Apple banned the apps by revoking Facebook’s enterprise developer certificate — and later Google’s enterprise certificate. In doing so, the revocation knocked offline both companies’ fleets of internal iPhone and iPad apps that relied on the same certificates. But in response to lawmakers’ questions, Apple said it didn’t know how many devices installed Facebook’s rule-violating app. “We know that the provisioning profile for the Facebook Research app was created on April 19, 2017, but this does not necessarily correlate to the date that Facebook distributed the provisioning profile to end users,” said Timothy Powderly, Apple’s director of federal affairs, in his letter.
Facebook said the app dated back to 2016. TechCrunch also obtained the letters sent by Apple and Google to lawmakers in early March, which were never made public.
These “research” apps relied on willing participants to download the app from outside the App Store and use the Apple-issued enterprise developer certificates to install the apps. Then, the apps would install a root network certificate, allowing the app to collect all the data leaving the device — like web browsing histories, encrypted messages and mobile app activity — potentially also including data from their friends — for competitive analysis.
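As an added defender-side illustration (not code from the article or either company), the check below takes a constructed MDM-style inventory of installed apps and trusted root certificates and flags devices showing the combination just described: an app installed through a non-approved enterprise provisioning profile together with a user-installed root CA. The inventory format, team identifiers and approved-team list are assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample records, loosely modelled on an MDM device inventory.
SAMPLE_INVENTORY = [
    {"udid": "dev-001",
     "apps": [{"bundle_id": "com.example.research", "source": "enterprise",
               "profile_team": "TEAM-PLACEHOLDER-A"}],
     "user_root_cas": ["Research Root CA"]},
    {"udid": "dev-002",
     "apps": [{"bundle_id": "com.example.mail", "source": "appstore"}],
     "user_root_cas": []},
    {"udid": "dev-003",
     "apps": [{"bundle_id": "com.corp.inventory", "source": "enterprise",
               "profile_team": "CORP-TEAM-PLACEHOLDER"}],
     "user_root_cas": []},
    {"udid": "dev-004",
     "apps": [{"bundle_id": "com.example.mail", "source": "appstore"}],
     "user_root_cas": ["Some Proxy CA"]},
]

# Enterprise teams the organisation itself signs in-house apps with (assumed).
APPROVED_ENTERPRISE_TEAMS = {"CORP-TEAM-PLACEHOLDER"}


@dataclass
class Finding:
    udid: str
    severity: str
    reasons: list = field(default_factory=list)


def assess_device(record, approved_teams=APPROVED_ENTERPRISE_TEAMS):
    """Return a Finding for one device record, or None if nothing is notable."""
    reasons = []
    foreign = [a for a in record["apps"]
               if a.get("source") == "enterprise"
               and a.get("profile_team") not in approved_teams]
    for app in foreign:
        reasons.append(f"enterprise-signed app from unknown team: {app['bundle_id']}")
    if record["user_root_cas"]:
        reasons.append("user-installed root CA trusted: " + ", ".join(record["user_root_cas"]))
    if not reasons:
        return None
    # Sideloaded app plus a foreign root CA is the traffic-interception pattern.
    severity = "high" if (foreign and record["user_root_cas"]) else "medium"
    return Finding(record["udid"], severity, reasons)


def scan(inventory):
    """Assess every device and keep only the ones with findings."""
    return [f for f in map(assess_device, inventory) if f]
```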
In Facebook’s case, the research app — dubbed Project Atlas — was a repackaged version of its Onavo VPN app, which Facebook was forced to remove from Apple’s App Store last year for gathering too much device data. Just this week, Facebook relaunched its research app as Study, only available on Google Play and for users who have been approved through Facebook’s research partner, Applause. Facebook said it would be more transparent about how it collects user data.
Facebook’s vice president of public policy Kevin Martin defended the company’s use of enterprise certificates, saying it “was a relatively well-known industry practice.” When asked, a Facebook spokesperson didn’t quantify this further. Later, TechCrunch found dozens of apps that used enterprise certificates to evade the app store.
Facebook previously said it “specifically ignores information shared via financial or health apps.” In its letter to lawmakers, Facebook stuck to its guns, saying its data collection was focused on “analytics,” but confirmed “in some isolated circumstances the app received some limited non-targeted content.”
Some of the ads asked for individuals ages 13-17 for a “paid social media research study,” while another advertised opportunities for users “Age: 13-35 (parental consent required for ages 13-17).” Facebook appears to have taken steps to obfuscate that they are behind the program, with TechCrunch reporting that some sign-up methods only mentioned its name during installation instructions.
“We did not review all of the data to determine whether it contained health or financial data,” said a Facebook spokesperson. “We have deleted all user-level market insights data that was collected from the Facebook Research app, which would include any health or financial data that may have existed.”
But Facebook didn’t say what kind of data, only that the app didn’t decrypt “the vast majority” of data sent by a device. Google’s letter, penned by public policy vice president Karan Bhatia, did not provide a number of devices or users, saying only that its app was a “small scale” program. When reached, a Google spokesperson did not comment by our deadline.
Google also said it found “no other apps that were distributed to consumer end users,” but confirmed several other apps used by the company’s partners and contractors, which no longer rely on enterprise certificates.
Apple told TechCrunch that both Facebook and Google “are in compliance” with its rules as of the time of publication. At its annual developer conference last week, the company said it now “reserves the right to review and approve or reject any internal use application.”
That’s the same type of policy violation that led Apple to shut down Facebook’s similar Research VPN iOS app, which had the knock-on effect of also disabling usage of Facebook’s legitimate employee-only apps — which run on the same Facebook Enterprise Certificate — and making Facebook look very iffy in the process.
Facebook’s willingness to collect this data from teenagers — despite constant scrutiny from press and regulators — demonstrates how valuable the company considers market research on its competitors. With its restarted paid research program, now with greater transparency, the company continues to leverage its data collection to keep ahead of its rivals. “After its previous app was rightly taken down and blocked from operating, Facebook moved more quickly to reintroduce a market research product than it has to provide any substantial consumer privacy protections or resolve the significant abuse on its platform,” Sen. Blumenthal told TechCrunch. “At a time when the company is under investigation for its data practices and anticompetitive actions, the Facebook Study app is at best tone-deaf and ill-considered.”
Facebook and Google came off worse in the enterprise app abuse scandal, but critics said that in revoking enterprise certificates Apple retains too much control over what content customers have on their devices. The Justice Department and the Federal Trade Commission are said to be examining the big four tech giants — Apple, Amazon, Facebook and Google-owner Alphabet — for potentially falling afoul of U.S. antitrust laws.