook by petermgreen · · Score: 1

      Nuking the enterprise cert is going to give Facebook some pain, making it harder to beta-test apps and harder to use iphones for internal applications, but it's likely to be manageable pain.

      Nuking the facebook app from the appstore would likely do significant damage to both Apple and Facebook.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
    9. Re: Apple should nuke Facebook by Anonymous Coward · · Score: 0

      Yes, an app called "FACEBOOK RESEARCH" was clearly hidden.

  9. Re:Bad Apple by Anonymous Coward · · Score: 0

    If it's a VPN, it could do all sorts of stuff, up to and including MITM attacks on apps. Facebook has done similar stuff in the past. Personally, I'm unsure where I stand on this - it was essentially a "side-loaded" app, but where does that end? I've seen some truly hinky things on my Mother-in-Law's iToy - is apple doing good by preventing side-loads of almost-malware, or just opening themselves up for a lawsuit when they don't catch all of it?

    The other fun question: so Facebook paid kids for their information, by installing that app. Minors are incapable of entering into contracts - so will there be a pull-out-some-popcorn lawsuit against Facebook?

  10. Dear Facebook Users... by BringsApples · · Score: 5, Informative

    You're not using Facebook, you work for Facebook. Spread that message to others, please.

    --
    Politics; n. : A religion whereby man is god.
    1. Re:Dear Facebook Users... by Anonymous Coward · · Score: 0

      Okay, so I work for them. Do I get paid? Oh wait they paid people to use the VPN...

    2. Re:Dear Facebook Users... by BringsApples · · Score: 1

      Oh wait they paid people to use the VPN...

      No, they paid people to install spyware on their device(s). Facebook paid them, in order to fend off the lawsuits that were sure to pop up later.

      So congratulations, you sold almost all of your personal info for $20/month. But hey, you can tell your friends that you work for Facebook.

      --
      Politics; n. : A religion whereby man is god.
    3. Re:Dear Facebook Users... by Anonymous Coward · · Score: 0

      $20/month is a lot less than minimum wage. I demand at least a minimum wage.

  11. Well by DaMattster · · Score: 4, Insightful

    Maybe the powers that be will finally take notice and start regulating privacy and big data. But more than likely, nothing will become of this. At least Apple slapped down Facebook like a mosquito.

    1. Re:Well by Anonymous Coward · · Score: 0

      Slapped them down? All they did was ban one app. A slap would have been a fine or a two day ban of all Facebook apps. Though Apple would never do that as too many users would complain that Facebook disappeared. Facebook got the info they wanted.

    2. Re:Well by forkfail · · Score: 1

      No, they revoked their developer certificate. That has huge ramifications.

      https://www.independent.co.uk/...

      --
      Check your premises.
    3. Re:Well by Anonymous Coward · · Score: 0

      I missed that, thanks.

    4. Re:Well by Anonymous Coward · · Score: 0

      Once Trump is no longer president, and the status quo is back in place, all the concerns about "user privacy" will vaporize and we will go right back to high praise for the DNCs magical data gathering techniques.

  12. Re:Bad Apple by jittles · · Score: 2

    I am going to say Bad Apple on this one. As I stated on the other article I am not sure that this app really could do a lot of the things that are being claimed. Terrible for privacy sure, but apps implementing ATS and other best practices should still have been secure.

    So now we have Apple essentially ban hammering an application outside the app store. Think about that. If you have an enterprise, and you write an application, to run on devices you have purchased; Apple might still come along and disable it; if they don't like you or it!

    This isn't really good for users, this is really anti-freedom/anti-ownership type action here. Just because it might protect a few dolts from malicious actors like facebook, does not automatically make it good.

    Uhhh do you know how Apple devices work? The people installing this app basically gave Facebook enterprise control of their devices. This means that Facebook had access to EVERYTHING. Installed apps, text messages, call history, location data, etc is all available to an enterprise owner of a device. This is why you should not use BYOD with your personal phone if the employer requires enterprise provisioning of the device. And most people, including yourself it seems, are unaware that such a capability exists and would not stop to consider the consequences of their actions. Apple ought to revoke all of Facebook's apps and development accounts over this but we know that won’t happen because Facebook will just pay to make this little sin go away.

