Apple Blocks Google From Running Its Internal iOS Apps

Apple has now shut down Google's ability to distribute its internal iOS apps, following a similar shutdown that was issued to Facebook earlier this week. From a report: A person familiar with the situation tells The Verge that early versions of Google Maps, Hangouts, Gmail, and other pre-release beta apps have stopped working today, alongside employee-only apps like a Gbus app for transportation and Google's internal cafe app. UPDATE: Apple has restored Google's Enterprise Certificate so its internal apps will now function.

Good to see

[redback]

Good to see that Apple are not letting these big corps get away with breaking the rules.

Re:Good to see

[Anubis+IV]

How was Apple supposed to know? The whole point of enterprise apps is that enterprises can run anything they want on any of their devices without going through Apple. The users who were involved in this stuff were installing provisioning profiles that identified their devices as belonging to Facebook and Google. Given that Apple isn't privy to employee records at Facebook and Google, they have no way of telling whether provisioning profiles are being abused, so again I ask: how was Apple supposed to know?

Re:Good to see

[Anubis+IV]

How do you figure? The enterprises affected so far have all been caught redhanded in the act of flagrantly misusing a "for in-house, internal use applications" license to intentionally deploy applications externally. The only enterprise level purchases who should be quaking in their boots are purchasers acting in bad faith.

Re:Good to see

[divide+overflow]

This should demonstrate to enterprise level purchasers the peril in becoming involved with Apple, who are historically an enterprise-hostile vendor.

Or perhaps it will demonstrate that Apple won't let them get away with abusing their internal use certificates that allow less restricted use of device resources in order for those licensees to take further advantage of public end users and violate Apple's software license agreements.

Re:Good to see

[Anubis+IV]

Both companies employee tens of thousands of people around the world, and enterprise apps aren’t registered through Apple, so they don’t know what the names of the apps are like you seem to think. Unlike the App Store, they’re signed by the enterprises themselves without Apple’s involvement, other than Apple issuing a certificate that can be reused time and time again.

Re:Good to see

[Highdude702]

... You're missing the point. They weren't making employees install this shit, they were releasing these outside of the company. That's what he means by internal and external. In case you didn't know..

I have to think this will be restored sometime...

[SuperKendall]

I think for both Facebook and Google, enterprise certs will be restored at some point - maybe Apple is going to do a review of all the apps signed with them and devices they are installed on before restoring.

There are a lot of valid uses of enterprise certs too, I think this blanket cancellation is more a message to never do it again, then they'll at least get internal apps back.

and that will just lead to laws force them to open

[Joe_Dragon]

and that will just lead to laws force them to open to outside apps. Maybe the EU can push that though.

Clarification

[Dan+East]

So... as usual the summary (and even TFA in this case) had me confused about what is going on here. At first I thought Google was redistributing Apple's internal iOS apps. I thought maybe they were embedding iOS apps within their own apps or something. Anyway here's what this is about.

An enterprise developer license for iOS allows a developer to sign an app for limited *internal* distribution of an app. This is for testing and enterprise use internally within the company the license was issued to. This is in contrast to apps intended for public distribution, which as we know can only be done through the iOS App Store, and which requires Apple to approve the app.

What Facebook and Google have been doing is publicly distributing what should be internal-use-only apps to the public - apps that would not be approved by Apple for various reasons (including privacy issues) - through their enterprise developer license. So it's clearly a violation Apple's terms, and it sounds like both FB and Google are doing the overreaching data collection through these special apps.

Apple has reacted, disabling the signing keys for these apps so they no longer function.

Re:I have to think this will be restored sometime.

[the_B0fh]

Oh, you mean instead of following the letter of the contract you signed, you do something that violates that contract, and when you are caught, and the other party terminates their part of the contract, it is their fault?

You are a special kind of stupid, aren't you?

Re:Walled gardens are trash

No, not really. Your premise is false. Normal people can't secure their device; Windows before the garden was "insecure" because people installed stuff without performing a security audit first.

