You're avoiding the question.
The question is, if Google are so evil then why do Apple accept money to make Google the default in its product? The left hand can't demonize someone while the right hand takes bribery money from the same person.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Apple Shuts Down All of Google's Internal Apps for Abusing Enterprise Certificate [Updated]
- Thread starter MacRumors
- Start date
- Sort by reaction score
You're avoiding the question.
The question is, if Google are so evil then why do Apple accept money to make Google the default in its product? The left hand can't demonize someone while the right hand takes bribery money from the same person.
Because Apple only cares enough about privacy insofar as it is able to market privacy as a way to make money. Make no mistake, while Apple values your privacy, it does not value it as much as most here would think.
Correct. Group facetime is where the bug is.
And yes, it's not the same thing at all. Not even remotely.
[doublepost=1549041329][/doublepost]
I don't disagree. But as long as they value it, no matter the reasons, it's a good thing. As soon as they don't, well, i'll have a choice to make.
Funny how this is news when it happens on iOS, but on android/anything google the expectation is simply you ARE being spied on and anything and every IS tracked regardless...
Then again, when your business model is giving away junk for free, something has to be the product. That’s you, the user of their junk.
Then again, when your business model is giving away junk for free, something has to be the product. That’s you, the user of their junk.
Actually, that's yet ANOTHER abuse of the Enterprise Program.
You are supposed to use Testflight for testing builds of your beta apps. Not Enterprise Program.
However, Testflight has a limitation of 10,000 users. A big company like Google or Facebook might have more than 10,000 employees they want to use as guinea-pigs. And also might want to make absolutely sure that betas meant for distribution to employees only goes to employees only. (Enterprise apps are not downloaded from the App Store or Test Flight, but from an internal App Store.)
This one is less troubling, but - still - is not in compliance withe the Enterprise Program agreement.
I notice a lot of the press accounts are quite confused and confusing. A CNN report said that Google "couldn't" run beta tests because of the cancellation. And implied that's the purpose of the Enterprise Program. Of course they could. They just needed to use Testflight, like everybody else does.
I don't think it's that simple. Facebook and Google have a wide range of apps that people love and use. If you cut those out permanently, that could eat into iPhone sales. It's asking a lot to just cut them out entirely. That wouldn't be a decision they would make on a whim.
Tomorrow's headline:
Google Has Removed All Apple Products From Search Results
"We prefer to show our users the most up-to-date information, and Apple hardware just doesn't fit that description."
Google Has Removed All Apple Products From Search Results
"We prefer to show our users the most up-to-date information, and Apple hardware just doesn't fit that description."
Good. I wouldn't use Facebook at all if it wasn't for two core groups I"m apart of, and my business using them for advertising. Google is better, but only slightly. The fact that tech people are so fond of google while dissing apple (epically around their phones) is insane to me. Yes, the camera's a little better for low light. You know what? I'll take privacy and reliability over a pixel any day. Besides, hopefully by next year apple's caught up with their camera's and then its a win win for using iPhones 
Not quite that simple.
TestFlight Beta Testing is an Apple product that makes it easy to invite users to test your iOS, watchOS and tvOS apps before you release them to the App Store.
What Facebook and Google are doing has nothing to do with Beta testing. Besides this way they would not be able to offer the incentives to the customers. Are you sure Apple would not shut them down if they discovered this type of use for TestFlight? The issue demonstrates the limits of App Store approach (when other mechanisms of app installations are not allowed). Android has a clear advantage here. On a side note, I would not be surprised if the companies started incentivizing their employees to purchase Android devices (or at least avoid Apple for purchasing company devices).
[doublepost=1549047999][/doublepost]
I see your point to a degree. However, user privacy belongs to the user not Apple. In this case users want to share certain data (there might be various reasons for that, compensation being one of them). Apple prevents the users from doing it. This is improper intervention in the people lives. For example, would we want the government banning TV channels paid for by advertising?
