Are you familiar with the steps it takes to do the FaceTime bug? Obviously Apple needs to do better in their QA testing for these extreme edge-case usages, but who would ever think to add their own number to a FaceTime chat when you're the one originating the call already? It's a bug, a bad one at that, but no one would be using this sequence of steps unless they were explicitly chasing down vulnerabilities.

I am, are you? Do you understand the underlying pile of failure to get to such a point?

It's an app that starts a whole conferencing stack behind an "incoming call" screen that stays there for hours. You can't really defend that happening in a privacy-relevant system app using privacy-relevant resources. There are no interaction checks like we have had for years on desktop systems. No forced hang-up on the press of the power button. Nothing. This was no bug, this was a house of fiddly cards, crashing.

I think in the "mum's video" they just added another person, his sister, btw. Might be wrong here, but have a look yourself.
 
So people who use the Facebook app to access FB can't launch it, or it just won't update? I don't use it, I'm just curious.

The Facebook app from the App Store works just fine and is not impacted.

This is about the apps that Facebook can "allow" itself for internal use. This is for custom apps that a lot of companies use for internal use only, for example if they have a private bus service for staff to get to/from work and they want that timetable to be available to their employees. They can create the app, sign the app and install the app all without Apple intervention. These apps can have TOTAL access to everything on the device: photos, browser history, microphone, camera, etc., etc., etc.

Facebook, by distributing this (and I am sure their argument is that because they paid $20-$30 a month, the users were "employees" or "contractors"), broke the rules and intent of the agreement they have with Apple that allows this, so Apple cut their access off for internal apps.
 
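The post above describes how an enterprise-signed app differs from an App Store app. A practical check a security engineer wants is to tell, from an installed app or an IPA, which kind of provisioning profile it carries. The script below is an added example, not code from MacRumors, Apple or Facebook: it pulls the plist out of an `embedded.mobileprovision` payload and classifies it by the keys real profiles carry (`ProvisionsAllDevices` for in-house/enterprise, `ProvisionedDevices` plus the `get-task-allow` entitlement for development vs. ad hoc, neither for App Store). Both sample profiles are constructed for this example; the team identifier and bundle IDs are placeholders.

```python
"""Classify an iOS provisioning profile by distribution type.

Added example, not taken from the forum thread or from Apple's tooling.
The two profiles below are constructed samples; a real
embedded.mobileprovision is a CMS (PKCS#7) signed blob that wraps the same
kind of XML plist.
"""
import plistlib
from datetime import datetime, timezone
from typing import Optional

# Constructed sample 1: in-house (enterprise) profile. The give-away is
# ProvisionsAllDevices=true: no device list, so it installs on any device
# whose user accepts the enterprise certificate.
ENTERPRISE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Name</key><string>Example In-House Profile (constructed)</string>
  <key>TeamIdentifier</key><array><string>ABCDE12345</string></array>
  <key>ProvisionsAllDevices</key><true/>
  <key>ExpirationDate</key><date>2020-01-30T00:00:00Z</date>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>ABCDE12345.com.example.internal</string>
    <key>get-task-allow</key><false/>
  </dict>
</dict>
</plist>
"""

# Constructed sample 2: ad hoc profile. Tied to listed device UDIDs, so it
# cannot be used for mass distribution to the public.
ADHOC_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Name</key><string>Example Ad Hoc Profile (constructed)</string>
  <key>TeamIdentifier</key><array><string>ABCDE12345</string></array>
  <key>ProvisionedDevices</key><array><string>00008020-000000000000002E</string></array>
  <key>ExpirationDate</key><date>2020-01-30T00:00:00Z</date>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>ABCDE12345.com.example.beta</string>
    <key>get-task-allow</key><false/>
  </dict>
</dict>
</plist>
"""


def extract_plist(blob: bytes) -> dict:
    """Pull the XML plist out of a raw embedded.mobileprovision.

    Slicing on the XML markers is the usual offline shortcut; it does NOT
    verify the CMS signature. On macOS, `security cms -D -i <file>` gives a
    verified decode of the same payload.
    """
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist payload found in profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def classify_profile(profile: dict, now: Optional[datetime] = None) -> dict:
    """Return distribution type, team, app id and expiry status for a profile."""
    entitlements = profile.get("Entitlements", {})
    if profile.get("ProvisionsAllDevices"):
        kind = "enterprise"  # in-house: any device, no App Store review
    elif "ProvisionedDevices" in profile:
        # Device-limited: debuggable builds are development, others ad hoc.
        kind = "development" if entitlements.get("get-task-allow") else "ad-hoc"
    else:
        kind = "app-store"
    expiry = profile.get("ExpirationDate")  # plistlib yields a naive UTC datetime
    if now is None:
        now = datetime.now(timezone.utc).replace(tzinfo=None)
    return {
        "name": profile.get("Name"),
        "team": (profile.get("TeamIdentifier") or [None])[0],
        "app_id": entitlements.get("application-identifier"),
        "distribution": kind,
        "expires": expiry,
        "expired": bool(expiry and expiry < now),
    }


if __name__ == "__main__":
    for blob in (ENTERPRISE_PROFILE, ADHOC_PROFILE):
        print(classify_profile(extract_plist(blob)))
```

On a jailbroken device or an unpacked IPA the file to feed `extract_plist` is `Payload/<App>.app/embedded.mobileprovision`. An app classified as `enterprise` that was installed by someone who is not an employee of the team named in the profile is exactly the misuse the thread is about. Note that profile expiry is separate from certificate revocation: a revoked signing certificate stops the app launching even while the profile is still within its date range.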
> I am, are you? Do you understand the underlying pile of failure to get to such a point?
>
> It's an app that starts a whole conferencing stack behind an "incoming call" screen that stays there for hours. You can't really defend that happening in a privacy-relevant system app using privacy-relevant resources. There are no interaction checks like we have had for years on desktop systems. No forced hang-up on the press of the power button. Nothing. This was no bug, this was a house of fiddly cards, crashing.

Your very last sentence gives away that it’s clearly a bug from what you are describing as poor architecture. It may be a shittily built program (your description leads me to believe that you have far more insight on that than I) but you can’t claim that this was ever intended behavior so by definition it would be a bug (again brought on from poor design choices), no?
 
Fine, it’s a matter of degree. My point is only that INTENTIONALLY doing something is very different than accidentally doing something. Building an entire business model around doing a thing is very different than not having sufficient processes in place to prevent it from happening sometimes by accident.

And the suggestion that Apple should do NOTHING to Facebook because Apple had a bug is ridiculous, and the kind of thing only a Facebook employee would believe.

Totally agree on both.

Apple enterprise certificates are misused too often anyway. Stems from their policy, but some big players seem to get away, smaller entities might not even get one. Looks wrong. So I am glad Apple showed some attitude here.
 
Lets face it, no one else is going to take the proverbial on this scale with Apple again. They've shown they'll use the kill switch, even if it was a limited scope.
 
Yikes. Seems like taking out a hornets nest with an atom bomb.
What did FB think was going to happen when they screwed with Apple and its customers? Did they think Apple wouldn't find out? Did they think Apple has no track record of giving a crap about customers' privacy? Did they think Apple doesn't have a track record of coming down on those who flout their TOS and EULAs?

Do you think it’s now Apples job to babysit FB certificate deployment? FB proves over and over they can’t be trusted, and now they’ve got to sleep in the bed they’ve made. Rotten to the core, the core being Zuck’s soulless stank.

This is total comeuppance, and we’re all cheering on Apple. Except a few of us, that is. Crash & burn, Facebook. Burn.
 
I'm from North America and English is my first language, so not sure why you are giving me a language lesson when you're the one who wrote the unparseable sentence.

OK, I understand you get the certificates from Apple. I never said otherwise. As a developer that's where I get them, too. And Apple can revoke them and prevent Facebook from getting new ones. So I'm not sure what your point is.

I dropped a single letter, "m", and fixed it when you pointed it out. My fingers (or keyboard) - not my English - are to blame.

There are no certificates, plural. You get one at any one time.

"They've got that" implies that I am certain that Apple can easily block them from getting a new one to replace the revoked one. There is no simplistic loophole for Facebook to employ, as you have implied.
 
Could you point me in the direction of the information about Google going around Apple's policies to take data, please?

Google isn't a saint, but next to Facebook they certainly look that way. Google is slowly moving their income stream away from customer data trend advertising and over to services (Google Cloud, GSuite and other Enterprise stuff). Facebook meanwhile is owning the malware category.

Oh boy did I get lucky today! https://www.macrumors.com/2019/01/30/google-exploiting-apple-enterprise-certificate/

Also, http://www.winingerlawfirm.com/google-in-hot-water-over-safari-exploit/

Want moar?
 
> I dropped a single letter, "m", and fixed it when you pointed it out. My fingers (or keyboard) - not my English - are to blame.
>
> There are no certificates, plural. You get one at any one time.
>
> "They've got that" implies that I am certain that Apple can easily block them from getting a new one to replace the revoked one. There is no simplistic loophole for Facebook to employ, as you have implied.

Three things:

1) No, I didn't imply that. What I was saying is that Apple had to revoke all the certificates and block new ones to prevent Facebook from being bad. I didn't suggest or imply that Apple would have any difficulty doing so.

2) I spelled the word "unparseable." This is an accepted variation, often used by technical folks (like me). See, e.g.:

https://www.yourdictionary.com/unparseable
https://glosbe.com/en/en/unparseable

3) you can easily get more than one enterprise certificate. Particularly a company with multiple subsidiaries and affiliates - each can get a certificate. Facebook has dozens of such affiliates, I'm sure.
 
> Your very last sentence gives away that it's clearly a bug from what you are describing as poor architecture. It may be a shittily built program (your description leads me to believe that you have far more insight on that than I) but you can't claim that this was ever intended behavior so by definition it would be a bug (again brought on from poor design choices), no?

I only argued against the understating "simple bug" theory, not against the obvious difference between a failure and an intentional attack.

Though, now that I think about it, I might see lousy handling of my data or privacy by a trusted provider as being quite close to intentionally hurting me by not caring (or giving a damn)...

So there might be a misuse of trust being the element that very loosely connects those two events, if only from a certain perspective.
 
> you can easily get more than one enterprise certificate

No.

One might abuse the program, though, to sign up for more than one Enterprise Program. Each one gets ONE certificate. They would pay $299/year (which I assume they can afford...) for each one.

The rules are clear that - for example - getting one for a separate physical location or campus is not a legitimate use.

A legitimate use would be a separate operating company. So, for example, you don't mix Facebook's peanut butter with Whatsapp's jelly when you order lunch. (Though I think Whatsapp has ceased to operate as a separate company, so bad example.)

> No, I didn't imply that. What I was saying is that Apple had to revoke all the certificates and block new ones to prevent Facebook from being bad.

There was only one to revoke. There is no plural.
 
> No.
>
> One might abuse the program, though, to sign up for more than one Enterprise Program. Each one gets ONE certificate. They would pay $299/year (which I assume they can afford...) for each one.
>
> The rules are clear that - for example - getting one for a separate physical location or campus is not a legitimate use.
>
> A legitimate use would be a separate operating company. So, for example, you don't mix Facebook's peanut butter with Instagram's jelly when you order lunch. (Though I think Instagram has ceased to operate as a separate company, so bad example.)
>
> There was only one to revoke. There is no plural.

Each facebook subsidiary or affiliate can have its own certificate. You have no idea how many certificates "facebook" as a whole had. I think facebook can afford the $299 for each of its subsidiaries and sibling companies.

Pull a DB on facebook and you'll see dozens of operating companies.
 
And replace it with what? As much as I hate Facebook and ZuckerTURD, there is NO viable option out there at the moment for people my age--60 something. Trying to get all my family and friends, most of whom are my age or older, to switch to another social connection app just WON'T happen, E V E R! It took forever to get them to even use Facebook in the first place, and many still don't, won't, don't know how to do much of anything with computers, tablets, smartphones. I've always been a techie nerd, but most of the people of my Babyboomer generation are not, by any stretch of the imagination. We learned to do calculus with slide rules, not pocket calculators. We were already out of high school before the first affordable, prebuilt and assembled personal computers even hit the market. Most of my generation didn't even have personal email capability until the late 1990s or beyond. Millennials can certainly adapt much better than the Babyboomers when it comes to high technology because they were born with a smartphone in one hand and were tweeting in their momma's womb! :) To completely abolish Facebook from all Apple devices would be a stupid act of extreme overkill, and it would overly inconvenience a heck of a lot of people whose only connection with far away friends and family is, unfortunately, via Facebook. Banning all the rest of the Facebook data mining apps, on the other hand, is a smart idea IMO.


Short answer, Facebook will be history within a decade, so start looking for alternatives.
People coped without it, they will do perfectly fine by using other means of communication.
 
This is badass. Apple is able to punish them where the government couldn't even succeed. Not having internal testing apps is a huge deal; they are losing millions a day, easy.
 
Seems a tad harsh. All they did was circumvent Apple's privacy guidelines

Nonsense. They violated their enterprise license. It's against this license to use enterprise side-loading to distribute applications to consumers. Taking users' private data is just the usual Facebook business model.
 
The fact that Apple is willing to "work closely" with Facebook is shocking and, in my opinion, unacceptable. They're in cahoots with crooks! I am slowly losing trust in Apple. Why is the FB App even still on the App Store? Is it about money?

> Update: Facebook says it is "working closely" with Apple​
 
> Each facebook subsidiary or affiliate can have its own certificate. You have no idea how many certificates "facebook" as a whole had.

The certificate comes as an artifact of the Enterprise Program agreement. You can't just get "another certificate". You have to sign an agreement, and pinky-swear that it's not a duplicate. If an affiliated company, you have to pinky-swear to an arms-length relationship.

You are conflating certificates with contracts.

The use case is abusive of the program in ANY case.

Yes, Facebook AND Google were stupid to use the Enterprise Program that they also use for internal apps to do this. If you are going to cheat, I say go all out!

Plus, I'm sure that the NSA could have handed them a nice, pre-packaged shell company with absolutely no traceability, just for the asking. Just sayin'.

It shouldn't matter, though. I suspect Apple has the legal right to cancel all of the Enterprise Agreements given the usage, which is not in accordance with the terms of the agreement.
 
> Though, now that I think about it, I might see lousy handling of my data or privacy by a trusted provider as being quite close to intentionally hurting me by not caring (or giving a damn)...

You are confabulating premeditated with accidental. Yes, death (or injury) is the consequence, but there is a difference.
 