  13. Re:Bad Apple by jellomizer · · Score: 3, Insightful

    I expect you just hate Apple because they are Apple.
    However, this is a case where this Enterprise Developer Program which was given to trusted sources, and I expect were told to play by the rules, with their elevated rights and freedom, which Facebook abused.

    It is like you welcomed a friend into your home. They are allowed to get some food out of the fridge if they were hungry or thirsty. They took the dessert you had made for after dinner, and it was rather obvious that was its intent. So this person abused the privilege they were granted, and you have the right to kick them out of your house or not invite them back in again.

    From Star Trek VI: Let us redefine progress to mean that just because we can do a thing, it does not necessarily mean we must do that thing.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  14. Misleading headline by Anonymous Coward · · Score: 0

    Mod clearly didn't understand what Facebook meant. It's stated quite clearly on page 393, sub PH69.1337. Facebook reserves the right to your network, your friends networks, your employer, your child and her teddy bear. Look for the reference to Pediatric Enrichment Developer Operator file (which you must also follow).

  15. Re: Bad Apple by Anonymous Coward · · Score: 1

    .. everything looks like a confederate flag.

  16. Re:Bad Apple by willaien · · Score: 4, Informative

    Note: I have not read Apple's TOS for their enterprise application deployment.

    If it is the case that Apple's enterprise application deployment license dictates that it's only to be used by employees or those being directly supervised by an employee, then, it's certainly fine for apple to ban this application for its flagrant disregard for their own terms. They want to control distribution of apps to the public through their app store, but allow for private distribution within enterprises. Facebook agreed to not try to go around this, but did so anyways.

  17. You know the name of the Facebook app... by Anonymous Coward · · Score: 0

    ...that collects user's data and sells it to third parties?

    It's called Facebook.

  18. Re:Bad Apple by WankerWeasel · · Score: 4, Informative

    These certificates can give complete access to everything on your phone. They can allow Facebook to read their text messages, view all their photos, see all their phone calls, etc. All depends on the permissions certificate requested at install. My company requires such a certificate installed in order to have email within the Mail app (can still access it via webmail instead), which is why I don't bother having it on my personal phone. I'm not giving them that kind of access.

  19. Re:Bad Apple by gnasher719 · · Score: 2

    I am going to say Bad Apple on this one.

    And you are absolutely completely wrong on this.

    Apple has an "Enterprise Developer" program that lets companies joining the program develop applications that they can download without any review by Apple to the phones owned by the enterprise. There is absolutely no permission to give these applications to anyone outside the company. The terms and conditions, which are in a contract signed by FaceBook, state very, very clearly that FaceBook had no permission to do what they did, and that violation of the terms means that Apple will kill any applications using the Enterprise Development Certificate.

    Usually this happens when a rogue employee steals the certificate and uses it to distribute usually malware. That malware gets nuked as soon as Apple finds out. In this case it was the company (Facebook) itself producing malware, so it gets nuked.

    Just like the previous version, an official "VPN" app, that secretly tracked everything that users of that VPN app were doing.

  20. Re:Bad Apple by gnasher719 · · Score: 4, Insightful

    So now we have Apple essentially ban hammering an application outside the app store. Think about that. If you have an enterprise, and you write an application, to run on devices you have purchased; Apple might still come along and disable it; if they don't like you or it!

    F***ing nonsense. The whole point is that they _didn't_ run the app on devices that FaceBook purchased.

  21. graph.facebook.com by Anonymous Coward · · Score: 0

    How about banning the apps which use Facebook services without the knowledge of the user?

    1. Re: graph.facebook.com by Anonymous Coward · · Score: 0

      I think they have been doing that for a long time, but the developers of those are not aware of what is happening so Apple does not want to ban other apps from the same developer that are perfectly innocent. Apple actually works very hard at taking care of its users, whether you want to believe it or not.

