Apple has disabled Facebook and Google’s internal applications after privacy violations were revealed, leaving Google and Facebook employees at a standstill for key operations. In other Apple news, the tech giant’s revenue declined over the holiday quarter, and it’s reportedly testing new iPhones with three rear cameras and a USB-C port.
This week on The Vergecast, Nilay Patel, Paul Miller, and Casey Newton
reckon with Apple’s power move against Facebook and Google. Below is a
lightly edited portion of that conversation.

Nilay Patel: World War 4 has begun.
Apple, which is an important company that makes phones and laptops and
software, yanked Google’s enterprise software certificate for iOS, which
is the software certificate that lets Google deploy its own internal
apps without going through the App Store, thus shutting down all of its
betas of Gmail, YouTube, and Maps on iOS and their own internal apps
like the one that shows them the menus in the cafe. This literally just
happened. It happened minutes before we started taping.
This follows the fact that Apple did this to Facebook
yesterday. Same situation: yanked the enterprise certificate for
Facebook so people can no longer look at their bus schedule or test up
builds of Instagram. This is all in response to both Facebook and Google
running research apps — user research apps?

Casey Newton: Market research apps. So
there are plenty of these kinds of programs, and all kinds of companies
that’ll pay you 20 or 50 bucks, give you a gift card in exchange for
some amount of your time, and typically, you’ll just sort of answer a
bunch of questions about the product and the competition. What made this
really different was that they were using a program designed to let
companies test apps internally in order to do market research with their
customers, and after Apple became aware of it, they pulled the plug and
said no.

NP: So Facebook very famously owned a
VPN called Onavo, which is a bad name. And so famously Facebook bought
this VPN company. They let people install Onavo protectors, and the app
ran all the traffic through this VPN to say you were more secure but
really what Facebook was doing was monitoring this traffic to see which
apps were taking off, which features you were using. So this is how they
discovered that WhatsApp was taking off. I believe before they acquired
WhatsApp, it’s how they discovered Snapchat Stories were taking off,
and they cloned it to Instagram Stories. So Facebook is monitoring user
behavior on the iPhone through this Onavo Protect app.
At one point, I believe they even had a tab in Facebook,
the big blue app, that said Onavo Protect to try to get you to install
Onavo Protect, which is insane. This all came out. Apple said “Wait wait
wait. This is not cool. We do not want anyone.” We saw Facebook
monitoring user data. That’s why they banned Onavo Protect. But it turns
out, the same code and the headers of the research app were being used
for this Facebook research. So Facebook is running a research program
where everyone is focused on teens. I think it was more than teens,
right?

NP: They were targeting people ages 13
to 35, so a broad definition of “teen,” but teen is in the mix where you
would get like a $20 gift card if you sign up for this program through
one of their vendors. They would send you the certificate that lets you
side-load apps onto an iPhone. Famously, you cannot side-load apps onto an
iPhone — you have to go through the App Store — but if you have an
enterprise certificate, you can deploy apps without the App Store. So
Facebook would send you their enterprise certificate, you would
side-load this app that had a ton of Onavo code in it, and it would
monitor everything that was happening on your phone. In some cases, it
appears they were able to bypass that layer on even encrypted chats,
too.

Paul Miller: Obviously, a VPN app like
the Onavo app could track a lot of what you do based on your internet
traffic. A side-loaded app, theoretically, has a lot more privileges
than just a regular VPN app that you got through the App Store. Yep. Was
this app doing a lot more than a VPN?

CN: Ben Thompson wrote about it today
and described it as kind of like what other terms would have been a
classic man-in-the-middle attack where they were able to intercept
basically anything. The original TechCrunch article says that
text messages and email content would have been accessible to the
person. So based on the reporting we’ve read, it seems like this was
like a near-total access to all of the most sensitive data on your
phone. Once again, we should say people volunteered to submit. Assuming
they actually read the terms of service.

NP: For $20! Would you give Facebook access to your phone for 20 bucks?

CN: I think that we should acknowledge
that 20 bucks is a meaningful amount of money to a lot of people,
especially people who, let’s say, are 13 years old. Interestingly, I
posted an article today in which it interviewed some of the people who
were apparently participating in this program, and some of them in this
way that kind of depressed me said, “You know, we thought that this data
was being sent to random companies anyway, so you know, to us, it was
free money.”

NP: Facebook is doing this. They’re installing this side-loaded app through
this research program. They’re using their enterprise certificate to
get on the phone, and that’s really the heart of the thing where the
actual sort of Facebook is once again doing something shady with user
data. Right? Their excuse is, I think Sheryl Sandberg even just said
this to CNBC, they signed up. They signed up. They wanted this to
happen. They got paid like this was the deal that parents like.
So there’s like a whole conversation about this app and
whether it should work. But then there’s the issue of the enterprise
certificate right there side-loading apps on iOS. So Apple responds,
and we broke the story. We give credit to TechCrunch, and I
give credit to our team. We broke the story yesterday. They yank
Facebook’s enterprise certificate these days just disable it, which
causes this chain reaction. Every other side-loaded Facebook app that
uses a certificate just stops working, and you click on it, and it
doesn’t open.

PM: And the primary understanding is
that the terms of use for having this enterprise certificate is that you
do not use it to distribute apps to consumers.

NP: Yes. Correct. It sounds very much
like everyone does it, anyway. Which is a thing. I don’t know anything
about what they’ve considered internally, but I will tell you that, I
tweeted this, it’s pretty disturbing that Apple can just disable these
certificates. It’s basically like a vacation day at Facebook from what I
can surmise. Casey is nodding his head. Did you hear that, too?

CN: Yes. I mean just imagine, you know,
your entire workflow is dependent on you having access to the iOS app
that you’re working on, and there is literally no way for you to get it
to launch anymore.
