Apple Shut Down All of Facebook's Internal Apps When Revoking Enterprise Certificate [Update: Fixed]

[MRrainer]

It's apparently a bit of a hassle to re-deploy all these apps, once a new enterprise certificate has been issued. Apple will issue a new one, eventually, but I'm pretty sure Mark will get the rules explained one more time, in person. Likely, they'll make him sign a piece of paper to drive the point home.

To people who say Apple overreacted: this is like you renting an apartment and the contract says: "You can't run a business with foot-traffic out of this apartment" - and you go an turn-around and literally run a show-shop out of it.

The people who decided on this side-loading gig are probably different than those who guard this certificate (and who didn't know about this app) - but as with any business: the buck stops at the very top.

 

[0958400]

What if this had been any other company? Wouldn't they have been kicked out of the Apple store? Why let facebook stay? What will keep them from doing it again? They've been spying on other people for years now, we have enough evidence. If Apple were to take security seriously, they'd have to ban facebook and stay true to their word.

 

[cmaier]

So, this week; Facebook pay users for data, where a user has installed an app, just that Apple didn’t approve and they circumvented that with a misuse of a certificate. Apple let anyone who knows my cell number access my camera and mic ... I don’t think this week is the one for Apple to play high and mighty with Privacy. Both companies got caught out this week!

Apple didn’t “let” that happen. It was a mistake. It was not intentional. By your logic, a driver who accidentally kills someone when they skid out on an ice patch cannot be opposed to murder.

There’s a big difference between not catching a bug after an extensive public beta test period, and intentionally misusing an enterprise certificate to intentionally capture information from teenagers without any real parental consent (they accepted merely checking a box, apparently).

 

[BuddyTronic]

Awesome! Facebook is dirty!

 

[Geeky Chimp]

facebook didn't disclose to the users what they were doing. And it's not the first time facebook as done things like this. Or used your data to target you with ads aimed at manipulating the way you think to get you to vote a certain way. Companies pay them to do that and your data helps them.

It’s true Facebook abuses people’s privacy beyond belief. But what’s also true is Apple have picked a week where a bug in their software had potentially far wider privacy implications to punish Facebook.

 

[cmaier]

It’s true Facebook abuses people’s privacy beyond belief. But what’s also true is Apple have picked a week where a bug in their software had potentially far wider privacy implications to punish Facebook.

This is silly. Apple didn’t “pick” this week. This is when Apple (and everyone else) found out about Facebook’s misuse of the certificate.

 

[BuddyTronic]

Facebook's lack of respect ... give me a break … Apple ain't no saint.

Yes Apple is good! Facebook is not good.

 

[carletonguy]

Good! Shut it down. I’m so sick of Facebook.

 

[Geeky Chimp]

This is silly. Apple didn’t “pick” this week. This is when Apple (and everyone else) found out about Facebook’s misuse of the certificate.

However you look at it, Apple are punishing a company for privacy related issue whilst causing ( intentionally or not ) a privacy related issue themselves in the same week.

 

[NT1440]

Spying on children is morally wrong.

“Loopholes” in the tax code is not. They were put there by those who write the law and are enforced as such. If anyone is to blame, it’s those who made the law and/or those who don’t change it.

I don’t want to veer off this topic any further, just gonna point out that those who wrote these “loopholes” are clearly completely owned by the beneficiaries of them, that’s why this system won’t be fixed until we outlaw corporate funding of American elections. That’s not a secret, everyone knows who the vast majority of Congress actually represents beyond mere lip service.

Back on topic, Facebook will just pay another fine equivalent to an hours worth of profit and move on unimpeded as usual.

 

[cmaier]

However you look at it, Apple are punishing a company for privacy related issue whilst causing ( intentionally or not ) a privacy related issue themselves in the same week.

Sure, what’s your point.

A cop accidentally injures someone in a car accident and then arrests someone for assault the same day. How dare she! She should wait a week before making the arrest! Or she should let him go because she isn’t perfect!



I don’t understand your logic one bit. There’s a reason the law makes a distinction between intentional behavior and accidental behavior. Doing something accidentally is not morally wrong. Doing something intentionally may be.

 

[jtara]

Huh? I get the what from Apple? Apple has what?

Edited. The letter "m" got dropped from the word "them".

"You get them from Apple".

From context, it should be understood that them is "Enterprise Certificate".