Everyone I know looked at me really weird when I told them what I had to do to stay secure on an open platform.

They all asked me if they could just buy something secure and not have to get a CS degree.

So they have an iPhone now. /shrug

Further clarification - not limited

[SuperKendall]

An enterprise developer license for iOS allows a developer to sign an app for limited *internal* distribution of an app.

The point of the Enterprise developer license is it lets you distribute unlimited internal applications for use by your employees, on any number of devices.

When you have a developer certificate, you have to register devices you want to be able to distribute test builds for. Using an enterprise certificate for deployment, you do not have to register anyones device in your developer portal - in that way it's like an App Store build, but you can choose who to send the IPA (compiled app bundle) to for distribution.

Because it could be any device and Apple does not really know who is an employee or not, there's no control over who can install an enterprise signed IPA. That how companies were able to do this for so long, because Apple does not police this. It's a good idea because it keeps a lot of apps from the App Store that would be of no use to anyone outside of employees.

Apple does provide a way to do limited external testing, called TestFlight - there you can distribute a built to up to 10,000 external testers.

So it's clearly a violation Apple's terms....Apple has reacted, disabling the signing keys for these apps so they no longer function.

Oh yes, it's a very clear violation of terms as you are told when you sign up for the program that it's only for use by employees of the company (or contractors).

They didn't just revoke they keys for those apps though, they revoked the whole certificate on which all app distribution profiles were built - affecting possibly hundreds of valid internal apps as well. But since all we know is Google/Facebook were not obeying the rules, was the smart thing to do as who knows how many other apps were being sent outside the company... not quite sure how companies walk back from this to restore enterprise builds, as I've never seen a company run afoul of this rule before.

Re:Further clarification - not limited

Yes, we'll all take note - that Apple considers the privacy of their users to be of paramount importance. So important, in fact, that Apple will drop even facebook and google from their platform if that's what it takes.

Re: Further clarification - not limited

Blatant violation requires extreme response. This was a message to Google and Facebook to stop being total dicks

Re:I have to think this will be restored sometime.

[Anubis+IV]

Isn't it a message to every enterprise everywhere that Apple are in total control of your platform and can disable your work without notice or warning, rendering any investment you made worthless?

"Without notice or warning"? They flagrantly disregarded the cardinal rule of the license they agreed to, which is spelled out in plain language in the subtitle, first paragraph, second paragraph, definitions, appropriate use section, etc. of the license. The license is even subtitled "for in-house, internal use applications". It really couldn't be any clearer. You can make pretty much anything you want for internal use, so long as it remains internal.

If I were a corporation looking to deploy an internal app, I'd be looking at non-apple options. Having your internal platform disabled could cripple smaller business to the point of threatening their viability.

Why? Is your hypothetical corporation breaking the cardinal rule too? The only people who need to be worried are those who haven't been using the license in good faith. So long as you're using the license as it was plainly intended to be used—to develop and use apps internally—you have nothing to fear, despite suggestions to the contrary.

Re:I have to think this will be restored sometime.

[Anubis+IV]

By all indications, Facebook and Google agreed to the same license as everyone else, and the license is anything BUT ambiguous, given that it's subtitled "for in-house, internal use applications" and then only gets more explicit about how it's intended to be used from there. I ran through a lot of the details about the license in a comment yesterday.

Re:I have to think this will be restored sometime.

[Anubis+IV]

Apple apparently confirmed at least some of your thoughts in a comment given to BuzzFeed:

We are working together with Google to help them reinstate their enterprise certificates very quickly

As Daring Fireball points out, however, they've said nothing of the sort with regards to Facebook.

Re:I have to think this will be restored sometime.

[Highdude702]

Apple's draconian contract enforcement

This is the only thing I'm going to touch on here.

  With the facts in the thread you have replied to, you basically said you want anarchy. No enforceable contract.