I don't think they were implying that FB/Google should have used TestFlight instead. They were just pointing out the purposes of each program:
- TestFlight is for external testing of betas with the intention of eventual release on the App Store
- Enterprise is for internal apps, for use by your employees
It would be an obvious abuse of TestFlight to use it to collect data that would be disallowed in the App Store. It would be a case of "bad faith". And Apple would likely catch it anyway, since TestFlight releases ARE vetted by Apple before they are released for test.
BTW, it is explicitly prohibited to take payment in connection with TestFlight releases. I dunno about the other way around - making payment to a TestFlight app user. I didn't investigate that, because it's not applicable to my use case.
I think there is still a shoe or a dozen to drop with regard to what I perceive as bogus outside "testing" companies that use Enterprise certificates!
There is a difficult spot in the Enterprise Program for enterprise apps that companies would like to be used by outsiders that they do business with. I suspect Apple winks and nods on a case-by-case basis. But who knows, there may be a whole shoe tree yet to drop.
For example, an Uber driver is not an employee of Uber. But Uber is taking no chances - at least currently. The Uber Driver App is available in the app store. I've a friend who once drove for Uber. At the time, they had them go into the office and load over a USB connection. They MIGHT have gotten slapped for that.
So, Uber Driver is an App Store app, and Uber has to make sure it has sufficient security so that it is not hacked. Putting it behind an Enterprise Store would give them a modicum of extra security, but is not something possible under the terms of the Enterprise Program.
I've dealt with this very issue myself, I feel we made the right decision by putting the app in the App Store, and not taking chances.
1. You can't apply the hypothetical scenario of Google blocking Apple and at the same time maintain the status quo of a world where Google is on Apple devices. You have to equally apply what affect that would have on Google. If Google pulled YouTube for example, all the big content creators would go somewhere else where they can reach all of their viewers. Advertisers who favour Apple users (Apple users spend 2:1 more than Android users), would advertise on other platforms where they can reach a universal audience.
2. Why would Google leaving make Apple a walled garden? It would be the same Apple it is today, just without Google. Facebook, Instagram, Microsoft, Vimeo and hundreds of other third party apps in the world's biggest App Store would be still be a part of the ecosystem.
3. Google on the other hand would have abdicated access to its highest spending demographic. If you want to ask anybody how valuable Apple is to Google, ask Google: they spend $9 billion dollars a year, just for preferred placement in Safari.
None of this is going to happen because Google isn't stupid but if Google were to pull all their apps from iOS, you can bet your life that eager competitors like Facebook, Instagram, Microsoft, Vimeo, etc would gladly fill the void.
This is a very good explanation of the issue: https://techcrunch.com/2019/02/01/f...ed&utm_campaign=Feed:+Techcrunch+(TechCrunch)
Facebook and Google landed in hot water with Apple this week after two investigations by TechCrunch revealed the misuse of internal-only certificates — leading to their revocation, which led to a day of downtime at the two tech giants.
Confused about what happened? Here’s everything you need to know.
How did all this start, and what happened?
On Monday, we revealed that Facebook was misusing an Apple-issued certificate that is only meant for companies to use to distribute internal, employee-only apps without having to go through the Apple App Store. But the social media giant used that certificate to sign an app that Facebook distributed outside the company, violating Apple’s rules.
The app, known simply as “Research,” allowed Facebook access to all the data flowing out of the device it was installed on. Facebook paid users — including teenagers — $20 per month to install the app. But it wasn’t clear exactly what kind of data was being vacuumed up, or for what reason.
It turns out that the app was a repackaged app that was effectively banned from Apple’s App Store last year for collecting too much data on users.
Apple was angry that Facebook was misusing its special-issue certificates to push an app it already banned, and revoked it — rendering the app useless. But Facebook was using that same certificate to sign its other employee-only apps, effectively knocking them offline until Apple re-issued the certificate.
Then, it turned out Google was doing almost exactly the same thing with its Screenwise app, and Apple’s ban-hammer fell again.
