Apple has disabled Facebook and Google’s internal applications after privacy violations were revealed, leaving Google and Facebook employees at a standstill for key operations. In other Apple news, the tech giant’s revenue declined over the holiday quarter, and it’s reportedly testing new iPhones with three rear cameras and a USB-C port.
This week on The Vergecast, Nilay Patel, Paul Miller, and Casey Newton reckon with Apple’s power move against Facebook and Google. Below is a lightly edited portion of that conversation.
Nilay Patel: World War 4 has begun. Apple, which is an important company that makes phones and laptops and software, yanked Google’s enterprise software certificate for iOS, which is the software certificate that lets Google deploy its own internal apps without going through the App Store, thus shutting down all of its betas of Gmail, YouTube, and Maps on iOS and their own internal apps like the one that shows them the menus in the cafe. This literally just happened. It happened minutes before we started taping.
This follows the fact that Apple did this to Facebook yesterday. Same situation: yanked the enterprise certificate for Facebook so people can no longer look at their bus schedule or test builds of Instagram. This is all in response to both Facebook and Google running research apps — user research apps?
Casey Newton: Market research apps. So there are plenty of these kinds of programs, and all kinds of companies that’ll pay you 20 or 50 bucks, give you a gift card in exchange for some amount of your time, and typically, you’ll just sort of answer a bunch of questions about the product and the competition. What made this really different was that they were using a program designed to let companies test apps internally in order to do market research with their customers, and after Apple became aware of it, they pulled the plug and said no.
NP: So Facebook very famously owned a VPN called Onavo, which is a bad name. And so famously Facebook bought this VPN company. They let people install Onavo Protect, and the app ran all the traffic through this VPN to say you were more secure, but really what Facebook was doing was monitoring this traffic to see which apps were taking off, which features you were using. So this is how they discovered that WhatsApp was taking off. I believe before they acquired WhatsApp, it’s how they discovered Snapchat Stories were taking off, and they cloned it to Instagram Stories. So Facebook is monitoring user behavior on the iPhone through this Onavo Protect app.
At one point, I believe they even had a tab in Facebook, the big blue app, that said Onavo Protect to try to get you to install Onavo Protect, which is insane. This all came out. Apple said “Wait wait wait. This is not cool. We do not want anyone.” We saw Facebook monitoring user data. That’s why they banned Onavo Protect. But it turns out, the same code and the headers of the research app were being used for this Facebook research. So Facebook is running a research program where everyone is focused on teens. I think it was more than teens, right?
NP: They were targeting people ages 13 to 35, so a broad definition of “teen,” but teen is in the mix where you would get like a $20 gift card if you sign up for this program through one of their vendors. They would send you the certificate that lets you side-load apps onto an iPhone. Famously, you cannot side-load apps onto an iPhone — you have to go through the App Store — but if you have an enterprise certificate, you can deploy apps without the App Store. So Facebook would send you their enterprise certificate, you would side-load this app that had a ton of Onavo code in it, and it would monitor everything that was happening on your phone. In some cases, it appears they were able to bypass that layer on even encrypted chats, too.
Paul Miller: Obviously, a VPN app like the Onavo app could track a lot of what you do based on your internet traffic. A side-loaded app, theoretically, has a lot more privileges than just a regular VPN app that you got through the App Store. Yep. Was this app doing a lot more than a VPN?
CN: Ben Thompson wrote about it today and described it as kind of like what in other terms would have been a classic man-in-the-middle attack where they were able to intercept basically anything. The original TechCrunch article says that text messages and email content would have been accessible to the person. So based on the reporting we’ve read, it seems like this was like a near-total access to all of the most sensitive data on your phone. Once again, we should say people volunteered to submit. Assuming they actually read the terms of service.
NP: For $20! Would you give Facebook access to your phone for 20 bucks?
CN: I think that we should acknowledge that 20 bucks is a meaningful amount of money to a lot of people, especially people who, let’s say, are 13 years old and. Interestingly, I posted an article today in which it interviewed some of the people who were apparently participating in this program, and some of them in this way that kind of depressed me said, “You know, we thought that this data was being sent to random companies anyway, so you know, to us, it was free money.”
NP: Facebook is doing this. They’re installing this side-loaded app through this research program. They’re using their enterprise certificate to get on the phone, and that’s really the heart of the thing where the actual sort of Facebook is once again doing something shady with user data. Right? Their excuse is, I think Sheryl Sandberg even just said this to CNBC, they signed up. They signed up. They wanted this to happen. They got paid like this was the deal that parents like.
So there’s like a whole conversation about this app and whether it should work. But then there’s the issue of the enterprise certificate right there side-loading apps in iOS. So Apple responds, and we broke the story. We give credit to TechCrunch, and I give credit to our team. We broke the story yesterday. They yank Facebook’s enterprise certificate these days just disable it, which causes this chain reaction. Every other side-loaded Facebook app that uses a certificate just stops working, and you click on it, and it doesn’t open.
NP: Yes. Correct. It sounds very much like everyone does it, anyway. Which is a thing. I don’t know anything about what they’ve considered internally, but I will tell you that, I tweeted this, it’s pretty disturbing that Apple can just disable these certificates. It’s basically like a vacation day at Facebook from what I can surmise. Casey is nodding his head. Did you hear that, too?
CN: Yes. I mean just imagine, you know, your entire workflow is dependent on you having access to the iOS app that you’re working on, and there is literally no way for you to get it to launch anymore.