Apple blocks Facebook from running its internal iOS apps (theverge.com)
735 points by epaga 18 days ago | 310 comments



This seems entirely legitimate. Facebook were using Apple's support for enterprise distribution based on having a corporate certificate on your device, designed to allow distributing internal apps that don't make sense on the App Store proper, to distribute an app to their users - presumably because they knew it wouldn't make it through the approval process for doing distribution using TestFlight, which is what is meant to be used for this sort of app release.


Yes, this is the optimal measured response from Apple. They're treating Facebook the way they'd treat any other company that did this.

It's also a step up from the warning they gave with the whole Onavo thing. Strike two...


To be clear, this app that was just removed WAS just a reskinned Onavo app - same code and "ONV" class prefixes, etc.: https://twitter.com/chronic/status/1090394419902197761

Facebook got caught, and then they tried to use their enterprise cert to get around App Store review because they knew it would get rejected.


I give it a week until Facebook starts using some sort of exploit to get Onavo onto iPhones. Probably guessing it will be a Safari exploit based on past history. That's when the real fireworks will begin.


Please elaborate on this.


Business Insider has a leaked memo and internal discussions and even many Facebook employees agree this was stupid and shooting themselves in their foot. I quote “When will we learn?”



Pathetic.


It's really not how Apple would treat any other company. Any other company would get banned from the app store permanently.

I do agree that this is measured. The question is how long, if ever, before Apple grants them a new cert. If Apple lets them back into the Enterprise Developer Program, this is a few days of inconvenience. If they keep them out, this effectively kills their apps on the iOS app store because FB can't effectively work on the apps internally.


I imagine this is how Apple would treat any company with a widely used app. Whether it was Snapchat, Dropbox or Candy Crush Saga. I doubt they'll consider such a misstep reason enough to inconvenience or even harm millions of their users.


It does not preclude TestFlight or just installing it through a developer machine. The vast majority of app developers don't use an enterprise account to test beta releases.


Facebook's development process for iOS (and android) is dependent on having most/all employees dogfood beta releases and report bugs that can be ignored. This breaks that pretty badly, and now users in the wild will have to report bugs before they can be ignored.


Alternatively, Facebook engineering could just, you know, test their app. Instead of moving fast and breaking things.


I do hope they'll let them suffer for a few days.


I hope they'll drag it on indefinitely, and maybe the two will have a giant war of sorts. This is one of those cases where I don't like either side, so I'm happy to see them having a destructive fight.


I hope they get an automated reply where they can apply for a new certificate and await approval. Then being put in some queue for a month.


Wonder what’s gonna happen to Google and others who distribute their research apps the same way?

https://support.google.com/audiencemeasurement/answer/757381...


Google and others have not been flagrantly caught breaking the rules in the past and warned directly by Apple, like Facebook has.



I’m guessing Apple has more to lose getting in to a battle with Google. There’s a fair degree of co-dependency between the two organisations.


How so? A world without Google would have shitty search initially but would exist perfectly fine. iOS/Windows, Safari/Firefox, Apple Maps, iCloud Mail/Outlook, Vimeo already exist and soon a decent search engine would surface.


There's an interesting article on Gizmodo (so please take it with a grain of salt) about trying to cut Google out of your life - long story short, it's surprisingly hard and some things you wouldn't expect will break.

https://gizmodo.com/i-cut-google-out-of-my-life-it-screwed-u...


YMMV. I mostly moved off Google for my own usage last year and deleted my paid Google Apps account (let’s ignore work usage as that’s out of my hands). Remaining services I use are YouTube (no competitor), books.google.com (occasionally, when Hathi is proving too slow) and groups.google.com (the project I mostly contribute to organises there). Of those three I could dump books.google.com without too much effort and I only interface with groups.google.com via email; moving to another provider would be totally possible if needed.


True enough. I found the things mentioned in the article interesting because you also lose things like Google Web Fonts and a number of services which depend on the Google Maps APIs for mapping.

Unfortunately, I won't be able to completely disconnect because I've got a number of friends who share photos through Google Photos (and I would like to keep access to those), a number of friends who only use Hangouts (not sure if that's better or worse than FB Messenger), and YouTube doesn't have any real competitors.


it's hard to compete with YouTube's network for content discovery, but if you're uploading/distributing video Vimeo remains a great primary service.


One of my largest problems with ridding Google from my life has been dealing with their Captchas.


Well, for one, Google pays Apple a ridiculous $12 billion a year for having Google search by default in Safari:

http://fortune.com/2018/09/29/google-apple-safari-search-eng...

I'm guessing Tim Cook is not ready to give that up in the name of "fighting for privacy." Otherwise he'd have already made DuckDuckGo the default search engine.

There's no doubt in my mind Steve Jobs would've kicked Google out, but Tim Cook is much more of a bean counter to make such a move.


Also a significant proportion of searches are being addressed by Apple's Search service.

And Apple has shown with Maps that they are capable of building a decent competitor to Google.


Fun fact: Google searches from mobile Safari are profit-shared with Apple.


Apple runs certain aspects of iCloud on the Google Cloud Platform so there are likely to be fairly hefty contracts at stake...

Search for ‘Google Cloud’ in the following:

https://www.apple.com/business/docs/iOS_Security_Guide.pdf


However penalizing/threatening a customer of Google Cloud for something totally unrelated would open the road to an antitrust case as huge as Google's leverage on the current IT sector.

PS: On the other side, migrating all services out of Google Cloud would be a technical challenge (their needs are huge) but at the end of the day a minor annoyance for Apple.


Don't forget about Android OS and the Pixel phones.



I’m guessing this will stop, unless Google has a special agreement in place.


"Sorry, this page can't be found."

But the page is still available in cache https://webcache.googleusercontent.com/search?q=cache:RqQCNF...

The page asks users to trust Google Inc.


Seems like the page has been taken down?


It seems Apple have been trying to occupy the moral high ground on privacy for quite a long time now. It's relatively easy for them to differentiate themselves from the other big tech companies, because Apple's products cost so much that, for once, you are not the product.

Unless FB and Big G start charging for their services, I don't see how they can change their behaviour.


> It seems Apple have been trying to occupy the moral high ground on privacy for quite a long time now

It's easy to occupy the high ground when everyone else is in the gutter.


That is a very good point.


good one.


Even if Facebook starts to charge for their service I wouldn't touch any of their properties with a ten foot pole.

I assume that they gladly take my cash to then nevertheless sell me out to the highest bidder.

They knowingly stole money from kids (via their parents' credit cards) and did so knowingly and for years. They did just about everything possible to keep the stolen loot, including trying to automate their disputes on charge backs. [1]

This carcinogenic pustule of a company is unredeemable and is unable to learn anything. Money and growth is the only goal to be achieved. Fuck all consequences!

Why would I ever trust such a company with money and believe they're not lying to my face.

[1] https://www.revealnews.org/article/facebook-knowingly-duped-...


Very true, I think that even if Fb and G were to start charging it wouldn't work since people are so used to them being free


Would you even believe them? Haha


I wonder if the $20 payment was so that Facebook could plausibly claim they _were_ distributing internal apps to employees?

I'm sure "employees" is defined loosely enough in the agreement to include "contractors", and the bar there is pretty low, getting paid pretty much makes you a contractor.


I'd bet if you look at their internal FIN system these "employees" weren't listed as 1099 vendors.


Minors are generally not legally able to be held to a contract.


For someone who isn't as familiar with the mobile development can you say how do beta testing services like Applause, BetaBound and uTest differ from TestFlight? Is it just that latter are verified to be compliant with the App Store's TOS?


Yes. Other testing services which rely on enterprise distribution are technically against the rules, although Apple usually turns a blind eye to them unless they're doing something actively malicious.


So are Applause, BetaBound and uTest considered enterprise distribution then?


I have not used these services, but it's very likely that they are since that's basically how all beta testing outside of TestFlight works.


You can use Ad Hoc deployments, which is what I used to do on TestFlight before it got acquired by Apple.


This requires registering UDIDs, right?


Yes, it does. For testing, in smaller businesses, this is fine, however, as you can register up to 100 devices. Enterprise certificates were much easier to use in big enterprise, though, even if they weren't really "meant" for that purpose.


I hope Apple will be taking down Google's enterprise distribution certificate as well, as they are abusing it to let consumers sideload a VPN app for data gathering: https://support.google.com/audiencemeasurement/answer/757381...

And on top of that all of those from other companies doing the exact same thing for data gathering.


The problem on the Android side goes deeper, as the "Onavo Protect" app is still alive and kicking in the Google Play store [1]. The Facebook Research app here is a shallow repackaging of the iOS version of Onavo Protect, which was banned from Apple's App Store at least.

It doesn't appear Google is interested in doing anything here. They would likely have to do something about the thousands of other trojan horse VPN apps, too. It's just that those are not as transparently owned by a privacy-invading internet giant (and those apps probably sell your private information directly to the highest bidder even more eagerly).

[1]: https://play.google.com/store/apps/details?id=com.onavo.spac... - the positive, uninformed reviews of this app give me a feeling like I'm reading a dystopian novel.


Why would Google ban apps for using Google's own business model?


> Why would Google ban apps for using Google's own business model?

If Google is concerned about competition, they might.

If Google is more concerned about being accused of being anti-competitive, then they probably would not.


Yea, how many other companies abuse the Enterprise program like this? Should we really trust Apple to enforce their TOS when they struggle to keep up with the usage of their own platform? If there’s informed consent, Apple isn’t really protecting users.

Those teens in the FB case tho.


Not sure what you want Apple to do here.

They have no visibility into what companies are doing with enterprise certificates. The whole point of which was to allow internal apps to be built that Apple should have no knowledge of.

They did the best they could which is to revoke the certificate once they learnt of egregious behaviour.


Great find! I hope Techcrunch and others will write similar articles about this app.


They have! https://techcrunch.com/2019/01/30/googles-also-peddling-a-da...

Looks like Google even sends people routers to intercept ALL their traffic, and has special devices to constantly listen to their TV to analyze what people are watching. Yuck.


Nice! Published one hour after my comment and it's their top front page article.


My first reaction was: "Wow, FB finally went over the line and is actually an evil spyware distributor."

Then I started thinking about what this app really is. At $20/month per user, it's clearly impossible to recoup that money on a per-user basis via better ad targeting. This app is a market research app with a very small opt-in panel, just like having a Nielsen box on your TV.

I've never felt like Nielsen's data collection is evil, so it makes me wonder if my reaction is rational.

Also, looks like Nielsen has a similar program: https://computermobilepanel.nielsen.com/


There's a huge difference between what Nielsen does and what Facebook did.

1) Nielsen doesn't explicitly target children.

2) The data that Nielsen collects is far less intrusive than what FB collects.

3) The consumer is much more likely to be informed about the data Nielsen collects, whereas with FB, it's unlikely that a user (especially a minor) understands the extent of what FB was collecting.

And yes, Facebook was requiring "parental consent" to collect this data, but as we all know that is very hard to verify and children have been ticking the "I'm 13 or older" box for years without their parents knowing.

What Facebook did clearly crossed a line. End of story.


I've been sent those packets offering to become a Nielsen family, and looked through the included description of how it works.

1) Nielsen does explicitly target children, insofar as Nielsen families are supposed to give them data on the usage habits of every member of the family, including the kids. That said, the decision of whether or not to become a Nielsen family remains firmly in the hands of the heads of the family. Perhaps regardless of the consent of its younger members.

2) They do also now track participating families' Internet usage at large, like Facebook's app was doing. I don't know whether it relied on a VPN or some other technology.

3) I think that most people could understand the TV consumption tracking that used to be Nielsen's bread and butter. But, at least based on the recruitment materials that were sent to me, I didn't have a clear understanding of the extent or nature of Internet usage data collection. I assume the story would be similar for most other users, especially minors.

Based on that, I think that a lot of these comparisons are comparing what Facebook is doing now to what Nielsen was doing 20 or 30 years ago. Which is fair comparison to explore, but let's be careful not to absolve the Nielsen of today from any scrutiny in the process.


They're really pushy about it too. They selected my house and sent a gift basket and some guy came to the house three times emphasizing the "prestige" of being a Nielsen house because you're supposedly helping to define what shows get made. I can't imagine what kind of person would be swayed by that argument.


My uncle used to tell a story about taking a studio tour in the 1960s where part of the tour was being a test audience for Lost in Space (he was a kid at the time). The whole family had a pad with a dial and you could turn it one way to display approval and the other to give a thumbs down.

He hated the show and tried to indicate as much throughout the showing. But when the lights came back on he realized that he'd had the pad backwards the whole time.

He never forgave himself for that one time he "got Lost in Space green-lit".


If you are a fan of niche or "underappreciated" programming and want more of it, I could see that argument being pretty compelling.


I could see it being compelling decades ago. Nowadays, though, I'm guessing fans of niche programming are increasingly cord cutters who don't need Nielsen to ensure their TV consumption is being tracked.

Totally non-scientific evidence: The only acquaintances I can think of who still have cable TV subscriptions do so because their TV consumption is dominated by sports.


It'll be interesting to see if the Disney streaming offerings upend that, given how much sports content they have full or majority ownership of.


Good information, and based on that, I agree, Nielsen is doing similarly bad things, one distinction being that a child is unlikely to sign up for these services without their parents' knowledge.

I'm not here to defend Nielsen at all, but I do think Facebook has a bit more responsibility to make the right decisions here given their ubiquity, reach, AND the invasiveness of how a root certificate allows them access to encrypted traffic and even text messages (really?).



>Nielsen doesn't explicitly target children.

I'm not sure what you mean by this because Nielsen absolutely targets children. The parents are explicitly consenting to having the box in the home but the box is constantly monitoring what is on the TV and invasively forces you to tell it every 30 minutes or so exactly who is watching the screen.

My family was a Nielsen family for a time when I was in college and my 8-12 year old brothers were living at home.


The key words being

> The parents are explicitly consenting

Nielsen asks the parents to consent to monitoring. The parents are adults, and adults are in a position to be able to give such consent. Parents routinely make decisions for their children that the children are not in a position to make on their own. This ensures that children, who do not have the education and life experience to be able to make such decisions on their own, have their interests looked out for by responsible adults.

Facebook skipped the parents and pitched their app to the kids directly.


There is no invasion like what you're mentioning in the (recently) current systems. I was a Nielsen household. They use audio tracking via HDMI/optical audio to "see" what's being watched, and they can of course tell what TV it's coming from, but that's the extent of it.


I wonder what the actual effects of saying “Period! End of Story!” are in a discussion forum.

Obviously someone is still free to respond, and then that won’t be the end of the discussion. So what’s the point of saying it? It seems to escalate the stakes basically: “if you disagree then you are a LABEL!”


I understand your sentiment here, but the broader point here is that we as industry have been historically timid about taking hardline ethical stances. In my opinion, Facebook's behavior here is clearly wrong, and I'm going to state it as so.

By taking a hardline stance, I'm opening the opportunity to prove me wrong. This is an open forum and I'm not calling anyone names for disagreeing with me. In fact if you do have a valid counterargument, PLEASE DO disagree. I'm more concerned about getting to the truth than being right.

But if there isn't a counterargument, then I want my comment to stand out as a stark reminder that we should not accept or be complicit to these types of practices going forward. If we don't take these types of stances, I do not think we will change the culture in tech.


Agreed. If the original commenter cannot make a cohesive and convincing argument as to why what happened is wrong, then they ought not to say anything. If they believe their argument is convincing, then these kinds of statements are unnecessary


NEXT!


HN isn't the place for these kinds of comments.


I know, I just can't help lowering the bar for a cheap shot sometimes.


Yeah I mean it's mostly interesting to see that at $0/mo Onavo was a fantastic deal for FB and they are willing to pay users at least $20/mo for the same quality data. I wonder what price this instrumentation is worth to them if $20/mo and PR risk was okay -- like, what is the upper bound on good quality iOS Onavo data?

Seemed like the WSJ described this tool pretty well [ https://www.wsj.com/articles/facebooks-onavo-gives-social-me... ] -- reportedly Facebook employees can just plug in "Snapchat" into the Onavo metrics and see "we estimate [XX] MAU, declining [Y%] year over year and [Z%] month over month", and they can use this info to short/long SNAP or to prioritize building/buying a competitor. Such a great idea.

I am confused that the Google product which also says it can collect usage data from 13-17 year olds [ https://support.google.com/audiencemeasurement/answer/756613... , https://support.google.com/audiencemeasurement/answer/757381... ] is still allowed by Apple. Maybe Facebook is just learning for the first time that Apple's control over what applications can be installed is arbitrary and capricious at best?

I do feel bad for whatever PM in Facebook (on Project Atlas or whatever) has been watching this news for the past few days and saying "whoa, this seems disproportionately unfair, given that Google and others do the same thing on iOS". I'm just wildly speculating here but that project team is probably getting a firsthand lesson in the "New York Times test" rule: if what you are doing were published on the front page of the NYT, would you regret it? (This is a particularly rough area because I think a lot of current employees probably feel like the NYT and peers have some kind of vendetta against them and probably don't really understand the hostility.)


>I wonder what price this instrumentation is worth to them if $20/mo and PR risk was okay

Legitimate market research focus groups pay $100-200/hr, or more, to regular people for verbal approximations of their own behavior.


Did you bother reading Nielsen's contract?

> Be 18 years of age or older and capable of entering into a binding contract. You expressly declare that you are the owner of or lawfully exercise control over any Device onto which you authorize the downloading of the Software.

Facebook's spyware was pushed to teenagers as young as 13. But yeah, same thing.


Fair point!


>This app is a market research app with a very small opt-in panel, just like having a Nielsen box on your TV.

A television is not just like your iPhone. This is in no way similar.

With regard to Nielsen's mobile program they are playing by Apple's rules on privacy and FB blatantly circumvented them.


For kids, a television is a device grandpa uses

> "Children watch an average of 2.8 hours of video content each day – the majority use devices other than a traditional television set to watch this. "

http://www.childwise.co.uk/bits--blogs/children-are-spending...


> I've never felt like Nielsen's data collection is evil

They've definitely crossed the line in the past.

For example around 2005 they were stealth-installing NetRatings spyware bundled with file-sharing apps.

(And similarly with comScore. It's probably best not to use these organisations as examples of good practice.)


These continued moves of desperation show a company terrified of losing its massive data-gathering surveillance machine.

Hoping Apple demonstrates its commitment to privacy by doing more than hurting internal functionality and speak to the only thing that matters to FB - its ability to surveil people.


Investors and governments pumped billions into FB in the last 5-10 years seemingly under the impression that it was too big to fail. One can definitely see the panic starting to trickle in now that it's clear the platform's days are numbered. I wonder if they will be able to shift to a less predatory/ad-based business model before it's too late or go all-out with the data harvesting.. It'll be interesting to watch it play out either way!


> now that it's clear the platform's days are numbered.

How is that "clear"? It's true that FB has received a lot of bad press and push back in recent times, but none of that changes the fact that FB is pretty much still the 10.000-pound Gorilla in the room with no real alternatives for a lot of people.

Don't get me wrong here: I don't like it either, I just don't see their days as being "numbered", but FB is too entrenched in a whole lot of sectors for it to simply vanish without some kind of competitor actually gobbling everything up they do right now.

Too many people forget that at this point FB isn't just "social media", for a whole lot of small and medium businesses FB has become their sole online presence, due to ease of use and reach.


They are definitely too entrenched with partners, but for the users themselves to mass-migrate all it takes is a big enough user-facing tactical error.


> Hoping Apple demonstrates its commitment to privacy

If Apple had a true commitment to privacy, this wouldn't have happened by design. Apple just has less commercial interest in gathering data about users outside its garden.


And what would you have them do? Prevent the use of VPNs on iPhones? That would go over well.


> this wouldn't have happened by design

What design changes would have prohibited this from happening? The only changes I can think of would make it more difficult to debug things in development.


Enterprise certificates are needed for internal apps.

And you can't have Apple knowing too much about internal apps since they could reveal trade secrets or other confidential information.

It's not a simple situation to fix.


Apple has a very lucrative business where they have a sizable legion of followers who will spend almost any amount of money to own their products. They don't really need new customers, and aren't likely to convert many with traditional advertising tactics, so they just have to sit back and continue iterating on what they have to get existing customers to keep coming back for newer stuff. Basically, their business is all about draining money from their existing userbase, not expanding it.


This is exactly what Apple would do to a small indie developer if they found they did something similar. Glad to hear that they aren’t afraid to do it to a company like Facebook.


In this case the punishment fit the crime - break terms of enterprise distribution cert, get enterprise cert pulled.

However, it's very possible that if a smaller company did this that all of their certs, apps, and dev accounts would get pulled. Facebook does still get some special treatment.


> Facebook does still get some special treatment

I am pretty sure others have had their entire accounts nuked for less.


well, I mean, of course... Facebook is still the proverbial 500lb gorilla, bad actor or no. Apple's going to be very slow in nuking a big player that drives a huge chunk of device usage.


Eh, I think Facebook would lose more money each day that conflict dragged on until they complied with Apple’s policies.

Users can always access Facebook through Safari.


Kicking Facebook's apps off the appstore would include WhatsApp, Messenger, and Instagram. It would be a bigger deal than logging into Facebook.com on safari.


Instant antitrust lawsuit if apple did that imo. They already have the good guy points here, no need to go overboard and become the bully.


let's do it... I'd love to eat popcorn and watch that play out.


Even ignoring directly related apps like Messenger, Facebook is the main way I log into a large chunk of unrelated apps on my iPhone including games, food delivery, shopping, etc. Nuking the main Facebook app could cause harm to a huge number of users and third party developers.


You can log in with Facebook over Safari and not the Facebook app.


is it clear whether Facebook would have more to lose than Apple if its app were banned from iOS?


I think Facebook has more to lose. Apple has some of the most loyal customers on the planet, and everyone subconsciously hates Facebook anyway.


I think Apple is right here — they’ve detected a breach of term and shut it down.

But I still think they are wrong for blocking 3rd party apps. I understand they believe it is for my safety and security, but there needs to be a happy medium. They should have a way for experts to side load apps.


I think you're missing the point. Experts do have a way to side load apps, through enterprise certificates and developer certificates. Facebook was distributing an app to consumers using the enterprise certificates, to collect data, in somewhat malicious terms, which is a direct policy violation of using an enterprise certificate.


I think jedberg is saying he wants to be able to load whatever software he wants on a device he owns. Is this really controversial? There's no good pro-consumer argument for making it impossible. It's OK to make it technically challenging to prevent malicious software from getting on lay people's devices, but blocking it full-stop? If I own a device I should be able to put whatever I want on it. It's mine. Ownership means something. I'm not licensing my phone's hardware. I own it. I can smash it to pieces if I want, why can't I change the bits inside?


> There's no good pro-consumer argument for making it impossible.

Possible arguments:

1. More security because of smaller attack surface for malware.

2. Higher average quality of apps because of curation.


So make iPhones like Pixels. If I want to root the device, make it simple, make it factory wipe the device, and flip a bit that opts me out of software support. (I know Google doesn't do this last one, but I'm not opposed, I know what I'm doing.)

But no. I have to buy a $1200 mini-computer and then accept the arbitrary whims of Apple on what code I can run when.


> I have to buy a [...]

That's the clue: You don't _have_ to. Buy a Pixel if you want to root something.


Isn't that what rooting is for?

I don't think it's controversial to say opening up ways to load apps outside of the app store will make it far, far harder for Apple to make any performance, security and stability guarantees about their devices. So if you choose to bypass Apple's ecosystem, you are on your own and can't blame Apple for anything that goes wrong.


I did jailbreaking for a while. It means being on an old OS all the time because it takes time for the jailbreaks. And I shouldn't have to jailbreak to side load apps. There should be an officially supported channel.

> make it far, far harder for Apple to make any performance, security and stability guarantees about their devices.

You mean like my laptop? Somehow they manage to maintain guarantees despite the fact that I can load any software I want.


To be fair, you can sideload apps on to your iPhone, it's just that if you are not part of the Apple Developer program you'll need to resign them every seven days.


I am an Apple Developer, but that still requires me to use open source apps, since I have to compile it myself. Also it's a lot of effort.

It would be nice if I could just go to a web page, click a link, and say "load this app, I accept the performance/security risks this entails". Like I do with my laptop.


> I am an Apple Developer, but that still requires me to use open source apps, since I have to compile it myself.

As I've mentioned in another reply, you want to use Cydia Impactor to resign apps.


"You mean like my laptop? Somehow they manage to maintain guarantees despite the fact that I can load any software I want."

I don't think that's true. I bet an iPhone is a lot more secure and stable than a Macbook Pro.


> I don't think it's controversial to say opening up ways to load apps outside of the app store will make it far, far harder for Apple to make any performance, security and stability guarantees about their devices

Why would this necessarily be the case? Apps on iOS are already pretty restricted as to what they can do - they can only access files they create (or have to ask for permission), they have to get permission to use the camera/microphone/etc, they're throttled pretty severely when they're in the background, and they can't modify any parts of the system UI. Even if you did install a malicious app, what would it be able to do?


> good pro-consumer argument

So you support apps like this Research one being made available to teens ?

Because that's what side loading apps gets you. Only except Apple can't stop it.


> So you support apps like this Research one being made available to teens ?

I 110% support that. Freedom is good. Hopefully their parents are involved enough in their lives to have explained the dangers of such things to them. Or perhaps Apple provides a parental control to allow that, but at least it would be possible for the parent to allow.


Freedom tends to let one do all manner of unsavory things. On balance, it’s still better than the alternative.


The argument isn't whether specific parties should produce malicious apps. Obviously any rational person would say no, depending upon what your own definition of malicious is (many have argued that a consenting party being paid $20 per month in exchange for data collected from their device is not malicious).

The argument is whether Apple should be the arbiter of what is considered a proper use case for an app or whether an individual should be. This argument is as old as the hills. Should the government be able to dictate to me what the correct size of a soda at McDonald's is? This is roughly the same argument. Although in Apple's case I think the restrictions have more to do with creating a reputation for consistency and quality.

I can install most any software I want on my PC but because of that you could argue the overall experience on a PC is sub-optimal compared to an iOS device. It's all about what's important to you. Personally I think Apple should be able to enforce whatever restrictions it chooses for its apps and customers are free to pick a different device with fewer restrictions. The developers are the ones who don't have a choice in this because they have to make apps for iOS if they want to get the largest possible user base so they have to abide by Apple's rules. I think the antitrust case for developers against Apple is pretty strong at this point, but I think the argument that I should be able to install what I want because it's my device is pretty weak.


Yeah, Apple have to step in here - otherwise they risk Enterprise certificates being used widely to violate Apple's AppStore restriction (which is what FB was doing), which is clearly not in Apple's best interest.


> Experts do have a way to side load apps, through enterprise certificates and developer certificates

Only their own apps. You can't use that mechanism to distribute an app to other "experts", which makes it of limited use in practice. You can distribute as source and require them to build it, but then everybody who wants to install your app on their device also needs a Mac.


I meant I want to side load apps on my phone that I don't write that other people make that perhaps violate Apple's rules. Like one that replaces springboard for example. Without having to jailbreak.


I agree. I would like to see something like we see with Linux distros. Whether I'm using apt, yum or dnf I can add a third-party repo for my package manager to download and install from. When I was into jailbreaking my phone that is what this basically meant to me even though I had to go with a different package manager (I think it was called cydia).


> Like one that replaces springboard for example.

This is not something that apps can generally do.


They can in a jailbroken phone. I want that functionality without all the hoops of jailbreaking.


Life is unfair and that applies to a wide variety of subjects.

“I want to live without all the hoops of death”


They’ve also been expanding the reach of TestFlight apps through public invite links. There are some notable apps (iSH, a Unix terminal emulator, comes to mind) that are only distributed through TestFlight, since that sort of thing would never make it through App Review.


Yeah testflight distribution is a decent workaround, but they limit the number of installs. Also you have to pay Apple for the ability to distribute through testflight.

I want a way for a 16 year old kid to make an awesome app and then distribute it to whoever wants it. Like back in the shareware days.


like, the App Store? Is it just the $99/yr that you object to? Because you could offer some scholarships to promising programmers. The kid already has a Mac, I bet he can talk his parents into a developer account if he's made an awesome app.


No, like apps that don't get approved in the app store. Like some cool springboard replacement, or an ssh client.


> or an ssh client.

FWIW, I have a few ssh clients on my iPhone (Termius, Prompt, iTerminal) that came from the App Store. Termius even offers mosh. Why wouldn't they be approved?


They didn't used to allow them for some arbitrary reason. It was just an example of something I might want that might not get approved.


When did they not allow SSH apps? I remember using an AppStore SSH app on a first gen iPad about when it came out.


I bought Panic's Prompt for my iPhone 3G. I don't ever recall a time they weren't allowed.


There are an infinite number of apps that can be made that aren’t ‘cool springboard replacements’.

Why is that even remotely important?


They were just examples of things that won't get approved that I might want to install.


I know of a lot of apps that are attached to having an active patreon sub (via testflight downloads).

The only thing I can think of that would be a problem for that 16 year old kid (or alternatively, a sneaky black hat) is permissions. Maybe a color coded permissions model where green means can only access the most basic systems, yellow means could access some personal data, red being can access very important or practically all your data, you must trust them implicitly before installing.


Does iSH really run afoul of the App Store guidelines? Seems to me that it's effectively the same thing as the various iOS Python IDEs, just using the Unix stack instead of Python. In particular it's an x86 interpreter, not a JIT...


Apps of this category must be classified as "educational", which is hard but not impossible to justify for iSH.


TestFlight apps do go through a review process, albeit a far more limited one.



I'd like to be able to side load closed source apps too.



In practice, it means that when a company gets in bed with that hardware / software ecosystem, Apple is always going to be in that bed with them.

Different companies will risk-assess that differently.


Safety and security sure is a secondary benefit for the userbase.

Let's not kid ourselves though, this is mainly about preserving the huge app store profits.


It's nice they have the capacity to do that to protect their consumer ecosystem (indirectly), however, if I'm making an enterprise ecosystem decision to build out a fleet of mobile tools for my company, "Apple has and has used the capacity to shut down the ability of the hardware we purchased to run software we wrote on that hardware" gives me pause adopting that ecosystem.

Their purpose was generally-accepted as just in this case, but what if next time, it's because someone started competing with them and they didn't like it?


Tech has a long and storied history of anti-competitive behavior by the platform owner, even without fancy signed code + crypto:

* Microsoft and the games they played with 4DOS, undocumented calls, testing for id strings and then claiming windows wouldn't run on the "Incompatible" DOS variant

* Apple re-implementing shareware utilities in the System 6/7/8/9 days right into the operating system, sometimes not compensating the original developer for the idea

* MS Word using undocumented APIs for better UX + integration over all word processors in the 90s/00s

* Twitter Changing Platform API and kicking out all sorts of useful apps on their platform

* Facebook doing the same

At least this time around, there's a clear kill switch so they don't have to be underhanded about it. And in this instance there was a clear and unambiguous ToS violation in play. Most of the instances I've listed went unpunished, or were only given a slap on the wrist after the damage was done.


The license to do that comes with a contract. Facebook broke the terms of that agreement. If you don't plan on doing the same, you have nothing to worry about.


That reads an awful lot like the reasoning "You don't have to be concerned about government privacy or authority overreach if you don't break the law."


Important detail - The agreement says that Apple may do this for the exact reason at hand here - Preventing misuse/abuse of enterprise certificate.


Isn't this exactly what the FTC is for, though?


The FTC is a good backstop, but in the time it takes them to resolve a (potentially antitrust) case, your company could go bankrupt. As an enterprise purchaser, it may not be a risk I want to take on for the benefit of using Apple hardware and software for internal solutions.


This is having a real effect internally at Facebook.

In many ways this is a good punishment, disruptive to the bad actor and minimally disruptive/invasive to the consumer.

>Apple has shut down Facebook’s ability to distribute internal iOS apps, from early releases of the Facebook app to basic tools like a lunch menu. A person familiar with the situation tells The Verge that early versions of Facebook, Instagram, Messenger, and other pre-release “dogfood” (beta) apps have stopped working, as have other employee apps, like one for transportation


I love the thought of someone at Apple holding a meeting on this and saying "well, fuck them" while sending out the kill command on the CLI :)


While I have no sympathy at all for Facebook, this is a rather chilling reminder of Apple's ability to decide what you're allowed to run on your own phone.


Chilling isn't my takeaway. It's that Apple takes the threat of surreptitious data gathering seriously and enforces its rules for other companies to that effect.


I think OP's stance is something like:

Given that Apple has the ability to control what software can and cannot run on your device (to a large extent), this is a praiseworthy use of this power, however, on the whole, it would be preferable for Apple not to have this ability.


Facebook still has this power on Android. If you don’t want the protections of Apple’s walled garden feel free to swim in the unregulated waters of Android


Absolutely! We should have laws protecting our privacy online and offline, from governments and from private entities. We should be able to sue Facebook and their ilk into oblivion. Until then, anyone who stands for privacy is on my side and has my business.


In a world where there are no weasels like FB, constantly trying to see what they can get away with, I too would prefer that Apple not have that ability. But in the world I currently live in, I'll reluctantly side with Apple having that ability. And the instant they use it not to my liking, I can go buy some other brand of phone.


How would Apple be able to enforce any of its user privacy policies without having some control? Write the developers a sternly worded letter?


Leave it up to the user (or, possibly, their parents if they're under-age) and give them the tools for maintaining their privacy. For example:

Have appropriate app permissions (which we mostly already have).

State that only apps within the app store are monitored to be privacy-friendly/"trustworthy", while still allowing a relatively hassle-free way of installing apps from outside it, similarly to how Android does it (except that I don't necessarily trust Google to ensure that the apps within the Play Store are "trustworthy").

Label "untrustworthy" apps (similarly to how F-Droid labels potentially unwanted features).

Now, since Apple currently has more intrusive control, I want them to use it for "good", but I don't want them having this power in the first place. As an analogy, if there were policemen stationed on every corner in the city, I'd probably want them to prevent suicidal people from jumping off bridges, but that doesn't mean that I want the policemen to be there.

(For the record, I use Android.)


To me it’s a fallacy that even a highly skilled and knowledgeable person could set their own privacy settings to what they’d actually like. When you have huge forces arrayed against you, a powerful advocate is necessary.


> To me it’s a fallacy that even a highly skilled and knowledgeable person could set their own privacy settings to what they’d actually like.

Do you mean on a phone or on any computing device? I'm pretty confident that I've set the privacy settings to my liking on my GNU/Linux laptop. (Well, with the giant exception of tracking by websites, but I think that uBlock+uMatrix on Firefox still deal with that slightly better than Safari's blocking.) You could argue that in this case Debian (or the like) is my powerful advocate, but it's a powerful advocate who doesn't take away control of my device.


It's either that, or they employed their market dominance to strike at their competitor. Without a public regulator that fines both Facebook and Apple for their respective abuses, we will never know which.


A public regulator of tech oligopolies is a great idea. Until that happens we have few choices in whom we choose to trust. Apple is no corporate saint but for now it is the best of the lot because of its business model.


You really trust the government to regulate tech fairly?


Government regulation often comes about as a result of failure to self-regulate. Facebook doesn't care about torches and pitchforks, but your Congressional representative does. Now, were FB (or tech companies in general) smart, they'd self-regulate before the citizenry starts digging in the garden shed for implements.

But tech companies, and especially FB lately, aren't smart. And, like the three year olds their maturity reflects, they bitch and moan when the hammer comes down. Well hey, Ayn, I've got an idea: stick a finger to the wind and sort your shit before the Big, Bad Government(tm) comes a-knockin'. Because when they come, shit's going to change and probably not in a way you like. Might as well get out in front of that narrative.


My congressional representative is spending 2/3rds of his time fundraising.

https://bulletin.represent.us/much-time-congress-members-spe...

Especially in the south, the only thing they have to do is demonize “them”, wave a bible in one hand and a gun in the other to get re-elected while raising money from corporations.

Neither they nor their constituents vote based on “privacy”.


Completely? No. But when it comes to data and privacy I think it'd be better than today's wild west.

Who would have thought ten years ago so many people would willingly give companies a live feed video stream of the inside and outside of your house, along with voice recordings of everything?


And the government would never use its power to design laws against its enemies in a Democratic society.

A Democratic society ruled by the majority never passes laws that discriminate against minorities and is never hostile against minorities....


I trust them ("them" being developed-world democracies; obviously there are more concerns with, say, the Saudis) more than I trust tech to self-regulate.

You're not going to get a self-imposed GDPR.


But private corporations also can’t forcibly take away your freedom and your property. If I have the choice between giving the government more power and private companies. I worry a lot more about government power.


> But private corporations also can’t forceable take away your freedom and your property.

Sure they can. GDPR was necessary because tech has largely obliterated the right to privacy online, with like buttons, analytics, ad networks, etc.


Well considering that the worst that corporations can do with data is sell your privacy compared to the worst that the government can do - throw you in jail if you give them too much power. I’d rather not give government more power.

Trump has outright said that he is in favor of jailing journalists for spreading “fake news”. You know if the government passed a law to “protect privacy” they would give themselves an exemption and want a backdoor.


You can debate worst-case "the US gets taken over by Nazis" scenarios, but it's also important to consider current use.

I find Facebook a far more significant currently active risk to my privacy than I do the government. I'd love to see a GDPR in the US.


I’m not debating the worst case. I’m going by history of how the FBI acted in the 60s during the Civil Rights Era and how it currently acts with the “War on Terror” and the “War on Drugs”.

Having a government that is actively hostile to minorities - religious, race, nationality, or sexuality only takes a populist leader who speaks toward their prejudices....


Oh, come on.

If we're going to go historical, we'll have to include company towns (which Facebook is revisiting as a concept, incidentally) and debt slavery, the Pinkertons machine gunning strikers...


It isn’t “historical” what is happening today in Gitmo, being able to be locked up without a trial if you are deemed a “terrorist”, or secret warrants.


It depends which one.


I think it’s a bit of a stretch to say Apple and Facebook are competitors. Apple makes its money selling stuff, Facebook by selling attention.

That being said, the incentives for Apple to become more like Facebook are quite strong and you can see it in the direction Microsoft has gone with Cortana and in-OS ads.


So who are you positing as becoming more like Facebook, Apple or Microsoft? Or do you assume that they’re equivalent?


Are Facebook and Apple competitors?


iMessage <-> WhatsApp. But that's a pretty minor business segment for Apple...


Not arguing about the point that Apple can decide what runs on your phone, but in this case Facebook was in clear violation of the terms of agreement. And they only shut down their enterprise apps not the actual Facebook app.


It's not really an agreement, if you want to support Apple customers you either accept or leave that market to Apple itself. For something like social networking, that's absolutely massive, and we can't say that Apple has been shy to duplicate and replace applications with their own versions, and push them along with their ecosystem.

What we see here are two monopolists fighting, it's hard to pick a side but imagine what chances a startup has in this environment. The robber barons are back.


In this particular case the agreement is not the app store agreement but an enterprise certificate for which you have to apply separately and which gives you special treatment. It enables you to create and distribute apps without going through app store review under condition that you will never distribute them outside your organisation. Facebook quite deliberately violated this rule.


> it's hard to pick a side but imagine what chances a startup has in this environment.

Facebook is constantly paranoid about new social media networks taking away their advertising space. This is them admitting a startup has a chance in the environment. Social media platforms gain huge traction and lose favor every year. Facebook sticking is an unnatural position and they know it.

Apple's flagship product, the iPhone is suffering from longer and longer upgrade cycles as the category matures. Many people are starting to ask if a new product category can replace smartphones. This is coming at a time when Apple doesn't have Jobs, and it's possible they won't be in the early wave of innovators on the next tech wave. A small innovative team could outperform Apple on this front.


Seeing that there are thriving competitors for every app that Apple bundles. There are existence proofs that Apple hasn’t pushed developers away.


This is exactly the kind of thing I want them to decide that I'm not allowed to run on my phone.


Yes. While they were justified this time, it is possible that they won't be justified in the future. Management now is not management then. Anything that outsources control of this level to a third party is a business risk for a company of any size. We need better solutions.


It was a voluntary agreement (license) that was broken. It's hardly chilling.


Given the number of people using iPhones, you basically have to support the platform in order to make any money, so I wouldn't say the agreement is really "voluntary".


The internal cert is different from a regular application cert. The conditions for use are explicit.

Apple and Google, these corporations signed a license agreement to conduct themselves a certain way and failed to do that WRT the enterprise org cert. They were not forced into signing an agreement and have access to excellent legal counsel. This is a manifestation of the prevailing culture.

Furthermore Facebook is ruthless about enforcing their IP to "their" data (also voluntarily offered by users) and Google dictates the same way, except much of Google's data is hoovered up. These companies all have a history of dictating and exclusion.


I know this is crazy talk, but facebook could release the code and allow users to load onto their phone using xcode.


You're not wrong about the scale of their abilities.

At the same time I think it is good to have someone ... make the right call. It's just that we have to hope they keep making the right one.


Glad to see rules being enforced on a powerful organization.


They have stripped them of the enterprise certificate. This does not affect installed apps from the app store of course.

But still a clear statement from Apple.


It does affect any internal apps Facebook has, though.


Only ones signed on the same certificate.

One expects the reason they reused their primary enterprise cert is so they wouldn't have to justify their spyware in a new request to Apple...

You build a house out of kerosene jugs, don't go crying when it burns down.


The article indicates their lunch menus and staff transportation apps don't work.

> Apple has shut down Facebook’s ability to distribute internal iOS apps, from early releases of the Facebook app to basic tools like a lunch menu. A person familiar with the situation tells The Verge that early versions of Facebook, Instagram, Messenger, and other pre-release “dogfood” (beta) apps have stopped working, as have other employee apps, like one for transportation.

I'm totally fine with this house burning down. Just noting that this is apparently having very significant internal effects, even if the public Facebook app is fine.


> I'm totally fine with this house burning down. Just noting that this is apparently having very significant internal effects...

And this is ALL on Facebook and NOT Apple. Facebook understood the consequences when they decided to abuse the Enterprise Cert. They took the risk and got called on it. This is Facebook's fault. Full stop.


Full stop, no arguments, I’m right? Are you open to discussion or here to impose your ideas?


In a way, that seems like the best counterstrike by Apple. Minimally disruptive to the public at large, massively disruptive to the bad actor.


"Only" is a little bit of an understatement.

Almost every single employee that has an iPhone is running beta/dogfood releases signed with the enterprise certificate. Facebook, Workplace, Messenger, Work Chat, Instagram all fall under this umbrella. The "lunch app" people are talking about also lists open tasks and calendar events.

It's going to be internally catastrophic.


Sounds like an own-goal that they could’ve avoided by not being slimy.


Well, if FB used them the way they were obliged to, Apple wouldn't have to take this step.


I keep going back and forth regarding whether Onavo is just "opposition research" or a sign that while Facebook is still as powerful as ever, that they are running out of product ideas. Of course it could be both, but the use of Onavo and 'Facebook research' have a hint of desperation.


So this is what Schadenfreude feels like.


Detoxing the masses seems to be a pipe dream for long now. But if nobody would like to work for them, this might mark a point.


2 of the big five in a dispute over "ethics of technology (ab)use". One commenter had the thought, that this reaction from Apple is just straight aligned with the rules they created for every corp - regardless of their market share or $.

But - I guess there will be negotiations. FB is in a position to make a deal.

Bad press in the dev-world - on dev-topics - didn't hold the masses and average Joe back to continue using FB. And this fail won't, too. Me sounding fatalistic, I know. But this outrage in the dev-world isn't enough to demask the beast.

Red lines crossed - and next week the PR department will fix it.

I don't know what needs to happen until the masses of FB-addicts switch to "open technology" and leave their silos.


I don't know that Facebook is in a position to make a deal. Apple just won a mountain of positive press by taking a tough stance on this, and without having to actually take Facebook's legitimate apps away from their users. I think Facebook is just going to have to live with the consequences of their decisions.


Hopefully this (likely, and unfortunately only momentary) pause in facebook employees' evil progress will inspire even a few of them to quit and use their experience for good instead.


This isn't going to stop anything. Attribution was already "laundered" through multiple different agencies and firms who were conducting this research.

They'll just cut a check to another company and proceed from there and/or a company will just sell them the data on "teen social and mobile usage" and Facebook will be able to truthfully state that they had no idea the means by which it was collected.


It's heartening to see that Apple isn't afraid to rap their knuckles when they misbehave, despite their being such a force in the tech space.


Can somebody explain the technical specifics of what was installed and what is revoked ? I'm not familiar with iOS. My assumptions are: The original app, which was distributed by fb, installed a systemwide CA to MITM traffic after prompting the user. Is this not available to regular apps distributed on the store ? This app was not on the app store but distributed out of band. In order to sideload apps on iOS, they still need to be approved by Apple ? So Apple maintains a whitelist of developer certificates who can side load apps. Now, Apple has blacklisted this signing cert. However, this doesn't do anything to the CA, right ? However, the article says, "Revoking a certificate not only stops apps from being distributed on iOS, but it also stops apps from working." How does this work exactly ? Apple triggers all the clients in the world to freeze/remove these apps ?


> The original app, which was distributed by fb, installed a systemwide CA to MITM traffic after prompting the user.

Correct.

> Is this not available to regular apps distributed on the store ?

No, this is OK; VPN apps do exactly this, but they go through review to make sure that they are actually VPN apps and not, well, essentially what Facebook is trying to do here.

> This app was not on the app store but distributed out of band.

Yes.

> In order to sideload apps on iOS, they still need to be approved by Apple ? So Apple maintains a whitelist of developer certificates who can side load apps.

You haven't mentioned it, but I think it's important to make the distinction about the two ways to sideload apps on iOS: you can self sign your app yourself for your device (generally via Xcode), which Apple doesn't really check at all, or you can be a company, get an enterprise certificate, and use this to sign apps and distribute them to other iOS devices, as Facebook was doing here. The catch is that you are supposed to only do this internally inside your company.

> the article says, "Revoking a certificate not only stops apps from being distributed on iOS, but it also stops apps from working." How does this work exactly ? Apple triggers all the clients in the world to freeze/remove these apps ?

iOS, as of iOS 8.4, periodically checks for revoked certificates and will refuse to run apps that were signed with something that Apple has blacklisted.
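
The two sideloading routes described in the comment above leave different marks in the `embedded.mobileprovision` file inside an app bundle, which is what a device-fleet or app-vetting team would inspect. The following is an added example, not part of the thread: it classifies a profile by distribution type, and the sample profiles, team names and device ID in it are constructed.

```python
import plistlib
from datetime import datetime, timezone

PLIST_START, PLIST_END = b"<?xml", b"</plist>"


def extract_profile(blob: bytes) -> dict:
    """Pull the XML plist out of a .mobileprovision blob.

    The file is a CMS (PKCS#7) container whose payload is a cleartext plist.
    Scanning for the XML markers reads the payload but does NOT verify the
    signature, so treat the result as untrusted metadata.
    """
    start = blob.find(PLIST_START)
    if start < 0:
        raise ValueError("no plist payload found")
    end = blob.find(PLIST_END, start)
    if end < 0:
        raise ValueError("plist payload is truncated")
    return plistlib.loads(blob[start:end + len(PLIST_END)])


def classify(profile: dict) -> str:
    """Map provisioning-profile keys to a distribution type."""
    # In-house (enterprise) profiles are not tied to a device list.
    if profile.get("ProvisionsAllDevices") is True:
        return "enterprise"
    # Development and ad hoc profiles enumerate the devices they run on;
    # only development builds carry the debugger entitlement.
    if "ProvisionedDevices" in profile:
        debuggable = profile.get("Entitlements", {}).get("get-task-allow", False)
        return "development" if debuggable else "ad-hoc"
    return "app-store"


def audit(blob: bytes, now: datetime = None) -> dict:
    """Summarise what a reviewer needs: who signed, how, and for how long."""
    profile = extract_profile(blob)
    # plistlib returns naive datetimes in UTC, so compare against naive UTC.
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    created, expires = profile["CreationDate"], profile["ExpirationDate"]
    return {
        "type": classify(profile),
        "team": profile.get("TeamName", "<unknown>"),
        "lifetime_days": (expires - created).days,
        "expired": now >= expires,
        "device_count": len(profile.get("ProvisionedDevices", [])),
    }


def make_sample(kind: str) -> bytes:
    """Build a constructed profile blob (fake CMS bytes around a real plist)."""
    if kind == "enterprise":
        profile = {
            "TeamName": "Example Corp (constructed)",
            "TeamIdentifier": ["EXAMPLE123"],
            "ProvisionsAllDevices": True,
            "CreationDate": datetime(2018, 6, 1),
            "ExpirationDate": datetime(2019, 6, 1),
            "Entitlements": {"get-task-allow": False},
        }
    else:  # a short-lived, single-device development profile
        profile = {
            "TeamName": "Jane Doe (constructed personal team)",
            "TeamIdentifier": ["EXAMPLE456"],
            "ProvisionedDevices": ["0" * 40],
            "CreationDate": datetime(2019, 1, 28),
            "ExpirationDate": datetime(2019, 2, 4),
            "Entitlements": {"get-task-allow": True},
        }
    # Leading and trailing bytes stand in for the CMS wrapper.
    return b"\x30\x82\x0b\x1e" + plistlib.dumps(profile) + b"\x00\xa0\x82"


if __name__ == "__main__":
    when = datetime(2019, 1, 30)
    for kind in ("enterprise", "development"):
        print(kind, audit(make_sample(kind), now=when))
```

Revocation status is not recorded in the profile itself, so this shows which distribution channel an app uses, not whether its signing certificate is still accepted.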


Thanks. A couple of questions.

>VPN apps do exactly this, but they go through review to make sure that they are actually VPN apps and not

A vpn app can tunnel network traffic, but it doesn't meddle with system certs or the CA. It doesn't get to decrypt TLS connections by default. So which one did fb do ? Did they just tunnel traffic, or did they MITM TLS traffic as well ? All the coverage about this story seems to be vague. If it's just the former, it doesn't seem that egregious since it is explicitly called out as a data collection app.

>iOS, as of iOS 8.4, periodically checks for revoked certificates and will refuse to run apps that were signed with something that Apple has blacklisted.

Again, I don't know how the system cert store is handled, but even if you can't run the app with the blacklisted dev cert, are the modifications that it made in the past (such as enrolling a CA) also reverted ? In this case, that may be the desired outcome, but in general, that state is not really a part of the app.


> A vpn app can tunnel network traffic, but it doesn't meddle with system certs or the CA. It doesn't get to decrypt TLS connections by default. So which one did fb do ? Did they just tunnel traffic, or did they MITM TLS traffic as well ?

Sorry, I should have been more clear. Most VPN apps tunnel traffic, but the Facebook app is going further and inserting its own root certificate, allowing them to intercept TLS traffic. Some apps, like Charles Proxy, do this, but it obviously has a legitimate use for this.

> are the modifications that it made in the past (such as enrolling a CA) also reverted

I haven't tried it, but I'd like to think that this is the case.


Wasn't Zuck trying to actively encourage the use of Android over iOS for employees anyway? :)


It's pretty crazy to think about what Apple is capable of doing now. By banning an app, they can easily kill a small company, and now they've caused some huge internal headaches for Facebook. I know Facebook broke their rules and totally deserved it here, but it's interesting to think about the power Apple has obtained by tightly controlling their platform.


You do bring up an interesting point. Apple's (expected?) responsibility here is to protect their users from malicious apps on their devices. It does seem reasonable for me what they are doing, but of course if they were to lose sight of their users' best interests, then this could become problematic. However, I think for issues like that we need to just trust the market to correct for that. If Apple were to destroy user trust, then I would not doubt that people would flock to their competitors (Google, Samsung, etc).


I see this as a start of a political battle between Apple and Facebook (maybe Google too with their Screenwise Meter app). First Facebook tries to push the limit of what Apple would deem acceptable. Then Apple pushes back and show that it's clearly not acceptable.

Now waiting for Facebook's response.


I'm curious as to what Facebook will need to do to get around this assuming Apple intend to have the certificate revoked indefinitely. Couldn't Facebook just start signing their apps with an alternative certificate Apple has already granted them?


This scares me. Not so much the action by Apple (they are flexing their muscle), but the reactions here. "Great!" is the gist.

If you think a unilateral revoke, and shutdown of a company's internal tools, because of an external issue, without recourse is a good thing... I'm guessing you have no issues with Crazy EULAs, Monopolies, Corporate abuse, Corporations doing as they please. (I can keep going down this slope...)

Facebook had a program, with willing participants, that broke a third party's rules. We can argue ad infinitum about this.

But this is a company, STOPPING your usage of YOUR hardware, AFTER you purchased it (I'm talking about Apple stopping Facebook from distributing internal tools as well, this is the side effect of this). Think deep and clear about this. Are you ok with this?

Secondly, from the company (Apple) that literally turned everyone's devices into wiretaps, globally, and ignored the issue for who knows how long... This is just.. wow. (And they continue not to issue a formal reason for this.)

Just.. wow.


Yeah, no. Facebook had a cert for distributing internal apps. When one of their external projects was rejected by the App Store, they used the internal cert to try and distribute it externally (circumventing the App Store). As a response Apple revoked the certificate that was being used in violation of its use agreement. There is nothing wrong with that action.

You're introducing a straw man argument by trying to make this about hardware ownership.


With due respect, I think you misunderstand what a straw-man argument is. This is not a different point. This IS post purchase control of hardware.

Would you be ok with Tesla disabling cars because you were using illegal drugs in them? Now do you get it? I'm not defending Facebook. I'm telling you this behavior from Apple is truly scary. Apple is not law/moral/societal enforcement "police".

This is the ONLY way to run internal apps. And it wasn't one cert, btw. Google has a similar "research app", their certs have not been revoked. Maybe because Apple relies on Google more? Maybe because they generate revenue from their search and app placement deals? Hrrm?

My point is simple, arbitrary revokes, without process, are a scary thing. Especially when they are done POST purchase, and have real tangible effects.


You just put up a line of straw men.

Tesla disabling cars -- tell us how you feel about that!

using illegal drugs -- Wow, I'd love to hear your thoughts.

not defending facebook -- Are ya?

behavior from Apple is truly scary -- Elaborate.

Apple is not law/moral/societal enforcement "police". -- Right, they just wrote the EULA and have the right to deny service.


And funny enough.. my point was JUST proven [0]

Google does the SAME DAMN THING! And yet Apple did not go heavy handed, because, well, money???

But it's great to see how an informed crowd like HackerNews behaves just like any other inflamed mob.

[0] https://techcrunch.com/2019/01/30/googles-also-peddling-a-da...


Since Apple didn't catch Facebook either, but reacted half a day after the media report, I don't think taking this 3 hour old story as "Apple isn't doing anything to Google!!!" is reliable: We'll see what happens.


(replying to the reply of my comment, since threading doesn't go further)

Do you think Apple does not have reports of the number of users that have apps installed via an enterprise cert?

That's pretty much the basic type of stats you would gather when having an enterprise licensing/authority system. Fact is, they knew about this, this was not hidden by Google OR Facebook.

Apple decided to release this the DAY after they had a huge privacy flaw in FaceTime.


It's not the only way to run internal apps: They can also install them through Xcode. Also, the revocation was in no way arbitrary, but due to a grave violation of the terms under which the certificate was obtained.


I mean, sure. Try managing thousands of devices that way though. lol


True! That's why there are enterprise certificates to make the process easier. Facebook just shouldn't have abused theirs for nefarious purposes!


Exactly this. I think Apple handles it perfectly on macOS: if you want to run an app downloaded outside of the App Store, you have to explicitly go to System Preferences -> Security & Privacy -> Allow apps downloaded from: anywhere. This provides a great mix of consumer protection against malicious code, and freedom for professionals to download and run anything on their machines. Disappointed in how they handle apps outside the 'walled garden' for iOS devices.


> if you want to run an app downloaded outside of the App Store, you have to explicitly go to System Preferences -> Security & Privacy -> Allow apps downloaded from: anywhere.

You can just right click the app and choose “Open”. That deliberate action will allow you to open an app from an unidentified developer without changing your Gatekeeper preferences.


> This provides a great mix of consumer protection against malicious code, and freedom for professionals to download and run anything on their machines.

Android has something similar. Remember the Fortnite fiasco?


I can't say I do, no


Basically, people were tricked into installing fake Fortnite APKs.


Yeah, but if you don't err on the side of freedom, then you're basically supporting Apple-style totalitarianism.

I'm glad that Microsoft's business model won out in the PC wars and I look forward to a time when Apple loses again in their home field. As a power user, I can't stand the amount of control Apple has over my own hardware. In my profession, I can't afford to ignore Apple though. I really hope they lose their anti-trust case!


As others have said, all Apple did was revoke a certificate that was used to intentionally circumvent the App Store. The fact that Facebook had a slew of internal apps that depended on that cert shows their stupidity, arrogance, or both. It's not Apple's responsibility to figure out how badly it will hurt if they revoke a cert that was used to violate their terms.


They can't test Facebook tools or internal apps on Apple phones, because they used their cert that signs Facebook tools or internal apps to make consumer facing spyware in violation of their agreement (that they had been warned about before!).

It's not like they shut down their MacBooks.

> Secondly, from the company (Apple) that literally turned everyone's devices into wiretaps, globally, and ignored the issue for who knows how long... This is just.. wow. (And they continue not to issue a formal reason for this.)

If you think there's a major equivalency of the bug on FaceTime, I can't help but think you're hopelessly biased.


With the news yesterday about Facebook's ambitious research project this seems entirely okay.
