
Apple blocks Facebook from running its internal iOS apps - epaga
https://www.theverge.com/2019/1/30/18203551/apple-facebook-blocked-internal-ios-apps
======
jon-wood
This seems entirely legitimate. Facebook were using Apple's support for
enterprise distribution based on having a corporate certificate on your
device, designed to allow distributing internal apps that don't make sense on
the App Store proper, to distribute an app to their users - presumably because
they knew it wouldn't make it through the approval process for doing
distribution using TestFlight, which is what is meant to be used for this sort
of app release.

~~~
rock_hard
Wonder what’s gonna happen to Google and others who distribute their research
apps the same way?

[https://support.google.com/audiencemeasurement/answer/757381...](https://support.google.com/audiencemeasurement/answer/7573812?hl=en&ref_topic=7574346)

~~~
TheKarateKid
Google and others have not been flagrantly caught breaking the rules in the
past and warned directly by Apple, like Facebook has.

~~~
keepper
[https://techcrunch.com/2019/01/30/googles-also-peddling-a-da...](https://techcrunch.com/2019/01/30/googles-also-peddling-a-data-collector-through-apples-back-door/)

------
sidewaysloading
I hope Apple will be taking down Google's enterprise distribution certificate
as well, as they are abusing it to let consumers sideload a VPN app for data
gathering:
[https://support.google.com/audiencemeasurement/answer/757381...](https://support.google.com/audiencemeasurement/answer/7573812?hl=en&ref_topic=7574346)

And on top of that all of those from other companies doing the exact same
thing for data gathering.

~~~
DCKing
The problem on the Android side goes deeper, as the "Onavo Protect" app is
still alive and kicking in the Google Play store [1]. The Facebook Research
app here is a shallow repackaging of the iOS version of Onavo Protect, which
was banned from Apple's App Store at least.

It doesn't appear Google is interested in doing anything here. They would
likely have to do something about the thousands of other trojan horse VPN
apps, too. It's just that those are not as transparently owned by a
privacy-invading internet giant (and those apps probably sell your private
information directly to the highest bidder even more eagerly).

[1]: [https://play.google.com/store/apps/details?id=com.onavo.spac...](https://play.google.com/store/apps/details?id=com.onavo.spaceship)
- the positive, uninformed reviews of this app give me a feeling like I'm
reading a dystopian novel.

~~~
jetpks
Why would Google ban apps for using Google's own business model?

~~~
checkyoursudo
> Why would Google ban apps for using Google's own business model?

If Google is concerned about competition, they might.

If Google is _more_ concerned about being accused of being anti-competitive,
then they probably would not.

------
zhobbs
My first reaction was: "Wow, FB finally went over the line and is actually an
evil spyware distributor."

Then I started thinking about what this app really is. At $20/month per user,
it's clearly impossible to recoup that money on a per-user basis via better ad
targeting. This app is a market research app with a very small opt-in panel,
just like having a Nielsen box on your TV.

I've never felt like Nielsen's data collection is evil, so it makes me wonder
if my reaction is rational.

Also, looks like Nielsen has a similar program:
[https://computermobilepanel.nielsen.com/](https://computermobilepanel.nielsen.com/)

~~~
joshdover
There's a huge difference between what Nielsen does and what Facebook did.

1) Nielsen doesn't explicitly target children.

2) The data that Nielsen collects is far less intrusive than what FB collects.

3) The consumer is much more likely to be informed about the data Nielsen
collects, whereas with FB, it's unlikely that a user (especially a minor)
understands the extent of what FB was collecting.

And yes, Facebook was requiring "parental consent" to collect this data, but
as we all know that is very hard to verify and children have been ticking the
"I'm 13 or older" box for years without their parents knowing.

What Facebook did clearly crossed a line. End of story.

~~~
bunderbunder
I've been sent those packets offering to become a Nielsen family, and looked
through the included description of how it works.

1) Nielsen does explicitly target children, insofar as Nielsen families are
supposed to give them data on the usage habits of every member of the family,
including the kids. That said, the decision of whether or not to become a
Nielsen family remains firmly in the hands of the heads of the family. Perhaps
regardless of the consent of its younger members.