    2. Re: graph.facebook.com by Anonymous Coward · · Score: 0

      heh, you mean they work very hard at being perceived as taking care of its users.

      They've lied to you about your battery performance instead of letting you know that the battery is fucked.
      They've lied to you about shorting antennas, gave you a 30 day stopgap instead of fixing their shit.
      They've charged 30% on EVERYTHING, including real world objects.
      They've literally said "No reasonable person would believe [us]", and people still continue to believe them.

  22. Re:Bad Apple by overnight_failure · · Score: 3, Informative

    I'm sorry but you are factually wrong on it being an overreach by Apple.

    Apple's terms expressly allow certain use of their Enterprise certificates by developers, everything else not stated in the T&Cs is forbidden. Facebook broke the conditions set out in the T&Cs by distributing the app outside of its employees (not covered by any of the exceptions).

    Apple have every right to revoke the app and would be within their rights to terminate the developer full stop (but obviously that won't happen in this case). So this is pretty much the least they can do without doing nothing. And given how well facebook is digging their own hole with the number of privacy violations that are constantly coming to light, Apple definitely don't want to be anywhere near that train wreck.

  23. Re:Bad Apple by Altus · · Score: 1

    Enterprise distribution requires a license and while apple does allow you certain ability to use undocumented APIs to do things that would not be allowed in the App Store there are still limits. Additionally enterprise distribution is for exactly that, enterprise, not distributing apps to the general public so that you can undermine the protections people assume are in place thanks to the App Store and get at their data.

    If a company wants to do this with their employees' devices that's one thing, distributing to the world at large is another thing. Enterprise distribution is there for a reason.

    --

    "In America, first you get the sugar, then you get the power, then you get the women..." -H. Simpson

  24. Re:Bad Apple by MNNorske · · Score: 1

    When you sign up for the enterprise program you agree to certain terms. Facebook violated those terms by making an app for general distribution outside the App Store to non-employees. The enterprise program is supposed to be used for making applications for your own employees/devices.

    So Facebook completely ignored the terms of the license they agreed to when purchasing the enterprise program. Even when you develop using the enterprise program you still have to register the certificate of your application through Apple's servers and the end user has to accept the developer's certificate on their iOS device.

    Just from a contract perspective Apple has every right to remove Facebook's app. Technically Facebook could even lose access to the entire enterprise.

    In all likelihood the people installing this Facebook VPN had no idea what they were handing over to Facebook. Or that Facebook is not a brand you should really trust. So I'm ok with Apple acting as the cops in this case. They've done a good job so far in keeping my parents, sister, nieces/nephews, in-laws, etc... from doing really stupid things with their phones which contains almost every facet of their life including banking information.

  25. No, bad apple by Anonymous Coward · · Score: 0

    Wait, so you're arguing that it's okay and legal for Apple to control not just the app store, but to censor any app, at all, that it finds offensive. The Apple T&C allow apple to ban anything that might be considered politically incorrect. Read them.

    Facebook is a slimy shitshow, but it's no different than Apple.

    1. Re:No, bad apple by UnknowingFool · · Score: 2

      The problem is that you are using "any reason" when everything about this story says Facebook violated an agreement they made with Apple.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    2. Re:No, bad apple by Anubis+IV · · Score: 5, Informative

      Apple didn't ban Facebook's app because it was spying on users or because it was offensive. Apple banned Facebook's app because it was being used by end users. Except in some VERY narrow cases that don't apply here, end users are expressly forbidden from using apps licensed under the terms of the Apple Developer Enterprise License Agreement—which is appropriately subtitled "(for in-house, internal use applications)"—that Facebook agreed to.

      Companies are welcome to make anything they want for internal purposes, be it an app for inventory management, an app to order food from the in-house cafeteria, or an app to make coordinating human sacrifices to Satan easier, so long as the app remains internal. Facebook broke that cardinal rule.