What’s the controversy over these certificates and what can they do?
If you want to develop Apple apps, you have to abide by its rules.
A key rule is that Apple doesn’t allow app developers to bypass the App Store, where every app is vetted to ensure it’s as secure as it can be. It does, however, grant exceptions for enterprise developers, such as to companies that want to build apps that are only used internally by employees. Facebook and Google in this case signed up to be enterprise developers and agreed to Apple’s developer terms.
Apple granted each a certificate that grants permission to distribute apps they develop internally — including pre-release versions of the apps they make, for testing purposes. But these certificates aren’t allowed to be used for ordinary consumers, as they have to download apps through the App Store.
Why is “root” certificate access a big deal?
Because Facebook’s Research and Google’s Screenwise apps were distributed outside of Apple’s App Store, it required users to manually install the app — known as sideloading. That requires users to go through a convoluted few steps of downloading the app itself, and opening and installing either Facebook or Google’s certificate.
Both apps then required users to open another certificate — known as a VPN configuration profile — allowing all of the data flowing out of that user’s phone to funnel down a special tunnel that directs it all to either Facebook or Google, depending on the app you installed.
This is where Facebook and Google’s cases differ.
Google’s app collected data and sent it off to Google for research purposes, but couldn’t access encrypted data — such as iMessages, or other end-to-end encrypted content.
Facebook, however, went far further. Its users were asked to go through an additional step to trust the certificate at the “root” level of the phone. Trusting this “root certificate” allowed Facebook to look at all of the encrypted traffic flowing out of the device — essentially what we call a “man-in-the-middle” attack. That allowed Facebook to sift through your messages, your emails, and any other bit of data that leaves your phone. Only apps that use certificate pinning — which reject any certificate that isn’t its own — were protected.
Facebook’s Research app requires Root Certificate access, which Facebook gather almost any piece of data transmitted by your phone. (Image: supplied)
Google’s app might not have been able to look at encrypted traffic, but the company still flouted the rules and got its certificate revoked anyway.
What data did Facebook have access to on iOS?
It’s hard to know for sure, but it definitely had access to more data than Google.
Facebook said its app was to help it “understand how people use their mobile devices.” In reality, at root traffic level, Facebook could have accessed any kind of data that left your phone.
Will Strafach, a security expert who we spoke to for our story, said: “If Facebook makes full use of the level of access they are given by asking users to install the certificate, they will have the ability to continuously collect the following types of data: private messages in social media apps, chats from in instant messaging apps – including photos/videos sent to others, emails, web searches, web browsing activity, and even ongoing location information by tapping into the feeds of any location tracking apps you may have installed.”
Remember: this isn’t “root” access to your phone, like jailbreaking, but root access to the network traffic.
How does this compare to the technical ways other market research programs work?
In fairness, these aren’t market research apps unique to Facebook or Google. Several other companies, like Nielsen and comScore, run similar programs, but neither ask users to install a VPN or provide root access to the network.
In any case, Facebook already has a lot of your data — as does Google. Even if the companies only wanted to look at your data in aggregate with other people, it can still hone in on who you talk to, when, for how long, and in some cases what about. It might not have been such an explosive scandal had Facebook not spent the last year cleaning up after several security and privacy breaches.
Mark Zuckerberg is ‘proud’ of how Facebook handled its scandals this year
Can they capture the data of people the phone owner interacts with?
In both cases, yes. In Google’s case, any unencrypted data that involves another person’s data could have been collected. In Facebook’s case, it goes far further — any data of yours that interacts with another person, such as an email or a message, could have been collected by Facebook’s app.
How many people did this affect?
It’s hard to know for sure. Neither Google nor Facebook have said how many users they have. Between them, it’s believed to be in the thousands. As for the employees affected by the app outages, Facebook has more than 35,000 employees and Google has more than 94,000 employees.
Why did internal apps at Facebook and Google break after Apple revoked the certificates?
