
Apple restores Google’s internal iOS apps after certificate misuse punishment - sidcool
https://techcrunch.com/2019/01/31/apple-ban-google-data-app/
======
coder543
I hope all of the publicity this gets will somehow bring more attention to how
much control Apple exerts over the iOS app ecosystem, and maybe bring change
there.

I think developers should be able to distribute their apps outside of the App
Store if they want, just like on macOS and Android, but Apple is allowed to
have this much control because the iPhone doesn't represent the majority of
the market, so they aren't as subject to monopoly/antitrust stuff.

I can still hope that Apple will open up their mobile platform further, one
day.

~~~
marricks
They seem to be the only body capable (and willing) to enforce privacy
measures, so god I hope you're wrong.

~~~
coder543
I don't understand how allowing people the option to download things outside
of the App Store mitigates the iPhone's ability to enforce privacy measures.
It's completely possible to sandbox apps that don't come from the App Store,
and they could even default to only allowing you to install apps from the App
Store, with a secondary security tier of "allow installation of signed apps"
and a third security tier of "allow installation of unsigned apps". If you
_choose_ to install things outside of the App Store, you would be in the
minority. Very, very few people have ever installed anything outside of the
Play Store on Android... with the exception of Fortnite.

This isn't an all-or-nothing proposition... and I'm definitely not suggesting
"iOS should run all code encountered on the internet as root".

~~~
javagram
People could click the checkboxes and give away their privacy, as panelists in
these Google and Facebook research programs did.

Some privacy advocates think that people shouldn’t have the freedom to do
that, because they can make bad choices. They aren’t wrong that a locked down
system like iOS is safer overall for users, as long as you’re ok with Apple
controlling what content you can use.

~~~
simion314
Apple can do what they want, I am happy that now we have a good example to
show people that iOS devices are more like a console and less like a computer.
I would like at least GPL software to be allowed on the store.

~~~
wukerplank
Just to clarify: It's not the GPL that is not allowed on the store, it's the
GPL that forbids putting software licensed under it on the store.

~~~
sascha_sl
Yes; and what a lot of people omit is that if you have the full copyright to a
GPL'd piece of software (because you don't accept contributions without extra
license/assignment), you can publish it to the app store.

Why do you think Wesnoth is on iOS?

~~~
saagarjha
> Yes; and what a lot of people omit is that if you have the full copyright to
> a GPL'd piece of software (because you don't accept contributions without
> extra license/assignment), you can publish it to the app store.

In this case, you're effectively dual-licensing your software.

------
GeekyBear
Apple hands companies who sign up for an enterprise signing certificate the
equivalent of a "get out of walled garden free" card, on the condition that
you not use it to distribute software to people outside your company.

This is made VERY clear when you sign up and Google, at least, made it clear
that using it to distribute software to the public violated the agreement they
had entered into.

> A Google spokesperson told The Verge, “The Screenwise Meter iOS app should
> not have operated under Apple’s developer enterprise program — this was a
> mistake, and we apologize.

[https://www.theverge.com/2019/1/30/18204064/apple-google-monitoring-phone-usage-screenwise-meter](https://www.theverge.com/2019/1/30/18204064/apple-google-monitoring-phone-usage-screenwise-meter)

------
sascha_sl
Apple would never restore services to any individual or small business like
this.

Neither would Google.

This is bullshit and Google should've been forced to deal with their mistake.

~~~
sschueller
Yes, this is why we need to stop supporting companies that run such
centralised walled gardens. This includes google, facebook, youtube,
instagram, whatsapp etc.

~~~
ajvs
Could have just said Google and Facebook since they're run by those two
companies.

~~~
sschueller
Sadly true and most on HN probably know that but even more disturbing is not
everyone knows.

------
bsaul
There really is a blind spot in the app distribution mechanisms. There is no
way to distribute your app only to a selected amount of "customer / partners".

Either you put it on the app store, and everybody can download it, or you use
an enterprise certificate but you're now at the mercy of apple having a
different definition of what you're allowed to do with it and what constitutes
a "member of the company".

~~~
Reason077
There is TestFlight:
[https://developer.apple.com/testflight/](https://developer.apple.com/testflight/)

(With the caveat that builds expire after 90 days)

~~~
bsaul
TestFlight doesn't work for b2b. You can't sell or give a private customer a
software solution then ask them to register for a test to get the iOS
software.

~~~
scarface74
You can distribute it on the App Store and only allow customers to use it via
a login. This is a solved problem and what my previous company used to do.

~~~
bsaul
You can’t do that if you also distribute apps in b2c, because people wouldn’t
understand which app to pick, it would create confusion.