    3. Re:No, bad apple by Anonymous Coward · · Score: 1

      Yes. It is OK for Apple to block any and all apps it deems offensive, inappropriate, or in violation of its T&C. Apple owns the distribution platform. It is not a public resource, it is owned by a corporation. And that corporation has every right to do with it as it pleases.

      If you don't like it, don't use it, period.

    4. Re:No, bad apple by TechyImmigrant · · Score: 0

      So why is that restriction in place? It doesn't need to be.
      I own my iPhone. If I want to run a Facebook app on it, that's my business. Not Apple's. The terms are there, but they are not reasonable.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    5. Re: No, bad apple by Anonymous Coward · · Score: 0

      Switch to Android if you don't have any concerns of internal api calls to keylog your financial transactions, theft of passwords, etc.

    6. Re:No, bad apple by AHuxley · · Score: 1

      Re "politically" AC
      That's the sin of publication and the curating of the internet part :)

      --
      Domestic spying is now "Benign Information Gathering"
    7. Re:No, bad apple by Anubis+IV · · Score: 1

      So why is that restriction in place? It doesn't need to be.

      Your statement is predicated on a willingness to compromise certain priorities. I presume Apple wants to provide certain minimum guarantees with regards to reliability and security and that they view those restrictions as a necessity in order to provide them. If that's the case, then they have no choice but to have those restrictions in place. You may think otherwise, but that seems to be because your priorities are misaligned with theirs, so you're having trouble understanding their perspective.

      If I want to run a Facebook app on it, that's my business. Not Apple's.

      Asserting a falsehood does not make it true, but if you think that it should be true that the apps you install are your business and yours alone, there are different platforms making different tradeoffs that would almost certainly better align with the ideology you're expressing. It sounds like you'd be better served going with one of them. I don't say that dismissively. I'm genuinely suggesting that I think it'd be the best course of action for you.

    8. Re:No, bad apple by TechyImmigrant · · Score: 1

      Nope. It's because I'm not party to an agreement between Apple and Facebook.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  26. Re: #HINDSIGHTIS2020 by Anonymous Coward · · Score: 0

    Do you blame him when you're unable to maintain an erection too?

  27. Does Apple have a DUTY to terminate? by Ungrounded+Lightning · · Score: 1

    Apple's terms expressly allow certain use of their Enterprise certificates by developers, everything else not stated in the T&Cs is forbidden. Facebook broke the conditions set out in the T&Cs by distributing the app outside of its employees (not covered by any of the exceptions).

    Apple have every right to revoke the app and would be within their rights to terminate the developer full stop (but obviously that won't happen in this case).

    The app was deliberately used to grossly violate user's rights. Seems to me that, if Apple does NOT terminate Facebook's license, and Facebook does it again, this could be used to argue that Apple is both civilly (user suits) and criminally (aiding and abetting violation of any of a number of anti-cracking laws) liable.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    1. Re:Does Apple have a DUTY to terminate? by Anonymous Coward · · Score: 0

      This particular app was explicitly created and marketed as "give us your information, we'll pay you for it". This app does NOT violate the user's rights at all.

      If you called out the previous Onavio incarnation or however it's spelled, then I'd agree with you as that had no indication as to what it was actually doing.

    2. Re:Does Apple have a DUTY to terminate? by Ungrounded+Lightning · · Score: 1

      This particular app was explicitly created and marketed as "give us your information, we'll pay you for it". This app does NOT violate the user's rights at all.

      Agreed.

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  28. Re:Bad Apple by spire3661 · · Score: 0

    Except, every user should be able to install software from anywhere they want, and it should NOT be Apple's place to decide what software can be distributed and executed. Facebook is shit, but Apple is the true evil here. Let the fucking users decide what they want to run and get out of the way. We don't need Tim Cook to 'save' us.

    --
    Good-bye
  29. Re:Bad Apple by Anonymous Coward · · Score: 0

    Yes, but this app was explicitly created for people to PAY PEOPLE to provide all their browsing history.