You might own your Apple device, but Apple still gets to control what goes on it.
After Facebook was caught out, Apple said: “Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.” That meant any app that relied on the certificate — including inside the company — would fail to load. That’s not just pre-release builds of Facebook, Instagram and WhatsApp that staff were working on, but reportedly the company’s travel and collaboration apps were down. In Google’s case, even its catering and lunch menu apps were down.
Facebook’s internal apps were down for about a day, while Google’s internal apps were down for a few hours. None of Facebook or Google’s consumer services were affected, however.
How are people viewing Apple in all this?
Nobody seems thrilled with Facebook or Google at the moment, but not many are happy with Apple, either. Even though Apple sells hardware and doesn’t use your data to profile you or serve you ads — like Facebook and Google do — some are uncomfortable with how much power Apple has over the customers — and enterprises — that use its devices.
In revoking Facebook and Google’s enterprise certificates and causing downtime, it has a knock-on effect internally.
Is this legal in the U.S.? What about in Europe with GDPR?
Well, it’s not illegal — at least in the U.S. Facebook says it gained consent from its users. The company even said its teenage users must obtain parental consent, even though it was easily skippable and no verification checks were made. It wasn’t even explicitly clear that the children who “consented” really understood how much privacy they were really handing over.
Facebook’s VPN app puts spotlight on kids’ consent
That could lead to major regulatory headaches down the line. “If it turns out that European teens have been participating in the research effort Facebook could face another barrage of complaints under the bloc’s General Data Protection Regulation (GDPR) — and the prospect of substantial fines if any local agencies determine it failed to live up to consent and ‘privacy by design’ requirements baked into the bloc’s privacy regime,” wrote TechCrunch’s Natasha Lomas.
Who else have been misusing certificates?
Don’t think that Facebook and Google are alone in this. It turns out that a lot of companies might be flouting the rules, too.
According to many finding companies on social media, Sonos uses enterprise certificates for its beta program, as does finance app Binance, as well as DoorDash for its fleet of contractors. It’s not known if Apple will also revoke their certificates.
Facebook and Google landed in hot water with Apple this week after two investigations by TechCrunch revealed the misuse of internal-only certificates — leading to their revocation, which led to a day of downtime at the two tech giants.
Confused about what happened? Here’s everything you need to know.
How did all this start, and what happened?
On Monday, we revealed that Facebook was misusing an Apple-issued certificate that is only meant for companies to use to distribute internal, employee-only apps without having to go through the Apple App Store. But the social media giant used that certificate to sign an app that Facebook distributed outside the company, violating Apple’s rules.
The app, known simply as “Research,” allowed Facebook access to all the data flowing out of the device it was installed on. Facebook paid users — including teenagers — $20 per month to install the app. But it wasn’t clear exactly what kind of data was being vacuumed up, or for what reason.
It turns out that the app was a repackaged app that was effectively banned from Apple’s App Store last year for collecting too much data on users.
Apple was angry that Facebook was misusing its special-issue certificates to push an app it already banned, and revoked it — rendering the app useless. But Facebook was using that same certificate to sign its other employee-only apps, effectively knocking them offline until Apple re-issued the certificate.
Then, it turned out Google was doing almost exactly the same thing with its Screenwise app, and Apple’s ban-hammer fell again.
What’s the controversy over these certificates and what can they do?
If you want to develop Apple apps, you have to abide by its rules.
A key rule is that Apple doesn’t allow app developers to bypass the App Store, where every app is vetted to ensure it’s as secure as it can be. It does, however, grant exceptions for enterprise developers, such as to companies that want to build apps that are only used internally by employees. Facebook and Google in this case signed up to be enterprise developers and agreed to Apple’s developer terms.
Apple granted each a certificate that grants permission to distribute apps they develop internally — including pre-release versions of the apps they make, for testing purposes. But these certificates aren’t allowed to be used for ordinary consumers, as they have to download apps through the App Store.