Also, asking for a login at startup without providing a way to register via
the app was against the store tos, iirc.

~~~
scarface74
Again. There is an existence proof. I worked for a company in the healthcare
space that was strictly business to business; it was used for secure HIPAA
compliant messages between doctors in a hospital network.

You couldn’t use the app unless you were a doctor who belonged to a client's
network.

As far as not understanding what app to pick. There are plenty of companies
including FB that have apps for the general public and apps for a subset of
users.

~~~
bsaul
That's also a thing with app store: the fact that someone else's app works
one way doesn't mean a lot. Your app could get accepted for months and then
all of a sudden be rejected after an update makes it go through validation
again.

But that was the App store's rules, and people more or less learned to go with
it. What worries me a lot with the recent news is that the lottery could now
affect enterprise certificates as well.

~~~
scarface74
Well, you can’t register from within most of the streaming apps including
DirectvNOW, Sling TV, Netflix, etc.

------
united893
Is Apple now also going to ban Square, Sonos, Amazon, DoorDash, Instacart,
Postmates, Uber, DBS Bank, Handy, Vseen, Shiphero etc for also misusing their
certificates?

If you're going to rule with an iron fist on your walled garden, then you
better do it fairly. If they don't then they stand to be ridiculed and lose
face.

[0] Square
[https://squareup.com/help/us/en/article/5492-customer-display](https://squareup.com/help/us/en/article/5492-customer-display)

[1] Amazon
[https://www.azflexinfo.com/how-to-download-and-install-the-amazon-flex-app-on-your-phone](https://www.azflexinfo.com/how-to-download-and-install-the-amazon-flex-app-on-your-phone)

[1.5] Casino 2020
[https://www.igt.com/promotions/casino2020](https://www.igt.com/promotions/casino2020)

[2] Doordash
[https://dasherhelp.doordash.com/download-app/](https://dasherhelp.doordash.com/download-app/)

[3] Sonos
[https://twitter.com/archer_mcgee/status/1091176871734108161](https://twitter.com/archer_mcgee/status/1091176871734108161)

[4] Instacart
[https://shoppers.instacart.com/apps](https://shoppers.instacart.com/apps)

[5] Postmates
[https://fleet-help.postmates.com/hc/en-us/articles/225239347-Download-the-Postmates-Fleet-app-for-iOS](https://fleet-help.postmates.com/hc/en-us/articles/225239347-Download-the-Postmates-Fleet-app-for-iOS)

[6] Uber
[https://help.uber.com/partners/article/updating-the-driver-app-?nodeId=3b6e7a5f-41b1-4da5-b14a-6305f66dbdaf](https://help.uber.com/partners/article/updating-the-driver-app-?nodeId=3b6e7a5f-41b1-4da5-b14a-6305f66dbdaf)

[8] DBS
[https://www.dbs.com.sg/ibanking/mbanking/demo/index.html?pid=sg-dbs-lp-btnappstore-mbanking-app-download-page](https://www.dbs.com.sg/ibanking/mbanking/demo/index.html?pid=sg-dbs-lp-btnappstore-mbanking-app-download-page)

[9] Handy
[https://prohelp.handy.com/hc/en-us/articles/217292127-Download-Handy-Pro-for-iOS](https://prohelp.handy.com/hc/en-us/articles/217292127-Download-Handy-Pro-for-iOS)

[10] [https://viseven.com/ar-app](https://viseven.com/ar-app)

[11] ShipHero
[https://help.shiphero.com/article/246-trusting-ios-apps-on-device](https://help.shiphero.com/article/246-trusting-ios-apps-on-device)

Worth noting the relationship between these services and the "paid
contractors" that use the app is expressly not Employer-Employee. Facebook and
Google paid third party personnel, so do Instacart and Uber.

~~~
dman
Any idea how companies like Nielsen get their stats?

~~~
Uehreka
Last I checked it was way more low tech than you’d expect for a company people
put a lot of stock in. Basically, they put scanners on some people’s TVs
(with their permission, which is good but introduces a lot of selection bias)
and try to correlate what gets watched with the ages of the people in the
house (while not knowing who's watching what and hoping the TV doesn’t just get
left on for hours with no one watching).

~~~
Jach
They give you a remote with toggle buttons labeled with people's names so you
can tell it who is watching or if multiple people are watching. They also have
software for media pcs but you can hook up an intermediary box if you want.
They also pay you per hooked up tv, and have stats on whether a tv is a
bedroom / kitchen / family room tv.