    The app's description is literally "we pay you so we can analyze your behaviours". If the user wasn't cool with this, they wouldn't have installed it. If they weren't forthcoming about the description of this app, then I'd be in total agreement with you.

  30. Re:Bad Apple by Anonymous Coward · · Score: 0

    Well, he's incorrect. FB doesn't have to purchase the devices they install their app on.

    We were forced to buy our own idevices for the business I'm in, and the company gets us to install the MDM and company app.

    As any other company, I'd be freaking out if my enterprise app was based in i devices right now. Not only did people who voluntarily gave up their information for money, your enterprise app could be pulled for any reason at any time.

  31. Holding Facebook Accountable by Anonymous Coward · · Score: 0

    This seems like the first time any entity has done anything of significance to try to hold Facebook accountable. Only when Facebook faces consequences for all their bad actions will they start behaving. If only someone could force Mark Zuckerberg to step down, go to prison, etc.

  32. Re:Bad Apple by amicusNYCL · · Score: 1

    I am not defending facebook at all. I am just saying this a bit of an over-reach on the part of Apple I think.

    What exactly do you think the appropriate response should be in dealing with what you term a "malicious actor?"

    --
    "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  33. Re:Bad Apple by UnknowingFool · · Score: 1

    If you have examples of where Apple has done other times, provide them. In this specific case, there is no question that Facebook has violated multiple Terms of Services with Apple. From a different viewpoint, it also exposes Apple in terms of liability. What would you do if you had a customer that used your platform for potentially illegal activities?

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  34. The Treasonous Don by Anonymous Coward · · Score: 0

    Don Trump? Head of the Trump crime family?

    What's he gonna do, wage a campaign from his jail cell? What for, Tightest Asshole in Cellblock C?

    Or is he just going to be forthright about it, this time - Putin/Trump 2020 - Pretty Please, Vote for Me Again. I Desperately Don't Want to Suffer The Embarrassment of Being a One-Term President?

  35. Re: #HINDSIGHTIS2020 by Anonymous Coward · · Score: 0

    No. No problema weeth erection, senor. Me an' all my MS13 friends are waiting for him on cellblock C. We' show heem real good time.

    We know he a sex fiend, so no worry, amigo. We help heem out with that.

  36. Apple controls critical infrastructure by MobyDisk · · Score: 0

    Facebook is treating this as a critical problem internally, we're told, as the affected apps simply don't launch on employees' phones anymore.

    So forget the Facebook VPN scandal for a moment here. Apple can, at their whim, make an application not work on your device. That's dangerous. The economic damage one company could do by simply revoking a critical app could outstrip the impact of the 9/11 attacks.

    We absolutely must not allow companies to wield this kind of power. Amazon should not be able to revoke e-book licenses, Apple and Microsoft and Google should not be able to revoke application licenses, etc. Imagine if they chose to do it to a competitor. Our reliability on the good will of these companies is so dangerous it makes everyone complaining about Trusted Computing back around 2000 look like prescient geniuses.

    1. Re:Apple controls critical infrastructure by Anonymous Coward · · Score: 0

      You just figured this out?

      It's too late, you chose the walled garden over the open (dangerous!) internet.

      The damage is done and won't be undone.

    2. Re:Apple controls critical infrastructure by Anonymous Coward · · Score: 0

      Apple can, at their whim, make an application not work on your device.

      Apple can revoke certificates but Google can install arbitrary binaries on your phone via their Google Play Services Framework. There is no way to disable Play Services updates unless you root your phone.

    3. Re:Apple controls critical infrastructure by Anonymous Coward · · Score: 0

      Apple can, at their whim, make an application not work on your device. That's dangerous. The economic damage one company could do by simply revoking a critical app could outstrip the impact of the 9/11 attacks.

      We absolutely must not allow companies to wield this kind of power.

      oh, man, you're gonna be so pissed when you find out how TLS certificates and the entire DNS system function.

