Classic Facebook/Google privacy violation. I am shocked ........ not
Did they not post up front what the deal was? If so, where is the real privacy violation?
Is there any room left on that bandwagon you're driving?
To put it mildly, Facebook is a criminal enterprise and Apple should remove all its apps from the App store for several reasons, the first being breach of terms.

That is what would happen to any other developer. It is pretty obvious.
Careful what you wish for.
 
??

Facebook has no subscription fee and the app is free. (Which is to say that it only costs you your privacy, but no money directly.)
But if it harvests your information and it’s offered through the App Store by Apple, why doesn’t Apple ban this app from the store if it holds privacy in such high regard?

Aren’t other apps banned for the same reasons? Apple should give you a warning in the App Store that this app harvests your privacy and that it’s your choice to do so when installing through the App Store. A sort of parental control for apps.
 
What moron sells all their personal data for at most $20/month. Good lord people are dumb.

This moron. Why not sell Facebook something that Google already has? I'm not losing anything by them having my information. I've enjoyed the gift cards every month, and it's not like they didn't tell us right up front what the VPN was for. That's why when it's running, you can't access anything Google/Amazon.
But if it harvests your information and it’s offered through the App Store by Apple, why doesn’t Apple ban this app from the store if it holds privacy in such high regard?

Aren’t other apps banned for the same reasons? Apple should give you a warning in the App Store that this app harvests your privacy and that it’s your choice to do so when installing through the App Store. A sort of parental control for apps.

It's not offered through the app store. It's back-loaded to get around Apple. I should think people would be thrilled that this can be done to "get one over on Apple."

Does no one see that they're all the same, Apple/Facebook/Google, and they all have all our data anyway?
 
Does anyone have any facts around the enterprise/root certificate? Even with installing such a cert (I have one from my company so I can access company servers), I'd be surprised if that allows the cert owner to eavesdrop on everything on your phone, including private emails and especially encrypted chats.

Does anyone know if this is actually true for enterprise/root certs? If so, I think Apple is granting too much power to ANY cert owner, not just FB.
Short answer: YES.

In most operating systems certificates are used system-wide once they are in the trust store. I assume this is the case for iOS as well.
A root certificate means that the owner could give you a trusted certificate for any domain, i.e. in the browser you would see the lock indicating the connection is encrypted. However, in order to intercept the traffic between the phone and the target you also need to re-route the traffic. With the traffic going over Facebook's VPN and the phone treating all certificates issued by the Facebook certificate authority as trusted, the following will happen:

Phone -> stealth Facebook Reverse Proxy -> actual Website
The phone will think the Facebook reverse proxy is the website, since the reverse proxy supplies a trusted certificate (issued by Facebook) proving the connection is secure. The proxy then decrypts the traffic (everything, including passwords, usernames, ...), connects to the real website, fetches the requested information from it and forwards it to the phone.

If that is done by a hacker it's called a man-in-the-middle attack. SSL/TLS was created to prevent exactly this. Without the root certificate installed, the user would see the typical warning "connection not trusted" or "untrusted certificate" or similar.

Just to make this very clear: NEVER install a root certificate. If your company asks you to install one, it's usually so you can access local servers without a certificate warning; however, they might also crack open all your internet traffic for security analysis. This is legit for company phones only.

To give an actual example:

Validated by DigiCert. They are a legit Cert Authority. If that instead says "Facebook Inc" and your traffic went over a VPN, it most likely means Facebook knows everything you did here, including your credentials.
[screenshot of the site's certificate details, showing "Validated by DigiCert"]


@MacRumors TLS 1.3. Nice!
 
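To show the mechanism the post above describes rather than just assert it, here is an added example (my own, not from the thread or from any of the companies named) that uses the openssl CLI to build two constructed root CAs, a "public" one standing in for the system trust store and a "research VPN" one standing in for the user-installed root, then issues a certificate for www.example.com from each and validates them the way a TLS client does. All names, domains and file paths are made up for the demo; it needs only a working openssl binary.

```shell
#!/bin/sh
# Added example, not from the thread: reproduces the trust problem the post
# describes, using the openssl CLI. Names and domains below are made up.
set -eu

WORK="$(mktemp -d)"

# Create a self-signed CA ($1 = name shown in the cert, $2 = output prefix).
# The "public" CA is built the same way as the interception CA only so the
# demo runs offline; in real life it would come from the OS trust store.
make_ca() {
  name="$1"; out="$2"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$out.key" -out "$out.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$out.ext"
  openssl x509 -req -in "$out.csr" -signkey "$out.key" -days 1 \
    -extfile "$out.ext" -out "$out.pem" 2>/dev/null
}

# Issue a leaf certificate for domain $2, signed by the CA at prefix $1, into
# prefix $3. Nothing here checks that the CA owns the domain: any CA your
# device trusts can sign a certificate for any name.
make_leaf() {
  ca="$1"; domain="$2"; out="$3"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$domain" \
    -keyout "$out.key" -out "$out.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$domain" > "$out.ext"
  openssl x509 -req -in "$out.csr" -CA "$ca.pem" -CAkey "$ca.key" -set_serial 1001 \
    -days 1 -extfile "$out.ext" -out "$out.pem" 2>/dev/null
}

# Validate a leaf ($3) the way a TLS client does: chain it to a root in the
# trust store ($1) and match the host name ($2). Prints "ok" or "untrusted".
verify_with_store() {
  store="$1"; host="$2"; leaf="$3"
  if openssl verify -CAfile "$store" -verify_hostname "$host" "$leaf" >/dev/null 2>&1; then
    echo ok
  else
    echo untrusted
  fi
}

# Who signed a certificate: the issuer is the "Validated by ..." field that a
# certificate viewer shows.
issuer_of() {
  openssl x509 -in "$1" -noout -issuer
}

# Demo: a genuine site certificate from the public CA, and a look-alike for the
# same host from the interception CA.
make_ca "Public Root CA (constructed)" "$WORK/public"
make_ca "Research VPN Root CA (constructed)" "$WORK/research"
make_leaf "$WORK/public" "www.example.com" "$WORK/genuine"
make_leaf "$WORK/research" "www.example.com" "$WORK/lookalike"

echo "genuine:   $(issuer_of "$WORK/genuine.pem")"
echo "lookalike: $(issuer_of "$WORK/lookalike.pem")"
# Without the research root in the trust store, the look-alike is rejected.
echo "lookalike vs public store:   $(verify_with_store "$WORK/public.pem" www.example.com "$WORK/lookalike.pem")"
# Once the user installs the research root, the same certificate is accepted.
echo "lookalike vs research store: $(verify_with_store "$WORK/research.pem" www.example.com "$WORK/lookalike.pem")"
```

The two verify lines are the whole point: the certificate bytes served by the proxy do not change, only the trust store does, and that is enough to turn a hard TLS failure into a green lock. The issuer line is the check a practitioner can make from the phone itself: on iOS, user-installed roots are listed under Settings > General > About > Certificate Trust Settings, and anything enabled there can sign a certificate that passes the check above.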
I can't believe people still use FB and Google.

It's too late for us, the naive '90s internet users who thought the internet was ad-supported like free TV channels, but if I ever have a kid these will be the rules:
1) Do not create an account
2) Do not use free apps/services
3) For any image/audio/message you send, make sure it would be something you would be proud of if it was posted on the front page of a newspaper
 
...and you guys worry about Google.
Google has its own mobile phone platform and Google Analytics or similar on almost any website. They don't get stuff like credentials, but they do get all the metadata. The screenshot below is from the MacRumors forum, taken just now (plugin is NoScript).

[screenshot of the NoScript panel for the MacRumors forum]
 
I can't believe people still use FB and Google.

It's too late for us, the naive '90s internet users who thought the internet was ad-supported like free TV channels, but if I ever have a kid these will be the rules:
1) Do not create an account
2) Do not use free apps/services
3) For any image/audio/message you send, make sure it would be something you would be proud of if it was posted on the front page of a newspaper

It doesn't matter. Google has you, no matter what you do.

https://gizmodo.com/i-cut-google-out-of-my-life-it-screwed-up-everything-1830565500
 
But if it harvests your information and it’s offered through the App Store by Apple, why doesn’t Apple ban this app from the store if it holds privacy in such high regard?

Aren’t other apps banned for the same reasons? Apple should give you a warning in the App Store that this app harvests your privacy and that it’s your choice to do so when installing through the App Store. A sort of parental control for apps.
I agree with the first point. But they’d then have to sort which social apps are “nefarious” and which aren’t. The easy ones, like FB, are easy, but there’s a lot of gray here.

And even FB isn’t doing this enterprise certificate workaround garbage to everyone, just a select subset of users. So Apple, on those grounds alone, couldn’t be justified to ban the entire app for all users. Removing the app could be [deservedly] punitive for FB, but it would hurt themselves too, which goes back to your first point.
 
I agree with the first point. But they’d then have to sort which social apps are “nefarious” and which aren’t. The easy ones, like FB, are easy, but there’s a lot of gray here.

And even FB isn’t doing this enterprise certificate workaround garbage to everyone, just a select subset of users. So Apple, on those grounds alone, couldn’t be justified to ban the entire app for all users. Removing the app could be [deservedly] punitive for FB, but it would hurt themselves too, which goes back to your first point.
Thanks for your logic and explanation :)
 
Pretty sure this goes against the Terms of Service of Apple's Enterprise Developer accounts: These accounts are intended to be used within organizations by and among its employees, contractors, etc, but not the general public. Is Facebook calling these victims "employees" because it paid them $20 for their "service?" They're definitely in violation of SOME contract law here.
 
This moron. Why not sell Facebook something that Google already has? I'm not losing anything by them having my information. I've enjoyed the gift cards every month, and it's not like they didn't tell us right up front what the VPN was for. That's why when it's running, you can't access anything Google/Amazon.

It's not offered through the app store. It's back-loaded to get around Apple. I should think people would be thrilled that this can be done to "get one over on Apple."

Does no one see that they're all the same, Apple/Facebook/Google, and they all have all our data anyway?

I guess I just don’t understand how anyone would be willing to feed Facebook literally all their most intimate data for $20/month. They are one of the shadiest, most untrustworthy companies on earth. I wouldn’t do it for $100/month. Zuckerberg does not deserve my data. Apple and Facebook aren’t the same at all. Apple doesn’t sell my data to anyone. Apple doesn’t use my data to try to influence me. Google is also bad and I avoid using it as much as possible.
 
What moron sells all their personal data for at most $20/month. Good lord people are dumb.
Intelligent people who value their personal data at less than $20/month do. Intelligent people who value their data at more than $20/month don't. Presumptuous, are we?
 
I used that app for a few months - I reasoned that facebook and others already have so much access to my info, I might as well be compensated for it. If I recall correctly, the terms said that the app allowed them to monitor "browser and social media activity."

The app sucked - the VPN randomly changed locations, making location services useless. My data speed was awful, and it sucked the battery as well as chewed through data when not on wi-fi. So I deleted it.

I'm also the type of person who allows a survey company to automatically view my Amazon purchase history every month for a few bucks though, so *shrug*
 
There's some very good detailed information in This TechCrunch article being distributed by Huffington Post today:

https://www.huffingtonpost.com/entr...hat-spies-on-them_us_5c518441e4b0f43e410cc2ff

(Sorry, could not easily find the original TechCrunch article)

And this, news that Apple has now banned the app.

https://techcrunch.com/2019/01/30/apple-bans-facebook-vpn/

"Apple tells TechCrunch that yesterday evening it revoked the Enterprise Certificate that allows Facebook to distribute the Research app without going through the App Store."

It is unclear from the above just WHOSE Enterprise Certificate was revoked. It's unclear if they were using a Facebook Enterprise certificate, or one (or all?) of the 3 "beta testing" companies that they used.

There are likely more shoes to drop!

It seems Facebook did not directly use their own Enterprise program, but distributed it through three sketchy "beta testing" companies, BetaBound, uTest, and Applause. Frankly, these all seem to be in flagrant violation of the Enterprise Program, and I expect them to go down in flames.

I've looked into similar "beta testing" programs in the past, and determined they were not legitimate, and not a good idea to risk my developer program membership to use them. I can't imagine that Apple was not aware of them, and so it seems they've allowed them till now to fly under the radar.

TestFlight was a similar type of operation, until Apple bought that company a few years ago. (different in some details, as all 3 of these seem to pay "testers" to find bugs. I guess companies pay them to get beta testers to exercise their apps).

As far as these 3 companies, I did some basic searches, and IMO they are pretty-much scams for the "testers". It looks like few of them actually make any substantial money. And, of course, the Facebook use of this doesn't even conform to the intent of these company's programs. (Pay people to find bugs.)

Besides these 3 companies - which I had not heard of before, there are additional companies doing similar things to allow companies to skirt the App Store and Enterprise Program rules to side-load apps without Apple approval and without having to sign and adhere to an Enterprise Program agreement.

I don't think that Apple has any choice now but to crack down on that entire industry.

Apple has its own program - TestFlight - that allows companies to conduct beta testing. I use it myself, for its intended purpose. Apple has recently increased the total number of beta testers allowed from 1,000 to 10,000, so there is little excuse for going outside of the TestFlight testing environment.

Oh. There is one thing. Apple does review betas, just as they review App Store releases. Not as rigorously, but there is a review, and at least some automated testing on every release.

(Contrast that with Google Play Store, where I am convinced that there is normally no review whatsoever beyond PERHAPS some automated test, after initial acceptance. That is, updates don't appear to get any human review - they go online way too fast for that to be possible. This is just my observation as a developer. YMMV.)
 
If that's the case, I will quit drinking while I drive for Uber.

Haust, meet EULA.
My understanding is that FB tracks and maintains profiles on people who do not even use their services. Is that not the case?
 
Apple revoked a (whose?) Enterprise Developer certificate, before Facebook could save face (see what I did there? ;) ) by retracting the app.

Watch the news. This will be "yuge" now.
 
Intelligent people who value their personal data at less than $20/month do. Intelligent people who value their data at more than $20/month don't. Presumptuous, are we?

Yes. I presume only an idiot would use Facebook after everything we learned in 2018. Only an even bigger idiot would give Facebook root access to their device. Not only are you feeding Facebook info about yourself but also anyone and everyone you communicate with on that device is now having their side of all those conversations gobbled up without their permission.
 
Only an even bigger idiot would give Facebook root access to their device.

Well, it's not really "root access to your device", as others have also pointed out.

There are a couple of different things going on here.

- They used an Enterprise Certificate to sign the app. This permits distribution outside of the App Store or TestFlight, and the app is not subject to Apple review. There are some technical capabilities that are banned by Apple but are not impossible and would normally be caught by Apple's automated testing. For example use of private frameworks. Access to the real device UDID. Access to device interface MAC addresses. There is nothing technically stopping any app from accessing these things, but Apple checks for them as part of automated technical review for App Store and TestFlight apps.

But this is hardly "root access".

- The app installs a VPN provider. The VPN software on the device is able to see almost ALL traffic from/to the device UNENCRYPTED. The one exception would be apps that do their own end-to-end encryption and do not rely on Apple's networking framework to do SSL encryption. For example, Signal would be one app that would not be subject to snooping on content. Such apps are not so common; they would have to incorporate their own copy of, for example, OpenSSL. And they also would possibly be subject to some increased export restrictions.

Note that there are VPN providers available in the App Store. But they are declared to be VPN providers, and are vetted VERY carefully.

When you use a VPN on an iOS device - whether with a VPN shim installed, or with iOS native VPN support - you have to install a "root certificate" for the domain you are connecting to. This is not as scary as it sounds. It's actually the "public key" for the endpoint the device is connecting to. It ensures that the device is talking to the endpoint it is supposed to be talking to. It's just a scary-sounding use of the word "root", that has nothing to do with "rooting" a device, or providing "root access" to the operating system.

None of this to imply that Facebook is not evil!
 
I know what Apple will do here. Nothing!

Under Steve Jobs' leadership, Apple made a huge decision to NOT support "Flash" content on their mobile devices, saying it was inefficient and a resource hog. This is so, so much worse. How can Tim Cook and Apple support this? Apple is probably the only hardware/software company big enough to actually be effective at not only condemning Facebook's unethical practices but doing something about it. Come on Tim, show some guts.

And that’s the sad state of Apple today. Tim is trying hard to make privacy the next selling point of Apple, but when it comes to money, money comes first.
https://www.macrumors.com/2019/01/30/facebook-to-shut-down-ios-market-research-app/

https://www.macrumors.com/2019/01/30/apple-disables-facebook-internal-apps/
 
A moron who's smart enough to reactivate an old iPhone as a "burner" on a cheap prepaid plan and fill it with useless data and pocket $20/month. I think TMO has a very cheap $3-5 prepaid plan. And because iPhones use iMessage, you won't lose out on the limited text amount or minutes. Netting $15 a month may not seem much, but when you're doing it and screwing over Facebook by submitting dud data, then it's somewhat clever. $180/year for doing practically nothing isn't bad.

Except an "old iPhone", that's new enough to be able to run this, is worth at least $180 (if not more), so you're essentially validating FB's decision to run a program like this, even if providing dud data. And you're doing it essentially for no profit…

I guess that "moron" is not as "smart" as they thought… which makes sense! ;)
 
Nobody can say Facebook doesn't value private data. The value is $20.
It's baked into iOS. It would take some major backlash and constant mention by the media for them to do something about Facebook. Same with Twitter.

Not anymore since iOS 11.
 