Why is “root” certificate access a big deal?
Because Facebook’s Research and Google’s Screenwise apps were distributed outside of Apple’s App Store, it required users to manually install the app — known as sideloading. That requires users to go through a convoluted few steps of downloading the app itself, and opening and installing either Facebook or Google’s certificate.
Both apps then required users to open another certificate — known as a VPN configuration profile — allowing all of the data flowing out of that user’s phone to funnel down a special tunnel that directs it all to either Facebook or Google, depending on the app you installed.
This is where Facebook and Google’s cases differ.
Google’s app collected data and sent it off to Google for research purposes, but couldn’t access encrypted data — such as iMessages, or other end-to-end encrypted content.
Facebook, however, went far further. Its users were asked to go through an additional step to trust the certificate at the “root” level of the phone. Trusting this “root certificate” allowed Facebook to look at all of the encrypted traffic flowing out of the device — essentially what we call a “man-in-the-middle” attack. That allowed Facebook to sift through your messages, your emails, and any other bit of data that leaves your phone. Only apps that use certificate pinning — which reject any certificate that isn’t its own — were protected.
Facebook’s Research app requires Root Certificate access, which Facebook gather almost any piece of data transmitted by your phone. (Image: supplied)
Google’s app might not have been able to look at encrypted traffic, but the company still flouted the rules and got its certificate revoked anyway.
What data did Facebook have access to on iOS?
It’s hard to know for sure, but it definitely had access to more data than Google.
Facebook said its app was to help it “understand how people use their mobile devices.” In reality, at root traffic level, Facebook could have accessed any kind of data that left your phone.
Will Strafach, a security expert who we spoke to for our story, said: “If Facebook makes full use of the level of access they are given by asking users to install the certificate, they will have the ability to continuously collect the following types of data: private messages in social media apps, chats from in instant messaging apps – including photos/videos sent to others, emails, web searches, web browsing activity, and even ongoing location information by tapping into the feeds of any location tracking apps you may have installed.”
Remember: this isn’t “root” access to your phone, like jailbreaking, but root access to the network traffic.
How does this compare to the technical ways other market research programs work?
In fairness, these aren’t market research apps unique to Facebook or Google. Several other companies, like Nielsen and comScore, run similar programs, but neither ask users to install a VPN or provide root access to the network.
In any case, Facebook already has a lot of your data — as does Google. Even if the companies only wanted to look at your data in aggregate with other people, it can still hone in on who you talk to, when, for how long, and in some cases what about. It might not have been such an explosive scandal had Facebook not spent the last year cleaning up after several security and privacy breaches.
Mark Zuckerberg is ‘proud’ of how Facebook handled its scandals this year
Can they capture the data of people the phone owner interacts with?
In both cases, yes. In Google’s case, any unencrypted data that involves another person’s data could have been collected. In Facebook’s case, it goes far further — any data of yours that interacts with another person, such as an email or a message, could have been collected by Facebook’s app.
How many people did this affect?
It’s hard to know for sure. Neither Google nor Facebook have said how many users they have. Between them, it’s believed to be in the thousands. As for the employees affected by the app outages, Facebook has more than 35,000 employees and Google has more than 94,000 employees.
Why did internal apps at Facebook and Google break after Apple revoked the certificates?
You might own your Apple device, but Apple still gets to control what goes on it.
After Facebook was caught out, Apple said: “Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.” That meant any app that relied on the certificate — including inside the company — would fail to load. That’s not just pre-release builds of Facebook, Instagram and WhatsApp that staff were working on, but reportedly the company’s travel and collaboration apps were down. In Google’s case, even its catering and lunch menu apps were down.
Facebook’s internal apps were down for about a day, while Google’s internal apps were down for a few hours. None of Facebook or Google’s consumer services were affected, however.
How are people viewing Apple in all this?