2) They do also now track participating families' Internet usage at large,
like Facebook's app was doing. I don't know whether it relied on a VPN or some
other technology.

3) I think that most people could understand the TV consumption tracking that
used to be Nielsen's bread and butter. But, at least based on the recruitment
materials that were sent to me, I didn't have a clear understanding of the
extent or nature of Internet usage data collection. I assume the story would
be similar for most other users, especially minors.

Based on that, I think that a lot of these comparisons are comparing what
Facebook is doing now to what Nielsen was doing 20 or 30 years ago. Which is
a fair comparison to explore, but let's be careful not to absolve the Nielsen of
today from any scrutiny in the process.

~~~
philsnow
They're really pushy about it too. They selected my house and sent a gift
basket and some guy came to the house three times emphasizing the "prestige"
of being a Nielsen house because you're supposedly helping to define what
shows get made. I can't imagine what kind of person would be swayed by that
argument.

~~~
zhobbs
If you are a fan of niche or "underappreciated" programming and want more of
it, I could see that argument being pretty compelling.

~~~
bunderbunder
I could see it being compelling decades ago. Nowadays, though, I'm guessing
fans of niche programming are increasingly cord cutters who don't need Nielsen
to ensure their TV consumption is being tracked.

Totally non-scientific evidence: The only acquaintances I can think of who
still have cable TV subscriptions do so because their TV consumption is
dominated by sports.

~~~
crooked-v
It'll be interesting to see if the Disney streaming offerings upend that,
given how much sports content they have full or majority ownership of.

------
strict9
These continued moves of desperation show a company terrified of losing its
massive data-gathering surveillance machine.

Hoping Apple demonstrates its commitment to privacy by doing more than hurting
internal functionality and speak to the only thing that matters to FB - its
ability to surveil people.

~~~
ASalazarMX
> Hoping Apple demonstrates its commitment to privacy

If Apple had a true commitment to privacy, this wouldn't have happened by
design. Apple just has less commercial interest in gathering data about users
outside its garden.

~~~
_bxg1
And what would you have them do? Prevent the use of VPNs on iPhones? That
would go over well.

------
ViViDboarder
This is exactly what Apple would do to a small indie developer if they found
they did something similar. Glad to hear that they aren’t afraid to do it to a
company like Facebook.

~~~
wheelie_boy
In this case the punishment fit the crime - break terms of enterprise
distribution cert, get enterprise cert pulled.

However, it's very possible that if a smaller company did this that all of
their certs, apps, and dev accounts would get pulled. Facebook does still get
some special treatment.

~~~
rhizome
_Facebook does still get some special treatment_

I am pretty sure others have had their entire accounts nuked for less.

~~~
sillyquiet
well, I mean, of course... Facebook is still the proverbial 500lb gorilla, bad
actor or no. Apple's going to be _very_ slow in nuking a big player that
drives a huge chunk of device usage.

~~~
nxc18
Eh, I think Facebook would lose more money each day that conflict dragged on
until they complied with apple’s policies.

Users can always access Facebook through safari.

~~~
chillacy
Instant antitrust lawsuit if apple did that imo. They already have the good
guy points here, no need to go overboard and become the bully.

~~~
dwighttk
let's do it... I'd love to eat popcorn and watch that play out.

------
jedberg
I think Apple is right here — they’ve detected a breach of term and shut it
down.

But I still think they are wrong for blocking 3rd party apps. I understand
they believe it is for my safety and security, but there needs to be a happy
medium. They should have a way for experts to side load apps.

~~~
fetus8
I think you're missing the point. Experts do have a way to side load apps,
through enterprise certificates and developer certificates. Facebook was
distributing an app to consumers using the enterprise certificates, to collect
data, in somewhat malicious terms, which is a direct policy violation of using
an enterprise certificate.

~~~
mevile
I think jedberg is saying he wants to be able to load whatever software he
wants on a device he owns. Is this really controversial? There's no good
pro-consumer argument for making it impossible. It's OK to make it technically
challenging to prevent malicious software from getting on lay people's
devices, but blocking it full-stop? If I own a device I should be able to put
whatever I want on it. It's mine. Ownership means something. I'm not licensing
my phone's hardware. I own it. I can smash it to pieces if I want, why can't I
change the bits inside?

~~~
threeseed
> good pro-consumer argument

So you support apps like this Research one being made available to teens ?

Because that's what side loading apps gets you. Only except Apple can't stop
it.