"I think Apple has this" - "xyz has this", "We've got that", etc. it's an idiom common in North American English speech. It is similar in meaning to "piece of cake". (Not "pie"... 2001 reference...) "no problem here, it is easily done!"

хорошего дня!

 

[NT1440]

Not sure your interpretation is accurate. They were paying young people... teens, not children... who were voluntarily installing this app in exchange for $20. They were not maliciously "spying on children". Your description definitely sounds creepy. Maybe read the article again to be sure?

Teens are kids. Unless they’re 18. You’re making a distinction without a difference.

Couple that with the recent stories that Facebook was knowingly allowing children (even in your definition of the word) to make purchases in games via their parents (without parental consent beyond the credit card being tied to the account) are we really to trust that further investigation isn’t going to find a good portion of those enrolled in this spying program aren’t under 13 (which again, what even 17 year old has the sense to really understand the pernicious nature of this program)?

 

[cmaier]

Edited. The letter "m" got dropped from the word "them".

"You get them from Apple".

From context, it should be understood that them is "Enterprise Certificate".

"I think Apple has this" - "xyz has this", "We've got that", etc. it's an idiom common in North American English speech. It is similar in meaning to "piece of cake". (Not "pie"... 2001 reference...) "no problem here, it is easily done!"

хорошего дня!

I’m from North America and english is my first language, so not sure why you are giving me a language lesson when you’re the one who wrote the unparseable sentence.

Ok, i understand you get the certificates from apple. I never said otherwise. As a developer that’s where i get them, too. And apple can revoke them and prevent facebook from getting new ones. So I’m not sure what your point is.

 

[NT1440]

So, this week; Facebook pay users for data, where a user has installed an app, just that Apple didn’t approve and they circumvented that with a misuse of a certificate. Apple let anyone who knows my cell number access my camera and mic ... I don’t think this week is the one for Apple to play high and mighty with Privacy. Both companies got caught out this week!

Except one is clearly a bug, while the other is *going out of the way to direct users to an outside site to install a certificate solely to collect data*.

I don’t know what kind of world you live in, but to weight those two as the same malicious behavior is quite a logical leap.

 

[Scooz]

Apple didn’t “let” that happen. It was a mistake. It was not intentional. By your logic, a driver who accidentally kills someone when they skid out on an ice patch cannot be opposed to murder.

What ice patch? Apple put a lousy car with loosened wheels and wobbly steering on a public road and nearly injured milions because of that. Just that they were lucky to be forced to a halt before they hit a curve.

I agree that its totally different from Facebook (lousyness vs. intention), but it’s still not some „unknowing guy on an ice patch“ thing.

 

[cmaier]

What ice patch? Apple put a lousy car with loosened wheels and wobbly steering on a public road and nearly injured milions because of that. Just that they were lucky to be forced to a halt before they hit a curve.

I agree that its totally different from Facebook (lousyness vs. intention), but it’s still not some „unknowing guy on an ice patch“ thing.

Fine, it’s a matter of degree. My point is only that INTENTIONALLY doing something is very different than accidentally doing something. Building an entire business model around doing a thing is very different than not having sufficient processes in place to prevent it from happening sometimes by accident.

And the suggestion that apple should do NOTHING to facebook because Apple had a bug is ridiculous, and the kind of thing only a Facebook employee would believe.

 

[NT1440]

What ice patch? Apple put a lousy car with loosened wheels and wobbly steering on a public road and nearly injured milions because of that. Just that they were lucky to be forced to a halt before they hit a curve.

I agree that its totally different from Facebook (lousyness vs. intention), but it’s still not some „unknowing guy on an ice patch“ thing.

Are you familiar with the steps it takes to do the FaceTime bug? Obviously Apple needs to do better in their QA testing for these extreme edge case usages, but who would ever think to add their own number to a FaceTime chat when you’re the one originating the call already? It’s a bug, a bad one at that, but no one would be using this sequence of steps unless it was explicitly chasing down vulnerabilities.

 

[sir1963nz]

Delete Facebook

That was done years ago on my IOS devices.
I also have a large hosts file from https://someonewhocares.org/hosts/ which I have added to and I run Ghostery etc on my computers.
When my Grandchildren visit they are horrified to find that Facebook does not work for them.

 

[w5jck]

Good job, now get rid of Facebook altogether.