------
shinymark
Anyone know how the revocation and subsequent reversal works at a nuts and
bolts level? I’m curious.

~~~
saagarjha
Revocation is simple: Apple simply blacklists the certificate, and iOS devices
will refuse to run the app. I'm not sure how reversal works, but it's likely
that either Google was granted a new certificate to sign their apps with or
Apple somehow has a way of "unblacklisting" certificates.

~~~
vortico
Do iPhone users lack the ability to have control over their device by adding
their own certificates?

~~~
geofft
Unjailbroken iOS users, yes - certificates are signed by Apple. That said it's
pretty easy to get a developer certificate for yourself. You just have to a)
own a Mac and b) agree to not use it externally (which is what both Facebook
and Google failed to do), but nothing prevents there being e.g. a community of
people running open-source apps that don't abide by the App Store
restrictions, all compiling them on their own machines.

~~~
eric-hu
> but nothing prevents there being e.g. a community of people running open-
> source apps that don't abide by the App Store restrictions, all compiling
> them on their own machines.

My memory could be wrong on this, but I thought this is exactly what the Flux
app did and Apple sent them a cease and desist for keeping the self compile
and self sign instructions online.

In a sense, you're still right as long as the community stays small enough
that it doesn't get the attention of Apple.

~~~
saagarjha
f.lux is not open source, and Apple told it to stop because it tried to
distribute itself as an opaque binary rather than something that users could
compile themselves.

~~~
eric-hu
I don't think this is accurate. The original announcement HN thread includes
discussion of the source, which is linked and still online on GitHub:
[https://news.ycombinator.com/item?id=10550427](https://news.ycombinator.com/item?id=10550427)

~~~
ekiru
The comment you linked discusses the source of a different project, doesn't
it?

~~~
eric-hu
You're totally right. I remembered that incorrectly and then didn't double
check when I saw the link. My mistake!

------
kyrra
It should be noted that (I don't believe) Google nor Apple acknowledged why the
certificate stopped working. And shortly after it did stop working both Google
and Apple said they were working to get it fixed.

~~~
DannyBee
Right, this is probably techcrunch saving face because they really have no
idea what they are talking about, so have to make it seem like whatever
happened was in line with what they reported.

~~~
saagarjha
Sorry, but why do you think this? The Facebook app was very clearly Onavo
rebranded and signed with an enterprise certificate; I have a copy of the file
if you'd like to check it yourself.

~~~
DannyBee
We're talking about the google one, not the facebook one.

The google one - there is no sourced evidence that apple banned them.

Apple has no reason to include friendly PR and did in the google case.

So did Google. These were coordinated messages clearly.

In the facebook case that did not happen. That suggests they are not the same.

I posited a working theory above.

~~~
saagarjha
Facebook and Google engineers have weighed in on Hacker News confirming that
their internal apps stopped working. Again, why do you think TechCrunch
doesn't know what they're talking about here?

~~~
DannyBee
Again, I don't disagree both certs were revoked, and it's been actually
confirmed that apple banned facebook.

That doesn't mean apple intentionally banned Google. This has neither been
confirmed (and is completely and totally unsourced), nor would it make any
sense for them to ban google and then issue friendly press about it.

So I'm suggesting the different reactions from apple and coordinated messaging
differences imply there is something different about this case.

~~~
saagarjha
You think that Apple _accidentally_ revoked Google's certificate?

------
georgewfraser
Why do these bigcos use native apps for internal tools? I would think a
progressive web app would be easier to maintain for multiple platforms and a
good-enough user experience for an internal tool.

~~~
TACIXAT
PWAs aren't fully supported across devices yet. For example, push
notifications don't work in iOS Safari.

~~~
beezischillin
They could just use SMS notifications instead of push notifications. Both
Google and Facebook have the infrastructure for that.

~~~
DeonPenny
But you also would have many more native devs on hand who specialize on that
device

~~~
oblio
This argument is hilarious :)

I'm pretty sure both Google and Facebook have way more webdevs available ;)

~~~
DeonPenny
But not many web devs that specialize in that device or mobile devices in
general. As someone who does both, usually the native devs have a much better
advantage if given 2 native devs vs 2 web devs. But that's just my experience.

------
DennisAleynikov
So does this mean Facebook is going to get theirs restored? Or is this some
kind of slap on the wrist for google but also not really. Very confusing
messaging from Apple here.

~~~
ocdtrekkie
Facebook's was restored a few hours ago.

Apple likely wanted to have a nice long chat with some people at each company
about their behavior. This was probably meant as a warning not to step out of
line again.

~~~
DannyBee
Or one was an accident and the other wasn't?