  37. Re:Bad Apple by Anubis+IV · · Score: 5, Informative

    Replying to myself since a lot of people seem to be under the woefully incorrect impression that Apple's license terms are in some way vague about this stuff. They aren't. Not at all. Facebook agreed to the Apple Developer Enterprise License Agreement, which—I can't make this stuff up—is actually subtitled "(for in-house, internal use applications)". I'm not even kidding. And it appears it was last updated in October, well before this scandal made the news.

    Emphasis is mine unless otherwise noted.

    The Purpose section, right at the top of the document, starts with:

    Your company [...] would like to use the Apple Software (as defined below) to develop one or more Internal Use Applications (as defined below) for Apple-branded products[...] and to deploy these Applications only for internal use within Your company [...]

    In the very next paragraph is this note:

    Note: This Program is for internal use, custom applications that are developed by You for Your specific business purposes and only for use by Your employees and, in limited cases, by certain other parties as set forth herein.

    So how do they define "Internal Use Application"? Like this:

    “Internal Use Application” means a software program [...] that is developed by You on a custom basis for Your own business purposes (e.g., an inventory app specific to Your business) [...] and solely for internal use by Your Employees or Permitted Users, or as otherwise expressly permitted in Section 2.1(f). Except as otherwise expressly permitted herein, specifically excluded from Internal Use Applications are any programs or applications that may be used, distributed, or otherwise made available to other companies, contractors [...], distributors, vendors, resellers, end-users or members of the general public.

    So, basically, you can't distribute your apps outside your company. But just in case someone thinks they're being sly with mention of "Permitted Users" and "Section 2.1(f)":

    “Permitted Users” means employees and contractors of Your Permitted Entity who have written and binding agreements with You or Your Permitted Entity to protect Your Internal Use Application from unauthorized use in accordance with the terms of this Agreement.

    I.e. Not the sorts of people who were using the app in question. Not at all. And what about Section 2.1(f)? Section 2.1 lists out the comprehensive set of acceptable uses. They basically boil down to these:
    - 2.1(a)(b)(c)(d)(g): Developers/testers working on the app are allowed to do typical developer/tester stuff for development/testing purposes
    - 2.1(e): Your company's employees can install provisioning profiles to use the app for internal use only
    - 2.1(f): Your customers can use the app, but only when they are "on [y]our physical premises" or under "the direct supervision and physical control of [y]our [e]mployees"

    And then right after that section, they add:

    Except as set forth in Section 2.1, You may not use, distribute or otherwise make Your Internal Use Applications available to Your Customers or to any third parties in any way

    All of which is to say, Apple really couldn't get more explicit about the fact that this license is only for internal use only, which Facebook was grossly and flagrantly violating. The only way they couldn't have known better was if Facebook literally skipped the bolded subtitle of the document, the first paragraph, the second paragraph, all of the definitions of terms, and a section that was pointed to numerous times throughout the document that spells out appropriate uses.

  38. Re:Bad Apple by Rick+Zeman · · Score: 1

    I am going say Bad Apple on this one. As I stated on the other article I am not sure that this app really could do a lot of the things that are being claimed. Terrible for privacy sure, but apps implementing ATS and other best practices should still have been secure.

    I'm not. The app installs a Facebook root certificate. Once that happens it's Game Over for any app to have any privacy.

  39. Apple Privacy Advocate by Anonymous Coward · · Score: 0

    Apple has (thankfully) come down on the side of personal privacy and personal liberties. It might be what saves them. Without it, many of us would have gone to Android years ago. Thank you Apple. I'd even give up a headphone jack to maintain my privacy and security.

  40. I guess... by Anonymous Coward · · Score: 0

    ...Facebook wouldn't let Apple in on the data, then.

  41. Re:Bad Apple by nine-times · · Score: 4, Informative

    I think you're misunderstanding something about this story, but I'm not sure what. This seems to be what happened:

    Apple has privacy protection built into their products to protect their customers. There are limits to the amount of control an App has over a device, and what data can be collected. They do things like, just as an example, prevent Facebook from snooping on every site you visit on your phone's browser just because Facebook's app is installed.