~~~
jedberg
> So you support apps like this Research one being made available to teens ?

I 110% support that. Freedom is good. Hopefully their parents are involved
enough in their lives to have explained the dangers of such things to them. Or
perhaps Apple provides a parental control to allow that, but at least it would
be possible for the parent to allow.

------
fixermark
It's nice they have the capacity to do that to protect their consumer
ecosystem (indirectly), however, if I'm making an enterprise ecosystem
decision to build out a fleet of mobile tools for my company, "Apple has and
has used the capacity to shut down the ability of the hardware we purchased to
run software we wrote on that hardware" gives me pause adopting that
ecosystem.

Their purpose was generally-accepted as just in this case, but what if next
time, it's because someone started competing with them and they didn't like
it?

~~~
_bxg1
The license to do that comes with a contract. Facebook broke the terms of that
agreement. If you don't plan on doing the same, you have nothing to worry
about.

~~~
fixermark
That reads an awful lot like the reasoning "You don't have to be concerned
about government privacy or authority overreach if you don't break the law."

------
jamiek88
This is having a real effect internally at Facebook.

In many ways this is a good punishment, disruptive to the bad actor and
minimally disruptive/invasive to the consumer.

> Apple has shut down Facebook’s ability to distribute internal iOS apps, from
> early releases of the Facebook app to basic tools like a lunch menu. A person
> familiar with the situation tells The Verge that early versions of Facebook,
> Instagram, Messenger, and other pre-release “dogfood” (beta) apps have stopped
> working, as have other employee apps, like one for transportation

------
9dev
I love the thought of someone at Apple holding a meeting on this and saying
"well, fuck them" while sending out the kill command on the CLI :)

------
mjw1007
While I have no sympathy at all for Facebook, this is a rather chilling
reminder of Apple's ability to decide what you're allowed to run on your own
phone.

~~~
strict9
_Chilling_ isn't my takeaway. It's that Apple takes the threat of surreptitious
data gathering seriously and enforces its rules for other companies to that
effect.

~~~
gnomewascool
I think OP's stance is something like:

 _Given_ that Apple has the ability to control what software can and cannot
run on your device (to a large extent), this is a praiseworthy use of this
power, however, on the whole, it would be preferable for Apple not to have
this ability.

~~~
taurath
How would Apple be able to enforce any of its user privacy policies without
having some control? Write the developers a sternly worded letter?

~~~
gnomewascool
Leave it up to the user (or, possibly, their parents if they're under-age) and
give them the tools for maintaining their privacy. For example:

Have appropriate app permissions (which we mostly already have).

State that only apps within the app store are monitored to be
privacy-friendly/"trustworthy", while still allowing a relatively hassle-free way of
installing apps from outside it, similarly to how Android does it (except that
I don't necessarily trust Google to ensure that the apps within the Play Store
are "trustworthy").

Label "untrustworthy" apps (similarly to how F-Droid labels potentially
unwanted features).

Now, since Apple currently has more intrusive control, I want them to use it
for "good", but I don't want them having this power in the first place. As an
analogy, if there were policemen stationed on every corner in the city, I'd
probably want them to prevent suicidal people from jumping off bridges, but
that doesn't mean that I want the policemen to be there.

(For the record, I use Android.)

~~~
taurath
To me it’s a fallacy that even a highly skilled and knowledgeable person could
set their own privacy settings to what they’d actually like. When you have
huge forces arrayed against you, a powerful advocate is necessary.

~~~
gnomewascool
> To me it’s a fallacy that even a highly skilled and knowledgeable person
> could set their own privacy settings to what they’d actually like.

Do you mean on a phone or on any computing device? I'm pretty confident that
I've set the privacy settings to my liking on my GNU/Linux laptop. (Well, with
the giant exception of tracking by websites, but I think that uBlock+uMatrix
on Firefox still deal with that slightly better than Safari's blocking.) You
could argue that in this case Debian (or the like) is my powerful advocate,
but it's a powerful advocate who doesn't take away control of my device.