~~~
DannyBee
Here, let me posit a theory that fits all facts:

Apple banned Facebook. They said nothing in PR about it.

Apple did not in fact ban Google. Instead, one of (Apple, Google) fucked up
removing the screenwise app and accidentally revoked the cert.

Techcrunch being techcrunch, they assumed Apple banned Google and published
that with literally no supporting evidence.

If that was true, why would anyone publish friendly press so quickly? and at
literally the same time?

All data instead suggests if Apple banned Google, both would shut up about it.

Instead, here, both Apple and Google release press statements stating they are
working to fix the issue as soon as possible in a coordinated manner.

Unfortunately, techcrunch/et al can't walk back their statements without
looking like idiots, so they go with "Apple banned google and then google must
have apologized or something" as their narrative, even though that narrative
makes literally no sense given the difference in reactions from Apple.

------
Tsubasachan
Why aren't they using Android phones? You have full control over what apps
your device runs.

~~~
remus
Presumably some of their 85000 employees prefer to use iphones.

------
chooseaname
I said on one of the other posts about this that I wouldn't be surprised if
Apple gave Google a heads up to let them know they have to be consistent.
Especially given that Google basically apologized. Now I'm more convinced.

------
gigatexal
Is Facebook still revoked?

~~~
atdt
No;
[https://www.theverge.com/2019/1/31/18206020/apple-facebook-internal-ios-apps-restores-enterprise-certificate](https://www.theverge.com/2019/1/31/18206020/apple-facebook-internal-ios-apps-restores-enterprise-certificate)

------
booleandilemma
That was fast.

------
homogenaity
So, random people, non-employees, not QA testing, not bound by real business
relationships, get a copy of some enterprise FAANG apps...

And that certainly is interesting, and significant, but what circumstances
does this confer to those who get the app? And are normal, ordinary commoners
disadvantaged by this and missing out, or are the enterprise randos getting a
hyperinvasive, buggy, flakey, nightly, crash prone, hazardous, insecure,
warranty voiding piles of garbage?

I guess we can’t know, without seeing what the enterprise distributions look
like, and the point is that there are consumers getting special treatment,
when that’s not the way the game is supposed to be played, violating franchise
rules...

------
kanishkdudeja
Just a ploy to distract away from the FaceTime bug. What was the point of
revoking the certificate if they've restored it the next day?

~~~
saagarjha
It's not clear whether Google was given a new certificate, or if their old
one was reactivated, but either way it stopped both of them from abusing their
enterprise certificates.

------
debt
The irony is that Apple and Google and most larger tech companies require
every single one of their _own employees_ to install these certs on their
phone.

------
cenal
Devil's advocate here but who would still use an iPhone if Google and Facebook
pulled their apps?

It’s all sunshine and rainbows if this ends here but if it escalated it would
be worse for Apple than they think.

~~~
cronix
FB would just make their mobile web version work a bit better to get the users
back. It's not like they would just sit there and allow the users to go away.
They'd do whatever they can to get their golden gooses back, including just
beefing up the website. FB also still works fine on mobile browsers anyway,
without all of the unnecessary access to your filesystem, contacts, text
messages, images/videos, cameras, microphone and everything else on it.

You don't need apps to live in 2019, although a lot of people seem to think
so, or at least act as though they do. Not saying you, just in general. I've
gotten rid of most of my apps and just use the web version of everything. I
can still bank fine, use fb, instagram, youtube and everything else. No
problem. There are very few things on a phone that actually need special
hardware (sensors, etc) that would actually require a native app, and most
apps that do need that kind of access are mostly just gimmicky wastes of time.
Most, not all. Who really gives a crap about being able to make your poop
emoji animate by using your face. Sure, it can be fun, but not necessary. It
adds nothing to my life. Is there an app for that? Yes, but there doesn't need
to be an app specifically for that. Most are just glorified websites under a
different interface. Yippee.

~~~
fooker
>FB also still works fine on mobile browsers anyway.

No, they artificially prevent it from working well. If you try to read or send
a private message, it forces you to go download Messenger.

~~~
cronix
How am I able to click on "messenger" in the upper left menu of the website
(2nd option down under News Feed) and able to send/view messages on my mac? I
also get an instant email notification if I'm not logged in when someone
messages me so I don't need notification alerts.

~~~
fooker
I was talking about phones, not a mac.

------
ctime
Big fan of Apple products and privacy in general, but this was a really dumb
move and to what end? This effort has done some serious damage to the
relationships of the companies and caused needless divide. Google and Facebook
should have been given a reasonable amount of time to remove the software
and/or been denied renewal of their signing certs.