And replace it with what? As much as I hate Facebook and ZuckerTURD, there is NO viable option out there at the moment for people my age--60 something. Trying to get all my family and friends, most of whom are my age or older to switch to another social connection app just WON'T happen, E V E R! It took forever to get them to even use Facebook in the first place, and many still don't, won't, don't know how to do much of anything with computers, tablets, smartphones. I've always been a techie nerd, but most of the people of my Babyboomer generation are not, by any stretch of the imagination. We learned to do calculus with slide rulers, not pocket calculators. We were already out of high school before the first affordable, prebuilt and assembled personal computers even hit the market. Most of my generation didn't even have personal email capability until the late 1990s or beyond. Millennials can certainly adapt much better the Babyboomers when it comes to high technology because they were born with a smartphone in one hand and a were tweeting in their momma's womb! To completely abolish Facebook from all Apple devices would be a stupid act of extreme over kill, and it would overly inconvenience a heck of a lot people whose only connection with far away friends and family is, unfortunately, via Facebook . Banning all the rest of the Facebook data mining apps on the other hand is a smart idea IMO.

 

[archer75]

It’s true Facebook abuses people’s privacy beyond belief. But what’s also true is Apple have picked a week where a bug in their software had potentially far wider privacy implications to punish Facebook.

That's really irrelevant. The timing means nothing. 2 wrongs don't make a right!

What facebook did was intentional. Apples bug was just that, a bug.

 

[cjake]

Facebook pays the customers that install the App. Facebook may have argued this makes them paid company beta testers and thus were not breaking rules regarding installation of internal apps using an Apple generated enterprise developer certificate. They are Facebook employees!

 

[BJMRamage]

well...at least those kids got PAID for giving out that info...most people use facebook and give it out without being paid.

 

[cmaier]

I blasted Apple with the rest of them (re: the FaceTime bug, last year’s null login bug, etc.). But the weird false-equivalencies people here are trying to make between Apple’s occasional flaws and Facebook’s intentional business model are just plain strange. They remind me of Zuckerberg trying to equate Apple’s behavior with Facebook’s. It’s just wrong. I wonder how many facebook employees post here
[doublepost=1548878611][/doublepost]

Facebook pays the customers that install the App. Facebook may have argued this makes them paid company beta testers and thus were not breaking rules regarding installation of internal apps using an Apple generated enterprise developer certificate. But they are employees!

THen i’m sure facebook filed w-2s and withheld payroll taxes and such ;-)

 

[jtara]

they were smart they would have had two active enterprise distribution certificates. One for signing internal apps and one for signing external “research program” apps. That way when apple revoked their certificate, all there internal apps would not have been bomb’d.

It doesn't work that way. You can only have ONE iOS Distribution Certificate. They do have to be renewed yearly, but you have to revoke the old one in the process of creating the new one. (Or wait for it to expire.) I just recently did this.

Your apps on the App Store continue to work when you revoke the old one. But you cannot upload new apps signed with the old certificate. You need to re-build the app(s) and sign with the new certificate. So, the next time you update apps, you have to re-build with the new signature.

If APPLE revokes the certificate, it is a different story. They can revoke it in such a way that already-installed apps will cease to run.

For Google Play, it is a BIT different. You can have TWO certificates. The explicit purpose of having two, though, is to bridge the gap when renewing every year. It would be a mis-use to segregate apps between different signatures.

Having TWO Enterprise Programs would be a violation of the Enterprise Program rules, as well. It would of course be easy to accomplish through an affiliated company without disclosing the connection.

Whoever wrote about arbitrarily creating multiple distribution certificates at will doesn't know what they are talking about. Or, they are confusing them with Provisioning Profiles. a Provisioning Profile can be shared among apps, or you can create one for each app. But every Provisioning Profile has to be associated (for Distribution) with your one and only Distribution Certificate.

There are also Development Certificates. You can have many, but they are intended only for developer testing. Normally, each individual developer has their own. (Depends on company policy, though.) They give a scant few additional Super Cow Powers, there is no review, but they can ONLY be side-loaded by USB or WiFi with the device UDID enrolled first on the Apple Developer portal. You can enroll 1,000 devices of each type. (phone, tablet, tv, watch).

Finally, there is AdHoc Distribution. For normal Developer Program, this has the same 1,000 device limit. You can distribute internally/to others for testing purposes. Does not have any Super Cow Powers. AdHoc is also signed with your Distribution (not Developer) certificate.

(An example of a Super Cow Power is the ability to inspect an embedded uiWebView or wkWebView with desktop Safari.)