    However, Apple doesn't want these rules to hamstring large business customers from having control over their own devices. For example, maybe some company wants to use iPads for industrial purposes in their warehouses to track inventory. For iOS to be a good platform for that, the company wants to be able to develop their own app that can take greater control of the device than Apple normally allows. Ok, fine, Apple has a developer program for large businesses to cater to that kind of thing.

    Apple lets big businesses have greater control over their own devices, but as part of the agreement to allow that, Apple specifies that they're only allowed to use this greater level of access on their own devices, and not use it to distribute apps to consumers. Otherwise, developers could just use this access willy-nilly to get past all of Apple's security and privacy protection. Seems reasonable enough, right?

    Now along comes Facebook, and they do the exact thing Apple says not to do, and for the exact reason Apple says not to do it. They use their Enterprise program to sidestep Apple's privacy protections so that they can spy on Apple users. In response, Apple revokes their ability to distribute apps that way.

    Now if I'm being honest, I'd prefer that Apple allowed us all to use apps from outside of the App store. I don't really like the walled garden, and I'd prefer that Apple not rely on walled gardens for security. However, given that there is a walled garden and Apple does rely on it to secure their devices, it only makes sense that they'd enforce it.

    Ultimately, it boils down to this: Facebook entered into an agreement with Apple in order to receive a greater level of access than developers normally have. Facebook then violated both the letter and spirit of the agreement, so Apple responded by revoking that greater level of access. I don't see any valid interpretation for how Apple is in the wrong here.

  42. Reminds me of cable vs. channel wars by edi_guy · · Score: 1

    From time to time a cable channel will spar with a provider, think TBS vs TimeWarner or whatever. Each one thinks their customer base will forgo the other one. In this case, let's say that Apple went full nuclear on FB and just stopped their app entirely. "Dear Apple iPhone user, you have 30 days then FB app stops working" I really wonder what people would trade, their iPhone or FB.

    I think FB is like cable TV, people waste an inordinate amount of time on it, think they are dependent, but just like when you 'cut the cord' for cable TV, after a few weeks you realize you miss almost nothing of the old way. I would love Apple to kill off FB just to let millions of people see that they can live without social media.

  43. Re:Bad Apple by Anubis+IV · · Score: 1

    By "pulled for any reason", you apparently mean "flagrantly disregarded the cardinal rule of the license, which is spelled out in plain language in the subtitle, first paragraph, second paragraph, definitions, appropriate use section, etc. of the license to which they agreed". The license Facebook agreed to is subtitled "for in-house, internal use applications". It really couldn't be any clearer. You can make apps for internal use, so long as they remain internal.

    I'd be freaking out if my enterprise app was based in i devices right now.

    Why? Are you breaking the cardinal rule of the license as well? Apple continues to let companies make internal apps to do anything those companies feel like, so long as those apps remain internal. Facebook broke the cardinal rule, so their certificate was revoked. No one using the license in good faith is in any sort of danger here.

  44. Re:Bad Apple by KlomDark · · Score: 1

    >I expect you just hate Apple because they are Apple.

    I seriously detest Apple. But I've got to say they did the right thing here.

  45. And google? Why haven't you done the same? by Anonymous Coward · · Score: 0

    Wouldn't it be nice if Google did the same thing?

  46. Re: Bad Apple by Anonymous Coward · · Score: 0

    ^ found the whiny Confederate fag...

  47. repeat offenders by nicolaiplum · · Score: 1

    "Facebook is treating this as a critical problem internally, we're told, as the affected apps simply don't launch on employees' phones anymore."

    If they were not repeat offenders against user privacy and Apple's store policies, they might not get treated like this.

    But they are and they do.

    --
    "For a successful technology, reality must take precedence over public relations, for Nature cannot be fooled"
  48. Re: Bad Apple by Anonymous Coward · · Score: 0

    Provisioning a cert doesn't grant that kind of rights to everything; the cert can literally be "consider the TLS connection to our mail server trusted because you have our root CA cert", which is no different than "consider example.com trusted because it has a cert signed by VeriSign" in your browser.