Nobody seems thrilled with Facebook or Google at the moment, but not many are happy with Apple, either. Even though Apple sells hardware and doesn’t use your data to profile you or serve you ads — like Facebook and Google do — some are uncomfortable with how much power Apple has over the customers — and enterprises — that use its devices.
In revoking Facebook and Google’s enterprise certificates and causing downtime, it has a knock-on effect internally.
Is this legal in the U.S.? What about in Europe with GDPR?
Well, it’s not illegal — at least in the U.S. Facebook says it gained consent from its users. The company even said its teenage users must obtain parental consent, even though it was easily skippable and no verification checks were made. It wasn’t even explicitly clear that the children who “consented” really understood how much privacy they were really handing over.
Facebook’s VPN app puts spotlight on kids’ consent
That could lead to major regulatory headaches down the line. “If it turns out that European teens have been participating in the research effort Facebook could face another barrage of complaints under the bloc’s General Data Protection Regulation (GDPR) — and the prospect of substantial fines if any local agencies determine it failed to live up to consent and ‘privacy by design’ requirements baked into the bloc’s privacy regime,” wrote TechCrunch’s Natasha Lomas.
Who else have been misusing certificates?
Don’t think that Facebook and Google are alone in this. It turns out that a lot of companies might be flouting the rules, too.
According to many finding companies on social media, Sonos uses enterprise certificates for its beta program, as does finance app Binance, as well as DoorDash for its fleet of contractors. It’s not known if Apple will also revoke their certificates.
That was a waste of ten minutes. Google dominates the download ranking in almost every category. Other companies are strong, but none dominate video and services in the app store like Google. Google makes the apps people want to use to make iPhones better. Without Google's apps, iOS is a second rate experience.
Poor maps
Poor email
Second rate Photo app
No replacement video service - Youtube is the undisputed champ
The list goes on.
I edited that statement. iPhone is better with Google apps like Gmail, Google Maps, and YouTube.
Heck, the first iPhone shipped with two of those three out of the box because they were (and still are) the best on the market.
I would disagree with that. Maps is fine now. I find for some things it's better than google maps, in others google maps is better. We camp a lot on tow a trailer all over the place. Apple maps works just as well for me.
Email is fine. Not sure what that complaint is. I gave up gmail after using it for more than a decade. No problem. There's nothing i'm missing. Other than google reading my email and advertising to me.
Photo app is fine too. They both have their pros and cons but I don't find one to necessarily be better than the other.
Can't argue about youtube. It's really all there is.
It's just as fine as gmail. I dare say better. What is it that it's missing that the vast majority of people need? Email comes in, read, respond. Same as gmail. What's the issue?
Apple Maps is just as fine as google maps. Both are fine. They both accurately get me to where I need to go. Apple maps displays the info better so it's quicker to see what I need. It's more visaul appealing. And I like how it provides the info for optional routes and the way the optional routes can be viewed.
I like google maps offline mode. Though if they didn't have that i'd probably drop it entirely.
I could choose from several $1000 android phones and have a "fine" experience as well I suppose. Though I can get the apps I want on my iphone as well and have the best of both worlds. Seems like a better value to me.
Last edited:
- Better spam protection
- Better search of emails
- Conversation organization (this is particularly noteworthy compared to Outlook, Mail.app)
- Better labels and filters
- Crazy high free storage space
- Personal Level Indicators
- Trip View
- Google Assistant integration
It took you 10 minutes to read 3 bullet points? Well, that explains your inability to think three dimensionally. You can’t accurately measure a situation in a hypothetical future where Google isn’t available on Apple devices while maintaining the exact conditions for Google as if it were available on all platforms.
Google is successful because it’s universally available. Remove it from all Apple devices and one of the other strong competitors will step in to fill the void and Google won’t be able to compete because they’re not available on Apple devices.
What’s easier? Replacing all your Apple devices, an iPhone, a Mac, an iPad, an Apple Watch... or going to Outlook.com and signing up for a new email address in 5 minutes? Most of the people who are deeply ingrained in Google’s ecosystem are already on Android.