Over the past three years, Facebook has paid consumers as young as 13 to download a "Facebook Research" application that gives the company broad access to their mobile devices, according to a TechCrunch report published Tuesday. To let iPhone owners participate, Facebook sidestepped the strict privacy rules Apple enforces in the App Store by leveraging an enterprise app program designed for internal business use. Apple soon announced that it was revoking Facebook's access to its Developer Enterprise Program, which also allowed the company to distribute custom iOS apps to its own employees. Apple's decision reportedly caused chaos inside the social network, leaving employees unable to access the internal apps they use for their jobs.
As Facebook deals with the fallout from yet another privacy scandal, it's worth unpacking how its research app worked.
Facebook reportedly paid users between $13 and $35 a month to download the app through beta-testing companies such as Applause, BetaBound and uTest. Participants learned about the opportunity via Snapchat and Instagram ads, according to TechCrunch. Minors were required to obtain consent from their parents. Once approved, participants downloaded the app through their browser, not through the Google Play Store or the Apple App Store.
Typically, Apple does not allow app developers to bypass the App Store, but the company's enterprise program is an exception. It enables companies to create custom apps that aren't meant to be downloaded publicly, like an iPad app for signing in guests at a corporate office. But Facebook used this program for a consumer research app that Apple says violates its rules. "Facebook has used their membership to distribute a data collection app to consumers, which is a clear breach of their agreement with Apple," a spokesman said in a statement. "Any developer using their business certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data." Facebook did not respond to a request for comment.
Facebook needed to bypass Apple's usual policies because its Research app is particularly invasive. First, it requires users to install a so-called root certificate. This allows Facebook to see much of a user's browsing history and other network data, even when it is encrypted. The certificate is like a fake passport: with it, Facebook can pretend to be almost anyone it wants. If you visit a clothing retailer's website, for example, Facebook can use the root certificate to pretend to be the store and see the pants you were looking to buy. "You allow Facebook to pretend to be whoever they want to be on the Internet. Your device will rely on the certificates they generate," said David Choffnes, a professor and mobile-network researcher at Northeastern University.
Facebook could not use its root certificate against every website or application, because some companies, such as banks, protect against attackers using such certificates for man-in-the-middle attacks with a technique called certificate pinning. The bank or other firm essentially decides that it will accept no certificate but its own, so it does not take phonies like Facebook's. "This attack doesn't work at all, but there are still a lot of apps that are vulnerable because it's not a standard threat model," Choffnes says.
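To make the trust decision in the two paragraphs above concrete, here is an added toy model (not code from the article or from any company named in it): ordinary validation accepts any certificate chaining to a root in the device trust store, including one the user was paid to install, while a pinned app also insists on the public key it expects. Certificates are plain records rather than real X.509, hostname matching is omitted, and every name and key below is constructed.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: only what the trust decision needs."""
    subject: str   # hostname the certificate claims to identify
    issuer: str    # name of the CA that signed it
    spki: bytes    # public-key bytes (a real pin hashes the DER SubjectPublicKeyInfo)


def spki_pin(cert):
    """SHA-256 of the public key: the value a pinned app ships inside its own binary."""
    return hashlib.sha256(cert.spki).hexdigest()


def evaluate(leaf, trust_store, pins=None):
    """Decide whether a device should accept `leaf` for a TLS connection.

    Standard validation accepts any chain ending in a root from `trust_store`,
    which includes roots the user installed by hand. A pinned app (pins given)
    additionally demands that the leaf key match one of the expected hashes.
    """
    if leaf.issuer not in trust_store:
        return "rejected: untrusted issuer"
    if pins is not None and spki_pin(leaf) not in pins:
        return "rejected: key does not match pin"
    return "accepted"


# Constructed sample data; the names are hypothetical, not real CAs or hosts.
PUBLIC_CA = "Public Web CA"            # an ordinary root shipped with the OS
RESEARCH_ROOT = "Research Root CA"     # the root a paid participant installs
SYSTEM_ROOTS = frozenset({PUBLIC_CA})
WITH_RESEARCH_ROOT = SYSTEM_ROOTS | {RESEARCH_ROOT}

# The site's genuine certificate, signed by the public CA.
GENUINE_LEAF = Cert("bank.example", PUBLIC_CA, b"bank-real-public-key")
# What an intercepting proxy hands the device instead: same hostname, a key the
# proxy generated itself, signed by the user-installed root.
FORGED_LEAF = Cert("bank.example", RESEARCH_ROOT, b"proxy-generated-key")

# A pinned bank app trusts only the key it was built with.
BANK_PINS = frozenset({spki_pin(GENUINE_LEAF)})

if __name__ == "__main__":
    for label, leaf, store, pins in [
        ("genuine cert, clean device, pinned app", GENUINE_LEAF, SYSTEM_ROOTS, BANK_PINS),
        ("forged cert, clean device, pinned app", FORGED_LEAF, SYSTEM_ROOTS, BANK_PINS),
        ("forged cert, research root installed, unpinned app", FORGED_LEAF, WITH_RESEARCH_ROOT, None),
        ("forged cert, research root installed, pinned app", FORGED_LEAF, WITH_RESEARCH_ROOT, BANK_PINS),
    ]:
        print(f"{label}: {evaluate(leaf, store, pins)}")
```

The third case is the one the article describes: once the research root is in the trust store, an unpinned app accepts the forged certificate silently, and only the pinned app notices that the key is wrong.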
Facebook's app also established a virtual private network (VPN) connection on demand, which means that it routed all of a participant's traffic through its own servers before passing it on to its final destination. This is essentially what all VPNs do: they obscure traffic by redirecting it, so you can hide things like your location, perhaps to use Gmail in China or to access streaming content that isn't available where you live. But VPNs typically cannot see your encrypted traffic because they do not have the right certificate. They can still look at your unencrypted traffic, which can be a problem, but the vast majority of internet traffic today flows over encrypted HTTPS connections. With its root certificate installed, however, Facebook could decrypt the browsing history or other network traffic of the people who downloaded Research, possibly even their encrypted messages.
To use a nondigital analogy, Facebook not only intercepted every letter participants sent and received, it also had the ability to open and read them. All for $20 a month!
With its VPN connection and root certificate, Facebook had the ability to gather comprehensive data from participants, including their browsing history, which apps they used and for how long, and the messages they sent. Facebook also asked some participants to view their Amazon order page, according to TechCrunch, suggesting that the social network may have been interested in consumer purchasing habits. But unless Facebook describes what it wanted to learn from Research, there is no way to know exactly what the app gathered.
"The capacity, compared to the actual things they did, is a much bigger issue," said Mike Murray, the top security officer at the mobile security firm Lookout. "Because it all happens on the backend, you can't really tell what they were doing."
Facebook has previously used a similar app to learn more about its rivals. In 2013, the social network purchased Onavo, an Israeli VPN maker that it allegedly used to monitor popular new apps in order to either copy or buy them. It used Onavo to look at WhatsApp, for example, which Facebook went on to buy in 2014. Last year, Facebook began promoting Onavo in its iOS app under the banner "Protect", but it later pulled the app from the App Store after Apple said it violated its new data-sharing policy, according to the Wall Street Journal.
Facebook is not the only company that is hungry for data about what consumers are doing on their phones. Google used Apple's enterprise program to distribute an app called Screenwise Meter, which also works as a VPN. In exchange for letting the tech giant collect and analyze their network traffic, Google gives participants gift cards for various retailers. It is part of a wider Google consumer-behavior program in which participants can install tracking software on their router, laptop browser, and TV. The difference is that Google's app doesn't require users to install a root certificate, which means it can't see encrypted traffic. Nevertheless, Google did not comply with Apple's rules, and it has now disabled the iOS version of Screenwise Meter.
"The iOS app Screenwise Meter should not have worked under Apple's developer enterprise program – it was a mistake and we apologize," a Google spokesman said in a statement. "We have disabled this app on iOS devices. The app is completely voluntary and always has been. We have been upfront with users about how we use their data in this app, we have no access to encrypted data in apps and on devices, and users can opt out of the program at any time."
Although Facebook's app is particularly invasive, a number of other companies, such as the data giant Nielsen, also pay or reward users in exchange for information about what they do online. In all cases, users download these apps and programs voluntarily, although they may not always understand the full extent of the access they are granting, especially if they are not even 18.
But if you do not plan to make money by selling your data, Facebook's latest privacy scandal is a good reminder to be careful about mobile apps that are not available for download in official app stores. It is easy to overlook how much of your information can be collected, or, for example, to install a malicious version of Fortnite. VPNs can be good privacy tools, but many free ones sell their users' data to make money. Before you download anything, especially an app that promises to make you a little extra money, it is always worth taking a look at the risks involved.