------
digb
Glad to see rules being enforced on a powerful organization.

------
jamiek88
They have stripped them of the enterprise certificate. This does not affect
installed apps from the app store of course.

But still a clear statement from Apple.

~~~
ceejayoz
It _does_ affect any internal apps Facebook has, though.

~~~
ethbro
Only ones signed on the same certificate.

One expects the reason they reused their primary enterprise cert is so they
wouldn't have to justify their spyware in a new request to Apple...

You build a house out of kerosene jugs, don't go crying when it burns down.

~~~
ceejayoz
The article indicates their lunch menus and staff transportation apps don't
work.

> Apple has shut down Facebook’s ability to distribute internal iOS apps, from
> early releases of the Facebook app to basic tools like a lunch menu. A
> person familiar with the situation tells The Verge that early versions of
> Facebook, Instagram, Messenger, and other pre-release “dogfood” (beta) apps
> have stopped working, as have other employee apps, like one for
> transportation.

I'm totally fine with this house burning down. Just noting that this is
apparently having _very_ significant internal effects, even if the public
Facebook app is fine.

~~~
chooseaname
> I'm totally fine with this house burning down. Just noting that this is
> apparently having very significant internal effects...

And this is ALL on Facebook and NOT Apple. Facebook understood the
consequences when they decided to abuse the Enterprise Cert. They took the
risk and got called on it. This is Facebook's fault. Full stop.

~~~
chillacy
Full stop, no arguments, I’m right? Are you open to discussion or here to
impose your ideas?

------
40acres
I keep going back and forth regarding whether Onavo is just "opposition
research" or a sign that while Facebook is still as powerful as ever, that
they are running out of product ideas. Of course it could be both, but the use
of Onavo and 'Facebook research' have a hint of desperation.

------
_bxg1
So this is what Schadenfreude feels like.

~~~
reneberlin
2 of the big five in a dispute over "ethics of technology (ab)use". One
commenter had the thought, that this reaction from Apple is just straight
aligned with the rules they created for every corp - regardless of their
market share or $.

But - I guess there will be negotiations. FB is in a position to make a deal.

Bad press in the dev-world - on dev-topics - didn't hold the masses and
average Joe back to continue using FB. And this fail won't, too. Me sounding
fatalistic, I know. But this outrage in the dev-world isn't enough to demask
the beast.

Red lines crossed - and next week the PR department will fix it.

I don't know what needs to happen until the masses of FB-addicts switch to
"open technology" and leave their silos.

~~~
_bxg1
I don't know that Facebook _is_ in a position to make a deal. Apple just won a
mountain of positive press by taking a tough stance on this, and without
having to actually take Facebook's legitimate apps away from their users. I
think Facebook is just going to have to live with the consequences of their
decisions.

------
malloreon
Hopefully this (likely, and unfortunately only momentary) pause in facebook
employees' evil progress will inspire even a few of them to quit and use their
experience for good instead.

------
michaelbuckbee
This isn't going to stop anything. Attribution was already "laundered" through
multiple different agencies and firms who were conducting this research.

They'll just cut a check to another company and proceed from there and/or a
company will just sell them the data on "teen social and mobile usage" and
Facebook will be able to truthfully state that they had no idea the means by
which it was collected.

------
onewhonknocks
It's heartening to see that Apple isn't afraid to rap their knuckles when they
misbehave, despite their being such a force in the tech space.

------
bubblethink
Can somebody explain the technical specifics of what was installed and what is
revoked ? I'm not familiar with iOS. My assumptions are: The original
app, which was distributed by fb, installed a systemwide CA to MITM traffic
after prompting the user. Is this not available to regular apps distributed on
the store ? This app was not on the app store but distributed out of band. In
order to sideload apps on iOS, they still need to be approved by Apple ? So
Apple maintains a whitelist of developer certificates who can side load apps.
Now, Apple has blacklisted this signing cert. However, this doesn't do
anything to the CA, right ? However, the article says, "Revoking a certificate
not only stops apps from being distributed on iOS, but it also stops apps from
working." How does this work exactly ? Apple triggers all the clients in the
world to freeze/remove these apps ?

