Facebook Paying Teens $20/Month to Install Data Harvesting VPN App on iPhones

Enterprise certificates like this are designed to allow companies to distribute internal corporate apps and give full root access to a device.

This seems to be confusing a root certificate with root access, but they're totally different things.

A root certificate is a top level cryptographic certificate normally used to sign further certificates tied to specific domains. For instance, your browser almost certainly contains a root certificate from GlobalSign, who may then, for instance, use that certificate to sign a certificate tied specifically to the domain google.com. When you then connect to https://www.google.com, your browser knows the remote server can be trusted because it can verify the server's certificate against the already-known root certificate from GlobalSign. (This presumes, of course, that GlobalSign hasn't been compromised and hasn't issued a fraudulent certificate.)

By installing their own root certificate, a third party can impersonate a trusted server under any domain. Combined with a VPN routing all traffic through that third party's servers, they can intercept and decrypt traffic even to otherwise secure websites.

Root access on the other hand refers to the top-level administrative account on an operating system, and generally allows unfettered access to a device's settings and data.

An enterprise provisioning profile can certainly control a lot of system settings you don't necessarily want a third party messing with (including installing root certificates and tunneling traffic through a VPN), but it most certainly does not allow root access to the device. Only a jailbreak can do that.
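
The trust-store behaviour described in the post above, as an added example that is not part of the original thread: two throwaway roots each sign a certificate for the same hostname, and the client's verdict depends only on which roots its store contains, while a fingerprint pin still flags the substituted certificate. The names `shop.example.test`, `public-ca` and `profile-ca` are assumptions, and the script assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example: every key, name and certificate here is constructed locally.
HOST=shop.example.test   # hypothetical site name

# build_demo_pki DIR: create two throwaway roots, each signing a leaf for $HOST.
# "public-ca" stands for the CA the site really uses, "profile-ca" for a root
# that a configuration profile adds to the device.
build_demo_pki() {
    for ca in public-ca profile-ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=${ca}" \
            -keyout "$1/${ca}.key" -out "$1/${ca}.pem" 2>/dev/null || return 1
        openssl req -newkey rsa:2048 -nodes -subj "/CN=${HOST}" \
            -keyout "$1/${ca}-leaf.key" -out "$1/${ca}-leaf.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$1/${ca}-leaf.csr" -CA "$1/${ca}.pem" \
            -CAkey "$1/${ca}.key" -CAcreateserial -days 1 \
            -out "$1/${ca}-leaf.pem" 2>/dev/null || return 1
    done
    # The trust store before and after the extra root is installed.
    cp "$1/public-ca.pem" "$1/store-before.pem"
    cat "$1/public-ca.pem" "$1/profile-ca.pem" > "$1/store-after.pem"
}

# chain_verdict STORE LEAF: does LEAF chain to a root in STORE?
chain_verdict() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    then echo accepted; else echo rejected; fi
}

# fp CERT: SHA-256 fingerprint of the certificate.
fp() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# pin_verdict PINNED PRESENTED: a pinning client compares fingerprints, so a
# certificate from a different issuer is flagged even if the store trusts it.
pin_verdict() {
    a=$(fp "$1"); b=$(fp "$2")
    [ -n "$a" ] && [ -n "$b" ] || { echo error; return 1; }
    if [ "$a" = "$b" ]; then echo match; else echo mismatch; fi
}

dir=$(mktemp -d) && build_demo_pki "$dir" && {
    echo "site cert, original store:    $(chain_verdict "$dir/store-before.pem" "$dir/public-ca-leaf.pem")"
    echo "other cert, original store:   $(chain_verdict "$dir/store-before.pem" "$dir/profile-ca-leaf.pem")"
    echo "other cert, root added:       $(chain_verdict "$dir/store-after.pem" "$dir/profile-ca-leaf.pem")"
    echo "pin check against other cert: $(pin_verdict "$dir/public-ca-leaf.pem" "$dir/profile-ca-leaf.pem")"
}
```

Nothing in this exercise touches operating-system privileges: the only thing that changes between the second and third verdict is the contents of the trust store.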
 
Why would Apple care? It is, as far as I can see, voluntary to enter this program. It even says FACEBOOK in capital letters before you approve. Why stop something people do voluntarily?
First of all, is sufficient explanation being given for genuine informed consent? If not, then this needs to be fixed.

Then there is the question of whether this infection is resulting in the sharing of information from uninformed third parties communicating with infected users. If so, then this is indeed an issue that Apple would presumably be interested in preventing. There should be a requirement that people who have knowingly signed up to data harvesting software should be required to have their systems put up a flag to potential or actual correspondents.

Similarly, I am not sure of the implications of infected users sharing information they may already have on their systems about third parties (both private and commercial) - would those third parties approve of this, and should they be made aware?
 
If a Chinese company did this, it would be all over the news everywhere and the reaction would be astronomical, with an immediate response by the US Gov and Apple. But a US company, Facebook, it would be mostly glossed over. Nothing much will happen of this, Facebook are definitely finding an alternative sneaky avenue as we speak, with bonuses to the employees who find it.
 
Their app doesn't violate Apple's TOS. This isn't an app, though I guess Apple could revoke the certificate they are using for this program. If they use the same cert as their main apps, oh well. Should have thought about that first, Zuckerberg.
FB doesn’t normally use an enterprise certificate.
 
Wow, when will people realize how truly evil Facebook really is.

Apple should make an example of them and ban their app, at least temporarily.
Actually, if you used an Enterprise certificate, then their Enterprise development account should be closed, and the certificate revoked. Enterprise certificates are there to install applications on devices _within your enterprise only_. So Facebook would be allowed to install this on all iPhones of Facebook employees using it for work, but not outside the Facebook company.
 
Unethical and disgusting.
And 100% unsurprising to anyone not living under a rock for the past 10 years.

I totally saw all of this crap coming. Never had an account on any social media platform. None of them. My opinion is that it’s idiotic. My “social networking” consists of a group text, email, or, *gasp* a bloody phone call. Don’t need a “wall” or a “poke” or a “friend” or a “like” or anything whatsoever that involves turning over detail #1 of my personal life to a platform whose mission is to collect it.

And now that governments see that people don’t care about their privacy, maybe the next round of street corner camera will be aimed at your apartments instead of the sidewalks. Authority will only take what you give them.
 
What moron sells all their personal data for at most $20/month. Good lord people are dumb.
Go on eBay, buy a cheap iPhone, a pay-as-you-go SIM card, and sell all your personal data from that empty phone for $20/month. Actually buy 50 cheap iPhones, and make $1,000 a month.
 
And that’s the sad state of Apple today. Tim is trying hard to make privacy the next selling point of Apple but when it comes to money, money comes first.
So Apple profits from Facebook? Details please. Unless you mean that by including the Facebook app in their app store they’re increasing their potential customer base. That’s what you mean, right?
 
Woooooow. So glad I stopped using that crap years ago. I recall reading Facebook could get all your browsing history just by having a tab open....insanity.

You forgot to give him lizard eyes ;)

I wish Facebook would focus on optimizing their app for my new iPad Pro.
 
I actually signed up for this a year ago, for $10 a month — though I never followed through because it was too much of a hassle to keep it turned on.
 
Never used Facebook because it was evil from the beginning. It literally was created for spying on people. It's just sad it takes people so long to realize and see the big picture.
I can’t stand Facebook. So glad I dumped them 5 years ago. I wish Apple would dump their enterprise app as well as their regular app to get the point across.
I hope you don't have whatsapp or insta...
It's time to dump those as well. All your friends are using it? Then be the first one to use something else and convince them. Don't be the sheep that follows the herd.
 
To put it mildly, Facebook is a criminal enterprise and Apple should remove all its apps from the App store for several reasons, the first being breach of terms.

That is what would happen to any other developer. It is pretty obvious.
 
Does anyone have any facts around the enterprise/root certificate? Even with installing such a cert (I have one from my company so I can access company servers), I'd be surprised if that allows the cert owner to eavesdrop on everything on your phone, including private emails and especially encrypted chats.

Does anyone know if this is actually true for enterprise/root certs? If so, I think Apple is granting too much power to ANY cert owner, not just FB.
 