    Provisioning a cert then running a VPN where you can proxy ALL data traffic via an encrypted connection that is "trusted" because of the installed cert is a different story - you can then decrypt and read any data something sends as it sends it, then forward it on transparently or alter it if you feel like it (MITM).

  49. Re:Bad Apple by Anonymous Coward · · Score: 0

    There are rules that you agree to follow when you are granted an Enterprise CA certificate that lets you sign private apps. If you do not follow the rules, the certificate is revoked.

    It is as simple as that. It happens very frequently. The only newsworthy item here is that it happened to Shitbook.

  50. Re:Bad Apple by Anonymous Coward · · Score: 0

    Apple is not taking away user choice. The choice exists and is clear: use Apple devices and abide by its rules, or don't. If you don't like it, GTFO.

  51. Re:Bad Apple by Anonymous Coward · · Score: 0

    I don't think you understand how permissions work in iOS.

  52. Re:Bad Apple by Anonymous Coward · · Score: 0

    What you described has nothing to do with normal apps that you sign with an enterprise cert.

    What you described is VPN provisioning, which is what Facebook did here.

    But that does not mean that any enterprise signed app can do that.

  53. Nope, all Enterprise Facebook apps down. by SuperKendall · · Score: 1

    Reports are all Facebook internal iOS apps (and betas) are dead.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Nope, all Enterprise Facebook apps down. by Lord_Jeremy · · Score: 1

      I spoke to a friend who is senior in their desktop tech deployment. They do have multiple orgs and certs but Apple revoked all of them. Presumably, Apple's logic is they wanted to a) ensure anything that may have been improperly deployed was bricked and b) send a message.

  54. Re:Bad Apple by Anubis+IV · · Score: 1

    I don't think you understand how enterprise provisioning profiles work, given that they can bypass permissions altogether.

  55. Android bot will welcome all of the Facebook... by Anonymous Coward · · Score: 0

    ...with loving, open, slightly yellow-green, arms filled with glorious technology goodness. Facebook could be the single greatest force to killing off iOS by simply removing the Facebook and related apps from iOS app store, thus forcing all the Facebook et al junkies over to Android. Hey, less software to maintain allows for greater focus.

    Apple would 180 so fast, it would give Slashdot editors' eyeballs serious whiplash.

  56. Research app? by Sideshow+Mark · · Score: 1

    Facebook's "research app"? You mean Facebook?

  57. Re:Bad Apple by Anonymous Coward · · Score: 0

    Apple has a policy of what software it allows on its device and as part of its developer license, you can't distribute apps outside your orgs. FB did it and they revoked its developer license. This is same as you try to put a new firmware in XBOX and Microsoft yanks you out of its XBOX live network.

  58. Richard Stallman Was Right by Anonymous Coward · · Score: 0

    If you don't have the freedom to decide what does and does not run on the computing device then you are not the owner of the device. That is not freedom. It's not Libre. What will Apple ban next from the device that you paid for?

  59. Re: Bad Apple by Anonymous Coward · · Score: 0

    Using your "visiting friend" scenario, I took it as...
    You invite your friend over to hang, drink beer and relax, if he's hungry there's last night's BBQ wings in the fridge and chips in the cabinet.
    As you wake from a short nap, you find he drove and wrecked your car, went through your wallet and is now in bed with your wife.

  60. Re:Bad Apple by strikethree · · Score: 1

    Well, it is only partially nonsense. In this particular scenario, what he is saying is pointless... but this does actually point out the fact that Apple COULD deeply affect your business in this way even if you did not break a rule. That is the possibility that is scary. In this particular scenario, everything was kosher and above board. :)

    --
    "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
  61. Re:Bad Apple by Highdude702 · · Score: 1

    Re:Bad Apple (Score:-1, Informative)
    ^^^

    Well, In the typical Slashdot meme. Facts get -1 Informative. You can't make this shit up people! Goes to show, life is comedy. I love it.. lol