~~~
saagarjha
> The original app, which was distributed by fb, installed a systemwide CA to
> MITM traffic after prompting the user.

Correct.

> Is this not available to regular apps distributed on the store ?

No, this is OK; VPN apps do exactly this, but they go through review to make
sure that they are actually VPN apps and not, well, essentially what Facebook
is trying to do here.

> This app was not on the app store but distributed out of band.

Yes.

> In order to sideload apps on iOS, they still need to be approved by Apple ?
> So Apple maintains a whitelist of developer certificates who can side load
> apps.

You haven't mentioned it, but I think it's important to make the distinction
about the two ways to sideload apps on iOS: you can self sign your app
yourself for your device (generally via Xcode), which Apple doesn't really
check at all, or you can be a company, get an enterprise certificate, and use
this to sign apps and distribute them to other iOS devices, as Facebook was
doing here. The catch is that you are supposed to only do this internally
inside your company.

> the article says, "Revoking a certificate not only stops apps from being
> distributed on iOS, but it also stops apps from working." How does this work
> exactly ? Apple triggers all the clients in the world to freeze/remove these
> apps ?

iOS, as of iOS 8.4, periodically checks for revoked certificates and will
refuse to run apps that were signed with something that Apple has blacklisted.

~~~
bubblethink
Thanks. A couple of questions.

> VPN apps do exactly this, but they go through review to make sure that they
> are actually VPN apps and not

A vpn app can tunnel network traffic, but it doesn't meddle with system certs
or the CA. It doesn't get to decrypt TLS connections by default. So
which one did fb do ? Did they just tunnel traffic, or did they MITM TLS
traffic as well ? All the coverage about this story seems to be vague. If it's
just the former, it doesn't seem that egregious since it is explicitly called
out as a data collection app.

> iOS, as of iOS 8.4, periodically checks for revoked certificates and will
> refuse to run apps that were signed with something that Apple has blacklisted.

Again, I don't know how the system cert store is handled, but even if you
can't run the app with the blacklisted dev cert, are the modifications that it
made in the past (such as enrolling a CA) also reverted ? In this case, that
may be the desired outcome, but in general, that state is not really a part of
the app.

~~~
saagarjha
> A vpn app can tunnel network traffic, but it doesn't meddle with system
> certs or the CA. It doesn't get to decrypt TLS connections by
> default. So which one did fb do ? Did they just tunnel traffic, or did they
> MITM TLS traffic as well ?

Sorry, I should have been more clear. Most VPN apps tunnel traffic, but the
Facebook app is going further and inserting its own root certificate, allowing
them to intercept TLS traffic. Some apps, like Charles Proxy, do this, but it
obviously has a legitimate use for this.

> are the modifications that it made in the past (such as enrolling a CA) also
> reverted

I haven't tried it, but I'd like to think that this is the case.

------
pinewurst
Wasn't Zuck trying to actively encourage the use of Android over iOS for
employees anyway? :)

------
vlunkr
It's pretty crazy to think about what Apple is capable of doing now. By
banning an app, they can easily kill a small company, and now they've caused
some huge internal headaches for Facebook. I know Facebook broke their rules
and totally deserved it here, but it's interesting to think about the power
Apple has obtained by tightly controlling their platform.

~~~
jkchu
You do bring up an interesting point. Apple's (expected?) responsibility here
is to protect their users from malicious apps on their devices. It does seem
reasonable for me what they are doing, but of course if they were to lose
sight of their users' best interests, then this could become problematic.
However, I think for issues like that we need to just trust the market to
correct for that. If Apple were to destroy user trust, then I would not doubt
that people would flock to their competitors (Google, Samsung, etc).

------
aboutruby
I see this as a start of a political battle between Apple and Facebook (maybe
Google too with their Screenwise Meter app). First Facebook tries to push the
limit of what Apple would deem acceptable. Then Apple pushes back and shows
that it's clearly not acceptable.

Now waiting for Facebook's response.

------
tjpnz
I'm curious as to what Facebook will need to do to get around this assuming
Apple intend to have the certificate revoked indefinitely. Couldn't Facebook
just start signing their apps with an alternative certificate Apple has
already granted them?

------
keepper
This scares me. Not so much the action by apple ( they are flexing their
muscle), but the reactions here. "Great!", is the gist.

If you think a unilateral revoke, and shutdown of a company internal tools,
because of an external issue, without recourse is a good thing... I'm guessing
you have no issues with Crazy EULA's, Monopolies, Corporate abuse,
Corporations doing as they please. ( I can keep going down this slope.. )

Facebook had a program, with willing participants, that broke a third party's
rules. We can argue ad infinitum about this.

But this is a company, STOPPING your usage of YOUR hardware, AFTER you
purchased it (I'm talking about apple stopping Facebook from distributing
internal tools as well, this is the side effect of this ). Think deep and
clear about this. Are you ok with this?

Secondly, from the company (apple ) that literally turned everyone's devices
into wiretaps, globally, and ignored the issue for who knows how long... This
is just.. wow. ( and they continue not to issue a formal reason for this ).

Just.. wow.

