For the past three years, Facebook has been paying users as young as 13 to download a "Facebook Research" app that gives the company extensive access to their mobile devices, according to a TechCrunch report published Tuesday. To reach people with iPhones, Facebook bypassed the strict privacy rules Apple imposes on its App Store by using an enterprise program meant for internal business apps. Apple soon announced that it would revoke Facebook's access to its Developer Enterprise program, which lets the company distribute its own iOS apps to its own employees. Apple's decision has reportedly wreaked havoc at the social network, leaving workers without access to the apps they use for their jobs.
As Facebook deals with the fallout of yet another privacy scandal, it's worth understanding how its Research app works.
Facebook reportedly paid users between $13 and $35 a month to download the app through beta-testing companies like Applause, BetaBound, and uTest. Participants learned about it from Snapchat and Instagram ads, according to TechCrunch. Minors had to get their parents' consent. Once approved, participants downloaded the app through their browser, not through the Google Play Store or the Apple App Store.
Apple does not normally let app developers bypass the App Store, but the Enterprise Program is an exception. It lets businesses create custom apps that are not meant for public download, such as an iPad app that signs guests in at a corporate office. Facebook, however, used the program for a consumer research app, which Apple says violates its rules. "Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple," a spokesperson said in a statement. "Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data." Facebook did not respond to a request for comment.
Facebook had to bypass Apple's usual guidelines because its research app is particularly invasive. First, users must install a so-called "root certificate." This lets Facebook see much of your browsing history and other network data, even when it's encrypted. The certificate is like a shape-shifting passport: with it, Facebook can pretend to be almost anyone it wants. For example, if you visit a clothing retailer's website, Facebook can use the root certificate to pose as the store and see the pants you wanted to buy. "It allows Facebook to pretend to be anyone it wants to be on the internet – your device trusts the certificates they generate," says David Choffnes, a professor at Northeastern University who researches mobile networks.
Facebook could not use its root certificate on every website or app, because some companies, such as banks, protect against man-in-the-middle attacks by hackers using a technique called "certificate pinning." Essentially, the bank or other company decides not to accept just any certificate, only its own, so it won't accept phonies like Facebook's. "This attack doesn't work for everything, but there are still a lot of apps that are vulnerable because it's not a standard threat model," says Choffnes.
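The two behaviours described above, an installed interception root making the device trust a forged certificate for any site, and certificate pinning refusing anything but the expected key, as an added Go example (not code from the article, Facebook, or Apple). The hostname bank.example and both self-signed certificates are constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"math/big"
	"time"
)

// must panics on error, keeping the certificate-minting code short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSigned mints a self-signed CA cert for host (constructed test keys, not a real certificate); one stands in for the bank's genuine root, another for an interception root like the Research app's.
func selfSigned(host string) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

// SPKIPin is the SHA-256 of the SubjectPublicKeyInfo, the value a pinned app embeds instead of relying on the device trust store.
func SPKIPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

// TrustStoreAccepts models an unpinned app: any root in the device trust store that vouches for host is good enough, so an added interception root wins.
func TrustStoreAccepts(presented *x509.Certificate, roots []*x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := presented.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// PinAccepts models a pinned app: only the expected key passes, whoever signed it.
func PinAccepts(presented *x509.Certificate, pin [32]byte) bool { return SPKIPin(presented) == pin }
```

Run with `go test` alongside a test that mints a genuine and a forged certificate for the same host: the forged one passes TrustStoreAccepts once its root is installed, but never passes PinAccepts.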
Facebook's app also created a virtual private network connection, which means all of the participants' traffic was first routed through Facebook's own servers before being forwarded to its final destination. This is essentially what all VPNs do: they tunnel traffic by redirecting it, so you can hide things like your location, for example to use Gmail in China, or to access streaming shows that are not available where you live. VPNs usually cannot see your encrypted traffic, however, because they do not have the right certificate. They can still see your unencrypted traffic, which can be a problem, but the vast majority of internet traffic today travels over encrypted HTTPS connections. With the root certificate installed, though, Facebook could decrypt the browsing history and other network traffic of the users who downloaded Research, possibly even their encrypted messages.
To use a non-digital analogy, Facebook not only intercepted every letter participants sent and received, it also had the ability to open and read them. All for $20 a month!
With its VPN connection and root certificate, Facebook was able to gather extensive data from participants, including browsing history, which apps they used and for how long, and the messages they sent. According to TechCrunch, Facebook also asked some people to take screenshots of their Amazon order page, suggesting the social network may have been interested in consumers' buying habits. But unless Facebook reveals what Research was trying to learn, there's no way to know exactly what the app collected.
"Ability versus the actual things they've done is a much bigger issue," says Mike Murray, chief security officer of the mobile security company Lookout. "Since this all happens in the backend, you can't really say what they did."
Facebook has used a similar app in the past to learn more about its competitors. In 2013, the social network acquired Israeli VPN maker Onavo, which it used to research popular emerging apps to either copy or buy. Onavo gave Facebook insight into WhatsApp, which it went on to acquire in 2014. Last year, Facebook began promoting Onavo inside its iOS app under the banner "Protect." Apple later pulled the app from the App Store, however, because it violated new data-sharing guidelines, according to The Wall Street Journal.
Facebook is not the only company after data about what consumers do on their phones. Google used Apple's Enterprise program to distribute an app called Screenwise Meter, which also acts like a VPN. In exchange for letting the tech giant collect and analyze their network traffic, Google gives participants gift cards to various retailers. It's part of a broader Google consumer-behavior study in which participants can install tracking software on their router, laptop browser and TV. The difference is that Google's app did not require users to install a root certificate, so it could not see encrypted traffic. Google nonetheless did not abide by Apple's rules and has now disabled the iOS version of Screenwise.
"The Screenwise Meter iOS app should not have operated under Apple's Developer Enterprise program – this was a mistake, and we apologize," said a Google spokesperson in a statement. "We have disabled this app on iOS. This app has always been completely voluntary. We have agreed with users on the way we use their data in this app. There is no access to encrypted data in apps and on devices, and users can opt out at any time."
The Facebook app is particularly invasive, but a number of other companies pay or reward users in exchange for information about what they do online, including data giants like Nielsen. People voluntarily sign up for these apps and programs, although they may not always understand the full extent of the access they are granting, especially if they are not even 18.
Even if you don't intend to make money by selling your data, Facebook's latest privacy scandal is a good reminder that you should be careful with mobile apps that aren't available for download in official app stores. It's easy to overlook how much of your information could be gathered, or to inadvertently install a malicious version of Fortnite. VPNs can be great privacy tools, but many free ones sell your data to make money. Before you download anything, especially an app that lets you earn some money, it's always worth taking a look at the risks involved.