A loophole in Apple's enterprise certificate program for iOS apps allowed Facebook and Google to bypass the App Store review with market research apps designed to collect user data.
The enterprise certificate program on iOS allows developers to distribute internal corporate apps without needing to pass Apple's App Store reviews and can allow apps with much broader permissions than would be allowed through the App Store.
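What distinguishes an enterprise-distributed build from an App Store one is visible in the app's embedded provisioning profile, which is where an organization auditing the apps on managed devices would look. The following added example, written for this page and not code from Apple, Facebook or the article's sources, carves the plist payload out of an `embedded.mobileprovision`, classifies the profile by its standard keys (`ProvisionsAllDevices` marks in-house distribution, `ProvisionedDevices` a device-list profile, `Entitlements/get-task-allow` a debuggable build) and flags any enterprise-signed app whose `TeamIdentifier` is not one the organization owns. The `.ipa` it inspects is a constructed fixture built inside the block; team IDs, bundle IDs and the stand-in bytes standing in for the CMS envelope are assumptions for illustration. It does not verify Apple's signature over the profile.

```python
"""Flag enterprise-signed iOS apps by inspecting the embedded provisioning profile."""
import io
import plistlib
import zipfile
from datetime import datetime, timezone

PROFILE_SUFFIX = ".app/embedded.mobileprovision"


def extract_profile_plist(profile_bytes: bytes) -> dict:
    """Carve the XML plist out of a CMS (PKCS#7) wrapped .mobileprovision.

    This locates the plaintext payload only; it does not verify Apple's
    signature over it (on macOS, `security cms -D -i <file>` does both).
    """
    start = profile_bytes.find(b"<?xml")
    end = profile_bytes.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist payload found in provisioning profile")
    return plistlib.loads(profile_bytes[start:end + len(b"</plist>")])


def classify_profile(profile: dict) -> str:
    """Map the profile's keys to the distribution method they imply."""
    entitlements = profile.get("Entitlements", {})
    if profile.get("ProvisionsAllDevices"):
        # In-house (enterprise) distribution: installs on any device, never reviewed by Apple.
        return "enterprise"
    if "ProvisionedDevices" in profile:
        # Device-list profiles: debuggable builds are development, the rest are ad hoc.
        return "development" if entitlements.get("get-task-allow") else "ad-hoc"
    return "app-store"


def audit_ipa(ipa_bytes: bytes, trusted_teams: set, now: datetime = None) -> dict:
    """Summarise who signed the app and whether it needs a closer look."""
    if now is None:
        # plistlib returns naive UTC datetimes, so compare against naive UTC.
        now = datetime.now(timezone.utc).replace(tzinfo=None)
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as ipa:
        names = [n for n in ipa.namelist()
                 if n.startswith("Payload/") and n.endswith(PROFILE_SUFFIX)]
        if not names:
            # Apps installed from the App Store carry no embedded profile.
            return {"kind": "none", "flag": False}
        profile = extract_profile_plist(ipa.read(names[0]))
    kind = classify_profile(profile)
    teams = set(profile.get("TeamIdentifier", []))
    expires = profile.get("ExpirationDate")
    return {
        "kind": kind,
        "profile": profile.get("Name"),
        "team": profile.get("TeamName"),
        "app_id": profile.get("Entitlements", {}).get("application-identifier"),
        "expired": bool(expires and expires < now),
        # The pattern in the article: enterprise-signed by a team that is not yours.
        "flag": kind == "enterprise" and not (teams & trusted_teams),
    }


def build_sample_ipa(enterprise: bool, team_id: str, expiry_year: int) -> bytes:
    """Constructed fixture (not a real Apple artefact): a minimal .ipa whose
    profile is wrapped in stand-in bytes where the CMS envelope would be."""
    profile = {
        "Name": "Example Distribution Profile",
        "TeamName": "Example Corp",  # assumed team name for illustration
        "TeamIdentifier": [team_id],
        "ExpirationDate": datetime(expiry_year, 1, 1),
        "Entitlements": {
            "application-identifier": f"{team_id}.com.example.research",
            "get-task-allow": False,
        },
    }
    if enterprise:
        profile["ProvisionsAllDevices"] = True
    wrapped = b"\x30\x82\x0b\xad" + plistlib.dumps(profile) + b"\x00" * 8
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Research.app/embedded.mobileprovision", wrapped)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_ipa(enterprise=True, team_id="ABCDE12345", expiry_year=2099)
    print(audit_ipa(sample, trusted_teams={"ZZZZZ99999"}))
```

On a real device fleet the same check is usually run against the profiles an MDM reports rather than against extracted `.ipa` files, but the decision is the same: an app whose profile provisions all devices and whose team is not one of yours was installed outside App Store review, which is exactly what the enterprise program's terms are meant to prevent.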
A new report from TechCrunch revealed that Facebook compensated users as young as 13 years old via gift cards to install the Facebook Research app, which could collect messages and media from social media and instant messaging apps and continuously track users' location. TechCrunch reported the Facebook Research app was similar to another app from the social media giant, Onavo Protect, which relied on Facebook's enterprise certificate to obtain root-level access to users' device traffic and was banned from Apple's App Store.
Facebook shut down the iOS version of its Research app after the report broke, but Apple still revoked all of Facebook's enterprise certificates, meaning no Facebook apps in development internally can be run on iOS devices. The Android version of Facebook Research is still running; Google did not respond to requests for comment as to whether that app is in violation of any Google policies.
Apple said in a statement that its Developer Enterprise Program was designed "solely for the internal distribution of apps within an organization."
"Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple," an Apple spokesperson said. "Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data."
Google shut down its own market research app, dubbed Screenwise Meter, following another TechCrunch report claiming it used the same enterprise certificate loophole to allow users to install the app on iOS. As yet, Apple has not taken any action against Google's internal developer certificates.
Facebook did not respond to requests for comment but provided a statement to other media outlets that claimed the Facebook Research app wasn't "spying" on users and that less than 5% of users were teens.
In an interview with CNBC, Sheryl Sandberg, COO of Facebook, said the company pulled the app as soon as it realized the app "wasn't in compliance" with Apple's enterprise certificate program, implying no one realized the program was only for internal corporate apps.
Experts noted that these issues with companies bypassing the rules of Apple's enterprise certificate program should be a warning to other organizations and employees.
Francis Dinha, CEO of OpenVPN, said there's not much enterprises can do to protect company data "if employees willingly give permission to an application to harvest data."
"Short of regular device audits or banning any BYO [bring-your-own] device program, enterprises simply have to trust their employees," Dinha said. "That's where education becomes so essential: If your company data is going to be on your employees' devices, you need to make sure they know the critical steps to take to protect that data. Educate them about the risks, cybersecurity best practices, the basic structure of the device and how information is shared, so they can be more aware of how to protect your company's information. You can't blame your employees for putting data at risk if you don't fairly inform them of your expectations -- or how exactly to implement them."
Chad McDonald, vice president of customer experience at cybersecurity vendor Arxan in San Francisco, said the key to effective administrative policies is enforcement.
"If a user is providing their own device, then it's easy to fall into a 'my device, my rules' posture. The enterprise has an obligation to clearly establish and communicate data ownership and usage criteria regardless of the geography of the data itself," McDonald said. "Sharing corporate data existing even in something as innocuous as a contact list on your phone may be a violation of privacy regulations. The responsible enterprise has an obligation to provide not only awareness to its constituency, but also the tools necessary to help users remain diligent in their own efforts to do the right thing."
Dinha added that employees should also be careful when installing any internal corporate apps.
"If you're downloading an internal corporate app, ideally you'd have developed trust there and understand clearly the amount of access that app will have to your private data. If you have reason not to trust your company, don't install the corporate app on your personal device," Dinha said. "Use a work phone. If they expect you to download an internal app, they'll be providing a device for it anyway. You're under no obligation to reveal deeply personal data to your employer and should not be penalized for protecting it."