~~~
gshulegaard
Yeah, no. Facebook had a cert for distributing internal apps. When one of
their external projects was rejected by the App store, they used the internal
cert to try and distribute it externally (circumventing the App Store). As a
response Apple revoked the certificate that was being used in violation of its
use agreement. There is nothing wrong with that action.

You're introducing a straw man argument by trying to make this about hardware
ownership.

~~~
keepper
With due respect, I think you misunderstand what a straw-man argument is. This
is not a different point. This IS post purchase control of hardware.

Would you be ok with Tesla disabling cars because you were using illegal drugs
in them? Now do you get it? I'm not defending facebook. I'm telling you this
behavior from Apple is truly scary. Apple is not law/moral/societal
enforcement "police".

This is the ONLY way to run internal apps. and it wasn't one cert btw. Google
has a similar "research app", their certs have not been revoked. Maybe because
apple relies on google more? Maybe because they generate revenue from their
search and app placement deals? Hrrm?

My point is simple, arbitrary revokes, without process, are a scary thing.
Specially when they are done POST purchase, and have real tangible effects.

~~~
dlivingston
Exactly this. I think Apple handles it perfectly on macOS: if you want to run
an app downloaded outside of the App Store, you have to explicitly go to
System Preferences -> Security & Privacy -> Allow apps downloaded from:
anywhere. This provides a great mix of consumer protection against malicious
code, and freedom for professionals to download and run anything on their
machines. Disappointed in how they handle apps outside the 'walled garden' for
iOS devices.

~~~
saagarjha
> This provides a great mix of consumer protection against malicious code, and
> freedom for professionals to download and run anything on their machines.

Android has something similar. Remember the Fortnite fiasco?

~~~
dlivingston
I can't say I do, no

~~~
saagarjha
Basically, people were tricked into installing fake Fortnite APKs.

~~~
wayneftw
Yeah, but if you don't err on the side of freedom, then you're basically
supporting Apple-style totalitarianism.

I'm glad that Microsoft's business model won out in the PC wars and I look
forward to a time when Apple loses again in their home field. As a power user,
I can't stand the amount of control has over my own hardware. In my
profession, I can't afford to ignore Apple though. I really hope they lose
their anti-trust case!

------
kerng
With the news yesterday about Facebook's ambitious research project this seems
entirely okay.

------
aarbor989
I was really hoping Apple would yank the certs instead of just the usual
“that’s not allowed, please stop and don’t do again” leniency they usually
give larger companies. This is the only way to make companies listen

------
reneberlin
It starts to become interesting. Popcorn time!

I can't hide a small grin right now.

------
kevintb
Good on Apple.

------
watmough
Excellent. Full marks to Apple on this. Those could be anyone's kids being
taken advantage of.

Apple can't risk their integrity being associated with what Facebook are
pulling.

------
greedo
Break the deal, face the Wheel...

------
unrealchild
I’m curious why the internal tools would fail testflight beta review. I had an
app fail beta review, but was still able to distribute with testflight after
explaining to the reviewers it was for internal use only...

~~~
ceejayoz
Doesn't TestFlight cap the number of users who can use a beta app?

~~~
saagarjha
It does; currently the cap is 10,000 users.

