Apple Revokes Enterprise Developer Certificates

On Tuesday TechCrunch reported that Facebook had been paying people, in particular teens, $20 a month to install its "Facebook Research" app. The "Research" app includes a Virtual Private Network (VPN) client. It is a rebranded version of Onavo, an app that was removed from the public iOS App Store in August 2018 because it violated the App Store terms of service.

Facebook installed the app using an Enterprise Developer Certificate, which is designed for distributing applications to a company's own employees. Apps signed this way never go through App Store review, so the certificate holder's agreement with Apple is the only control on what they do. Instead of limiting distribution to its own employees, Facebook used the certificate to install the app on the devices of external testers. This is a direct violation of the terms of service for the Enterprise Developer account, which Facebook agreed to when signing up for the account.

Once Apple found out about this, they revoked the Enterprise Developer Certificate. Revoking this certificate had a major impact on Facebook. Not only did the "Facebook Research" app stop working, every internal application Facebook had signed with the same certificate also stopped launching, since iOS will not run an app whose signing certificate has been revoked.
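The article does not show how to tell which distribution channel an iOS app was signed for. The following Python is an added example, not code from the article, from Facebook or from Apple: it reads the plist that every signed app carries in its embedded.mobileprovision and reports the signing team, the distribution kind (in-house enterprise, ad hoc, development or App Store) and the expiry. The profile bytes, the team ID ABCDE12345 and the bundle ID com.example.internal are constructed for the example; the surrounding bytes only stand in for the real CMS envelope, which the parser skips rather than verifies.

```python
import plistlib
from datetime import datetime, timezone

# Constructed sample, not an Apple-issued profile. A real embedded.mobileprovision
# is a CMS (PKCS#7) DER envelope whose signed payload is an XML plist stored in
# the clear; the bytes before and after the plist here merely mimic that envelope.
SAMPLE_PROFILE = (
    b"\x30\x82\x0f\x00\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"
    + b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AppIDName</key>
    <string>Example Internal App</string>
    <key>ExpirationDate</key>
    <date>2020-01-15T12:00:00Z</date>
    <key>Name</key>
    <string>Example In-House Distribution</string>
    <key>ProvisionsAllDevices</key>
    <true/>
    <key>TeamIdentifier</key>
    <array>
        <string>ABCDE12345</string>
    </array>
    <key>TeamName</key>
    <string>Example Corp</string>
    <key>Entitlements</key>
    <dict>
        <key>application-identifier</key>
        <string>ABCDE12345.com.example.internal</string>
        <key>get-task-allow</key>
        <false/>
    </dict>
</dict>
</plist>"""
    + b"\xa0\x82\x00\x20\x30\x82\x00\x1c"
)

# Reference date for the worked run: the day this article was written.
AS_OF = datetime(2019, 1, 31)


def extract_plist(blob: bytes) -> dict:
    """Pull the XML plist out of a provisioning profile's CMS envelope.

    The plist sits in plaintext inside the signed data, so locating the
    <?xml ... </plist> span is enough to read it. This does NOT verify the
    CMS signature; that is a separate check and is not done here.
    """
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no XML plist found in provisioning profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def classify_profile(profile: dict) -> str:
    """Name the distribution channel a provisioning profile allows.

    Heuristics based on the standard profile keys:
      ProvisionsAllDevices true            -> in-house (enterprise) distribution
      ProvisionedDevices + get-task-allow  -> development
      ProvisionedDevices only              -> ad hoc
      neither                              -> App Store
    """
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"
    entitlements = profile.get("Entitlements", {})
    if "ProvisionedDevices" in profile:
        return "development" if entitlements.get("get-task-allow") else "ad-hoc"
    return "app-store"


def audit_profile(blob: bytes, now: datetime = None) -> dict:
    """Summarize who signed the app, how it may be distributed and until when."""
    if now is None:
        now = datetime.now(timezone.utc).replace(tzinfo=None)
    profile = extract_plist(blob)
    expires = profile["ExpirationDate"]  # plistlib yields a naive UTC datetime
    return {
        "team_id": profile["TeamIdentifier"][0],
        "team_name": profile.get("TeamName"),
        "app_id": profile["Entitlements"].get("application-identifier"),
        "kind": classify_profile(profile),
        "expired": now >= expires,
        "days_remaining": (expires - now).days,
    }


if __name__ == "__main__":
    for key, value in audit_profile(SAMPLE_PROFILE, now=AS_OF).items():
        print(f"{key}: {value}")
```

On macOS the same plist can be dumped from a real file with `security cms -D -i embedded.mobileprovision`. Note what this check cannot tell you: it does not verify the CMS signature, and an unexpired enterprise profile says nothing about whether Apple has since revoked the certificate, which is exactly what made Facebook's internal apps stop launching.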

From an Apple spokesperson:

“We designed our Enterprise Developer Program solely for the internal distribution of apps within an organization. Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.”

It turns out that Facebook is not the only big tech company that has been misusing its Enterprise Developer account.

Yesterday, January 30th, Google disclosed that it had been doing something similar with its Enterprise Certificate for an application named "Screenwise Meter", which paid users in gift cards for installing and using it. Just as with Facebook, Apple revoked Google's Enterprise Certificate. The revocation had the same effect as Facebook's: Google's internal iOS applications ceased functioning, including employee-only beta versions of apps as well as other applications used by employees. Here is a quote from the TechCrunch article:

“We’re working with Apple to fix a temporary disruption to some of our corporate iOS apps, which we expect will be resolved soon,” said a Google spokesperson. A spokesperson for Apple said: “We are working together with Google to help them reinstate their enterprise certificates very quickly.”

As of today, Thursday January 31st, Facebook has had its Enterprise Certificate reinstated, but Google's has not been reinstated yet.

Some Thoughts

I am somewhat surprised that Apple revoked the Enterprise Developer certificates, given the size of the companies involved. However, Apple is fully within its rights. Both companies not only violated the terms of service, but also used the applications to collect consumer information. This is a clear violation of Apple's principles and definitely should not be tolerated.

Besides the policy violation, there are consumer implications. Both companies relied on users not understanding what they were handing over. In both cases the app installed a VPN that routed the iPhone's traffic through the company's servers, giving it a view of the user's browsing and app activity across the whole device, not just inside the app. Additionally, Facebook gathered Amazon purchase history by having users send screenshots of their Amazon orders.

I suspect that Google will get its Enterprise Certificate reinstated in the next couple of days. In the wake of these incidents, I would not be surprised if Apple starts cracking down on this type of behavior across all Enterprise Certificate holders.

If a smaller company had done something similar, my guess is that Apple would revoke the certificate and that would be the end of the discussion. A smaller company would likely not be able to get its Enterprise Certificate reinstated at all.

These two incidents should be a wake-up call for all Apple Enterprise Certificate holders. If you are providing applications to end users through your Enterprise Certificate, Apple may revoke it, taking every app signed with it down with it, and there may be no recourse.

It will be interesting to see what other ramifications this has for other developers. I also wonder whether Facebook and Google will try something similar again in the future. Only time will tell.

Source: TechCrunch (Facebook) and TechCrunch (Google)