Can someone explain how apps in the App Store were able to view other apps' activity? Isn't the whole point of sandboxing that these processes stay separate?

I understand if there is this separate technology for businesses called MDM, but why wouldn't that need to be sideloaded like those enterprise certificates that Facebook got in trouble for running?

And if companies could use this technology that can view all your phone's activity and Apple wasn't aware of it, why would Apple think that its use has been limited to parental control apps? It seems it could just as easily sneak in with a free game app, etc.

It seems like Apple has more to explain for than these few apps, namely their app review process and how secure all of the apps are—not just the few they pulled.
 



Following an email from Phil Schiller to a MacRumors reader yesterday addressing a report from The New York Times on Apple's removal of a number of App Store apps focused on screen time monitoring and parental controls, Apple has issued a public statement sharing additional perspective on the situation.


The statement, entitled "The facts about parental control apps," is very similar in its details to the email from Schiller, highlighting how Apple "became aware" over the last year that these apps were using Mobile Device Management (MDM) technology to monitor all of the activity occurring on the user's device or devices used by their family members.

MDM technology is intended for enterprise users to manage their company-owned devices, and Apple says the use of MDM by consumer-focused apps carries privacy and security concerns that resulted in Apple addressing the situation in its App Store review guidelines in mid-2017.

Apple says that it notified developers of apps affected by its crackdown on this disallowed usage of MDM, giving them 30 days to modify their apps before pulling them from the App Store.

Apple also directly addressed observations in this weekend's report that the move gives the appearance of anticompetitive behavior:

While Apple is firm in stating that competition did not play a role in its crackdown on these apps, the timing is certainly curious. Apple began the crackdown shortly after rolling out its Screen Time feature in iOS 12 last September, despite several of these apps having used MDM for a number of years.


Developers quoted in The New York Times and who have spoken to MacRumors have also expressed frustration with Apple's original communication on the issue. The developers detailed multiple attempts to obtain more information on exactly what changes needed to be made to their apps, but Apple's support staff reportedly either failed to respond or provided unhelpful and non-specific responses before pulling the affected apps.

Article Link: Apple Shares More Details on Parental Control App Crackdown

Suspicious timing indeed, but now an official complaint has been logged with the EU competition commission, they’ll fully investigate Apple and report back I’m certain.
This public release on the matter from Apple does come across as ‘damage control’ to try and deflect the negative press that will surround the story.
 
Apple Developers: “We have developers using methods that are dangerous to users’ privacy/security, but they’re using it for parental controls that wouldn’t exist otherwise.”
“Well we can’t just shut them down, that would make us look like we don’t care about parental controls.”
“Ok, so let’s bake in our own version so it can be secure, and give those third party developers a good amount of warning with a decent grace period.”

MacRumors: “Timing is suspicious.”

Good grief I love you!!! Took the words right out of my mouth! It’s not Macrumors. They’ve turned into everyone else... MacSchophrenia
 
Can someone explain how apps in the App Store were able to view other apps' activity? Isn't the whole point of sandboxing that these processes stay separate?

I understand if there is this separate technology for businesses called MDM, but why wouldn't that need to be sideloaded like those enterprise certificates that Facebook got in trouble for running?

And if companies could use this technology that can view all your phone's activity and Apple wasn't aware of it, why would Apple think that its use has been limited to parental control apps? It seems it could just as easily sneak in with a free game app, etc.

It seems like Apple has more to explain for than these few apps, namely their app review process and how secure all of the apps are—not just the few they pulled.

You are absolutely correct. As I said previously, the apps should have never been approved for release on the App Store, but they got through anyway. Apple even acknowledged the abuse of MDM in 2017 when they altered the review guidelines, yet here we are in 2019 still talking about this problem.

MDM stands for Mobile Device Management. It is a feature created and provided by Apple for enterprise developers. Apple approved all of these developers to use MDM for internal apps, but it supposedly never intended MDM for use in the App Store in this way. Yet, the review team approved apps that shipped with MDM anyway.

If you read Apple's official statement, they admit that these apps "put users’ privacy and security at risk." They also say "It’s important to understand why and how this happened." However, they never get around to explaining how the apps got past their review process. This certainly isn't the first time the review process has failed.
 
Developers quoted in The New York Times and who have spoken to MacRumors have also expressed frustration with Apple's original communication on the issue. The developers detailed multiple attempts to obtain more information on exactly what changes needed to be made to their apps, but Apple's support staff reportedly either failed to respond or provided unhelpful and non-specific responses before pulling the affected apps.

If the feature could only be achieved by MDM functionality then how else Apple Support team could tell them apart from “adios”? Because there are no changes needed to be made. If Apple Support told them to stop using MDM do you think what will be their reactions?
“Okay”?
I highly doubt it.

Not all devs are innocent. Many of them are malicious. MDM has been abused regularly for malicious purposes. I doubt honest devs will intend to use this feature out of what it’s designed to be used: in corporation environment.

Oh and give me a break on “timing is suspicious” part. Last year is the year Screen Time like feature coming into everyone attention. Android just starting to have it. iOS too. Before that no one cares about this feature.
 
Maybe they could learn to eventually communicate these explanations in the first place when they're bringing down the ban hammer, rather than leaving "Apple are evil and harming our children by banning innocent parental control apps" rhetoric to fester for months on end.
 
Hey Phil, while you are at it, why not fix all the bugs and glitches associated with the screen time feature?

I agree I have reported several bugs with ScreenTime that have yet to be fixed. Such as when I try to restrict my kids' Messages ability, yet all they have to do is Screen Shot, Share, enter the person’s name they want to text/iMessage and then delete the screen shot to see any new messages or send another message...

This can be done with any share button in any app that isn’t restricted, like photos, or music.
 
I have it enabled on my kids' phones. Sometimes on weekends we extend the time the kids get to use their devices. Last night I was out to dinner with my wife and my daughter called me and asked to unlock Netflix. I would have been fine with her using the app, but I didn't want to give her the PIN.

They can request to buy something in the app store remotely from the parent account (https://support.apple.com/en-us/HT201089). They should be able to request more screen time and get a popup on parents' devices in a similar way.

I told her I'd unlock her Nintendo Switch instead. Nintendo is known for being way behind in online functionality. So it is surprising that even they knew to include remote parental control management to their app.

I have it set up on my kids' devices also, and they can request more time remotely. I even like in iOS12.3 where they have the ability to customize days for app limits and screen time blocking. My child however has been able to bypass some restrictions, which I have reported to Apple by using other features... Such as being able to use the Messages App even though restricted by taking a screen shot, hitting the share button, choosing messages, and entering who they want to send it to. Then editing the message to delete the screen shot and being able to see new messages and send regular text/iMessage messages. They can also do this if you don’t have restrictions set up on Photos or Music, or any app with the Share button.
 
Apple is obviously trying to avoid an investigation into their anti competitive actions. More than one group has accused apple of anti competitive behavior. Innocent until proven guilty doesn't mean no investigation should take place.

Anticompetitive? You really need to read the article. MDM can do a LOT of things, Apple was 110% correct in removing these apps. Most end users don't understand what they're doing when they accept MDM.
 
The way things are going AppStore is declining as Google Android will become the only platform to develop for as no one will be able to develop for iOS as Apple has a habit of changing the rules when it suits them resulting in the removal of apps that compete and so all that work by developers is wasted so more and more are moving to Android
 
The way things are going AppStore is declining as Google Android will become the only platform to develop for as no one will be able to develop for iOS as Apple has a habit of changing the rules when it suits them resulting in the removal of apps that compete and so all that work by developers is wasted so more and more are moving to Android
They didn't change the rule - they enforced a rule that the developers ignored. I am a developer and the income from iOS is much higher than Android, thus, both stores will remain. But the lack of review on the Google store allows some spyware to be published.
 
It is nice apple responded but it should be under oath in court.
Please sue Apple if you want a statement in court under oath.
The way things are going AppStore is declining as Google Android will become the only platform to develop for as no one will be able to develop for iOS as Apple has a habit of changing the rules when it suits them resulting in the removal of apps that compete and so all that work by developers is wasted so more and more are moving to Android
Nonsense. The fact is that iOS apps make more money, and iOS developers are paid more. And developers who don't create apps that are dodgy in the first place are fine. Actually, many developers are happy because they can tell their stupid marketing guys "no you can't get all the data from the iPhone because Apple doesn't allow it" instead of "you can't do that because you are abusing the customers".
 
The way things are going AppStore is declining as Google Android will become the only platform to develop for as no one will be able to develop for iOS as Apple has a habit of changing the rules when it suits them resulting in the removal of apps that compete and so all that work by developers is wasted so more and more are moving to Android

iOS will continue to be the platform to develop apps for, for the simple reason that iOS is where the money is. It doesn’t matter how onerous the rules are, the developers will jump through whatever hoops they need to, when 80% of your revenue comes from the ios App Store.
 
Btw, this article from TechCrunch was published 5 months ago. Just because Apple doesn’t have an API for 3rd parties to build screen time tracking apps doesn’t mean it’s OK for them to hack their way into it or that Apple is anti-competitive for removing the apps when the unauthorized methods are discovered.

Apple puts third-party screen time apps on notice
 
Bugs? Security holes? I'm sorry, but this is completely different. Developers are misusing known enterprise features. It doesn't sound too different from the misuse that took Facebook's internal apps offline a few months ago. Apple makes these enterprise features available to the developers, so is it really unrealistic for them to monitor who is using them and how they are being used?

Just to clarify, I believe Apple was correct to remove these offending apps. However, I also believe that they never should have been approved in the first place. At the very least, they should have stopped approving apps when they specifically changed the review guidelines in 2017 when they "discovered" developers were abusing MDM. Yet, the original article states that apps were still being pulled throughout last year.

I want the app store to flourish, but I don't think Apple is beyond criticism. They bring in enough money to be held to a higher standard.
Apple is not above criticism. However, I don’t agree apple turned a blind eye, for reasons of their own, and left the apps in place.

To those who say Apple should have caught them, it’s akin to saying Microsoft should have caught bugs and security holes in their testing.
 
My only real issue with Screentime is the schedule section.
You can’t have multiple schedules for a single day.
The old AT&T app (now discontinued) allowed for a nighttime schedule and then a daytime one as well for when my kid is at school.
We blocked everything at night (10PM - 6AM) and then all social media apps during school hours. (8AM - 2PM).
Can’t do that with Screentime.
 
Apple Developers: “We have developers using methods that are dangerous to users’ privacy/security, but they’re using it for parental controls that wouldn’t exist otherwise.”
“Well we can’t just shut them down, that would make us look like we don’t care about parental controls.”
“Ok, so let’s bake in our own version so it can be secure, and give those third party developers a good amount of warning with a decent grace period.”

MacRumors: “Timing is suspicious.”

Apple seems very selective about when it bothers to apply its rules and when it doesn't.

All the Apple adverts I've seen say privacy is important, not that privacy is important but sometimes they'll make compromises for other features like parental controls.

I suppose you think it was also just coincidental timing that Apple only learned about the FaceTime privacy hole when the media started giving Apple bad press, despite multiple bug reports weeks earlier?
You are absolutely correct. As I said previously, the apps should have never been approved for release on the App Store, but they got through anyway. Apple even acknowledged the abuse of MDM in 2017 when they altered the review guidelines, yet here we are in 2019 still talking about this problem.

MDM stands for Mobile Device Management. It is a feature created and provided by Apple for enterprise developers. Apple approved all of these developers to use MDM for internal apps, but it supposedly never intended MDM for use in the App Store in this way. Yet, the review team approved apps that shipped with MDM anyway.

If you read Apple's official statement, they admit that these apps "put users’ privacy and security at risk." They also say "It’s important to understand why and how this happened." However, they never get around to explaining how the apps got past their review process. This certainly isn't the first time the review process has failed.

Apple shouldn't have even needed to review apps to avoid this. Submission of an app requiring MDM permissions to the customer store should have been automatically rejected.
 
...I suppose you think it was also just coincidental timing that Apple only learned about the FaceTime privacy hole when the media started giving Apple bad press, despite multiple bug reports weeks earlier?
Yes a general statement to address the response above. It seems to be the critics believe Apple was forced to react, while the fans believe the timing was coincidental.
 
I just started looking into monitoring apps for the kids, and didn't really understand how the apps could do what they said they would, so it makes a lot more sense now. I'm hoping that Apple works on the screen time functions to allow a little more nuance to the restrictions we can make, as right now it's not exactly able to do what I'm looking for.
 
Care to share a few specific examples?

Screen Time has worked flawlessly for me, but I'm not managing child devices. Maybe that's where your supposed flaws are?

Give us a scenario. Remote Unlock would be a very scary feature that bypasses the strong measures in place.

I can give you two very specific issues that are major flaws with Screen Time. I have reported the issues with the Apple Developer Bug Reporting.

1. A child can access a website with no screen time available by accessing the saved passwords for a website under settings. The child can access any site in the password list if the password is not correct in the saved password list.

2. App access limits are only set at the icon level. A child can access an app via a link to the app even when there is no time allowed for that app.

Screen Time is a good start for most parents. My kids figured out these two workarounds within one day of me setting up screen time on their devices. It is not perfect.
 
Apple is not above criticism. However, I don’t agree apple turned a blind eye, for reasons of their own, and left the apps in place.

To those who say Apple should have caught them, it’s akin to saying Microsoft should have caught bugs and security holes in their testing.

Sorry, you are wrong. It is impossible to install any profile (which is how you manage an MDM-enrolled device) without the user knowingly accepting it. Unless Apple doesn't install an App on a device or simulator during their review process, the reviewer would have had to accept the profile installation. While a normal user may have just clicked OK automatically, not knowing what they are doing, any reviewer should have questioned what profile was being installed and why.
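
Added example (not part of any post in this thread, and not Apple's or any developer's code): a Python check that answers "what profile is being installed and why" by reading a configuration profile and reporting any MDM enrollment payload with the server it points at and the rights it requests. The sample profile, its display name and the `mdm.example.invalid` URL are constructed; the signed-profile handling is a simple heuristic that assumes the XML plist sits contiguously inside the signature wrapper.

```python
import plistlib

# AccessRights bit flags as documented for Apple's MDM payload.
ACCESS_RIGHTS = {
    1: "inspect configuration profiles",
    2: "install/remove configuration profiles",
    4: "device lock and passcode removal",
    8: "device erase",
    16: "query device information",
    32: "query network information",
    64: "inspect provisioning profiles",
    128: "install/remove provisioning profiles",
    256: "inspect installed applications",
    512: "restriction-related queries",
    1024: "security-related queries",
    2048: "manipulate settings",
    4096: "app management",
}

def load_profile(data: bytes) -> dict:
    """Parse a profile; a signed one carries the XML plist inside a CMS wrapper."""
    start, end = data.find(b"<?xml"), data.rfind(b"</plist>")
    if start != -1 and end != -1:
        data = data[start:end + len(b"</plist>")]  # heuristic: drop wrapper bytes
    return plistlib.loads(data)

def mdm_findings(data: bytes) -> list:
    """Return one entry per MDM enrollment payload found in the profile."""
    content = load_profile(data).get("PayloadContent", [])
    findings = []
    for payload in content if isinstance(content, list) else []:
        if not isinstance(payload, dict) or payload.get("PayloadType") != "com.apple.mdm":
            continue
        rights = payload.get("AccessRights", 0)
        findings.append({
            "server": payload.get("ServerURL"),
            "rights": [n for bit, n in ACCESS_RIGHTS.items() if rights & bit],
        })
    return findings

# Constructed sample profile: one Wi-Fi payload and one MDM payload.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Family Helper (constructed)",
    "PayloadContent": [
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "home"},
        {"PayloadType": "com.apple.mdm",
         "ServerURL": "https://mdm.example.invalid/server",
         "AccessRights": 16 | 256},
    ],
})

if __name__ == "__main__":
    for f in mdm_findings(SAMPLE):
        print("MDM enrollment ->", f["server"], f["rights"])
```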
 