------
mschuster91
If Apple keeps that block, then Facebook may have legal grounds of unfair
business practices and sue Apple for opening up its walled garden, correct?

Certainly would be ironic that the biggest data hoarder in human history ends
up breaking the biggest monopoly in the mobile space.

~~~
zepto
Nothing unfair about the business practices. Facebook intentionally breached
their contract. It’s possible that Apple is the one with the right to sue.

~~~
mschuster91
Why? What Facebook does is legal (but ethically disgusting). Apple has a
monopoly status as gatekeeper for their platform as there are no other
competing iPhone App Stores (contrary to Google's Android).

Now, as Apple is forbidding what Facebook does in their store ToS, Apple may
be prohibiting Facebook from reaching the (not small!) target audience "iPhone
users" for their data collection and thus unfairly hindering Facebook's
business.

I for one would be really happy if the Store ToS were to be torn down in the
courts so that the only reason to block an app rollout is _covert_ spying,
malware or other user deception, but not _open_ data analytics, porn (case in
point, every porn site but especially Tumblr), firearms or using a different
html/js engine.

~~~
saagarjha
Facebook abused their enterprise certificate to bypass the App Store and
distribute their app outside of their company, which is something that is
explicitly disallowed by the agreement that governs such certificates.

~~~
mschuster91
I agree on that one, but still do not like that Apple has the power to require
having an "enterprise certificate" in the first place.

~~~
zepto
Customers choose iPhones fully aware of the fact that Apple regulates apps.
It’s a selling point.

If they don’t like it, there are plenty of Android variants for them to
choose, which differentiate themselves precisely by having this difference.

Apple having this power benefits everyone.

~~~
mschuster91
> If they don’t like it, there are plenty of Android variants for them to
> choose, which differentiate themselves precisely by having this difference.

There is no alternative for iMessage or you may have invested a serious load
of money into the Apple ecosystem (e.g. Apple Music, but also games and other
apps) that moving would amount to losing said money. Especially for those who
got in in the early days with jailbreaking being a routine thing...

Breaking up the stores and especially forcing the various platform providers
to provide synchronization abilities (why can't I sync my Fallout Shelter
vaults for example or why should I need to buy my Plague Inc expansions again)
is desperately needed.

On desktops this works just fine (best showcase being the Adobe apps, and I
believe that at least the MS Office subscriptions are valid across Win and
Mac), so why are the mobile walled gardens still a thing?

~~~
zepto
There are plenty of alternatives for iMessage. WhatsApp for example is bigger
than iMessage.

The rest of your comment is weird - of course there is software that isn’t
cross platform. You seem to want to legislate against that.

------
nvr219
I love watching big tech companies fight, it's like a soap opera

------
Twisell
How come this is already gone from the front page?

------
trevor-e
Does the timing of this have anything to do with the Facetime bug? It feels
like they could have done this a long time ago.

------
GrumpyNl
How bad will this hurt facebook?

~~~
digb
Apparently they can't check what's for lunch, so pretty catastrophic IMO.

~~~
jdavis703
Well besides that they can’t do canary releases of their flagship apps, at
least not without potentially introducing bugs to their users.

~~~
max76
They should still be able to use TestFlight to distribute iOS beta versions of
Facebook, Messenger, and other apps.

------
Wheaties466
How long before Facebook creates its own phone and OS?

~~~
sschueller
They already tried (kind of):
[https://en.wikipedia.org/wiki/Facebook_Home](https://en.wikipedia.org/wiki/Facebook_Home)

------
Wheaties466
How long until Facebook creates its own phone and OS?

~~~
reggieband
I'm not sure if this is sarcasm or short-term memories. Facebook did try to
create its own phone and it flopped.

------
hn_throwaway_99
To be honest, while there has been loads of bad press against FB over the past
year, I had been leaning toward giving them the benefit of the doubt for the
main following reason: a lot of the bad press had come about because _society's_
views on privacy had changed (especially with the realization of how
social media could be used to impact a US election), not just Facebook's.
After all, when FB originally released their developer APIs that let
developers gain access to friend data without the friend's explicit
permission, there was barely a peep about that (among security/privacy
researchers, sure, but among the general populace, no). It was only after
Trump got elected that people had an "oh shit" moment about what was really
possible with social media data.

This "data research" app has hardened my views, though: I now believe Facebook
is rotten to the core. After all, as a security researcher pointed out, that
"market research" app was basically just the previously removed Onavo app,
reskinned
([https://twitter.com/chronic/status/1090394419902197761](https://twitter.com/chronic/status/1090394419902197761)).
Facebook knew they got caught, and they tried to work around by using their
enterprise cert so the app wouldn't go through App Store review. Screw them, I
hope this forces the heavy hand of government regulation on them. They have
proved they cannot manage themselves.

~~~
reificator
> _After all, when FB originally released their developer APIs that let
> developers gain access to friend data without the friend's explicit
> permission, there was barely a peep about that (among security/privacy
> researchers, sure, but among the general populace, no)_

You're telling me that the average plumber and teacher and waiter didn't
complain when Facebook introduced an interface for developers? No way.

> Bro, did you see the new API that FB put out that totally foobars luser
> privacy?

> Dude, I teach kindergarten, wtf is an API?

Obviously people trying to explain it aren't going to be using that language,
but to outsiders it'll sound that way. And tech nerds aren't known for being
able to explain things to laymen in the first place.

------
satyenr
Remember when people were outraged when Apple decided to give in to the
demands of the Chinese government rather than shut shop. They complained about
Apple not taking the high road. Now people are complaining about Apple taking
the high road? Funny how times change! Make up your mind people — you can’t
have it both ways! Cheers!

~~~
izacus
Who are those people you're creating a strawman of?

------
andeee23
Serves them right but it's hard to think that the facebook people who were in
charge of the spying app wouldn't have considered this as a possible outcome.
It probably won't affect them that much if they were already prepared for this
to happen.

~~~
hn_throwaway_99
I'm guessing you haven't worked at a large corporation, especially one that
explicitly says they value speed over correctness. My guess is the team
involved in the research app got hold of the enterprise certs, and the teams
on the other apps were unaware.

~~~
andeee23
I wasn't saying that everyone at facebook knew. But if you were one of the
people in charge of the data tracking app, wouldn't you at least know that
apple revoking the licence could be a possibility since you are explicitly
breaching the agreement?

Not even trying to defend them. Just curious how much it will actually affect
facebook.

~~~
wccrawford
You're assuming they knew that was a breach of the agreement... And I doubt
the devs in question have ever read the agreement.

This is a company that had the motto "move fast and break things". They prefer
to "fail forward" and push things live sooner rather than safer.

It doesn't surprise me at all that someone just saw that something was
possible and did it without considering the consequences.

~~~
azinman2
It’s pretty clear when you’re using an enterprise certificate, especially as
an iOS dev. The whole process of building an app makes you very aware of code
signing which is a pain felt by all iOS devs (it’s gotten more automated thru
the years, but still..). I doubt anyone could claim ignorance.

Disclaimer: I work for apple, unrelated to all this.

------
oaiey
For me this disqualified the iOS platform for any software development. When
they can do that with Facebook then the rest of us is just fucked up. With
Android and Windows I currently at least have alternatives for distribution.

~~~
fhood
This is an example of the walled garden working exactly as intended by Apple.
In this example I approve of it, but I agree that if you are developing for
iOS you should be aware of the power Apple can exert on the platform.

~~~
scarface74
I don’t see the problem. As a corporation you sign an agreement to use an
Enterprise certificate to distribute your app internally. The rules are very
clear. FB broke those rules. If you don’t break the terms of the agreement
you’re in the clear.

~~~
oaiey
Imagine Microsoft would shut down every computer that is not licensed properly.
Without any joke, dead people are the result. For that reason you talk first
and then act accordingly. Killing a business partner's internal applications is
very drastic behavior.

~~~
scarface74
You mean Windows Activation?

What do you think would happen if you used your Azure, AWS, or GCP account to
knowingly do DDOS attacks?

Or more realistically if you do Pen testing on your own AWS resources without
getting the approval of AWS and your entire organization is dependent on it?
It is explicitly stated in your agreement with AWS that you can’t do that.

