Apple yoinks enterprise certs from Facebook, Google, killing internal apps, to show its power After briefly punishing Facebook and Google for violating the rules of its enterprise developer program, Apple has relented. Cupertino is in the process of restoring the digital certificates used by Facebook and Google to sign and distribute in-house iOS apps internally to employees, after revoking them within the past 24 hours …
I detect a little snark against Apple in this article, but FB and GOOG were being quite naughty here, and the rules of the Apple walled garden are very clear: you're a guest in their domain, and if you misbehave, you will be thrown out. FB wanted to slurp data, couldn't get that past the Apple censor, and tried to sneak around it.
So yeah, getting official Apple approval is like having a root canal, and they can be hellishly annoying, but on this one, I'm glad they slapped the miscreants down.
Sent my from Android device :)
It's correct to underline the power Apple has on its platforms is a double edged sword. It can be used 'for good' like in this case, but it can (and is) used also to hinder competition, i.e. allowing a browser which doesn't use the OS engine (and you wonder why.... maybe it does collect some data?)
When your rights depend on the graciousness of some king, and not from rules everybody must abide too, it's always at risk.
When your rights depend on the graciousness of some king, and not from rules everybody must abide too, it's always at risk.
On the plus side, it's not a choice you make by accident, and it appears Apple does take indeed abuse seriously. As far as I know you can't pull an app from phones worldwide on Android when you discover it doesn't do what it says.
I'm now waiting for regulatory action: if both Google and Facebook did not make it 100% crystal clear that every action was visible when using this app (and in a VPN that really means a LOT), I think they deserve the maximum fine possible in Europe - especially since they explicitly sought to bypass limitations that made this difficult, had prior warning and had no problem going after kids with this.
I'm now waiting for regulatory action: if both Google and Facebook did not make it 100% crystal clear that every action was visible when using this app (and in a VPN that really means a LOT), I think they deserve the maximum fine possible in Europe - especially since they explicitly sought to bypass limitations that made this difficult, had prior warning and had no problem going after kids with this.
The thing which interested me in Facebook's initial statement was that it was "unclear whether any EU citizens were impacted" - really? You're tracking everything a user does on the phone, and you haven't figured out their location. Riiight.
"I'm now waiting for regulatory action: if both Google and Facebook did not make it 100% crystal clear that every action was visible when using this app (and in a VPN that really means a LOT), I think they deserve the maximum fine possible"
If the sources I read on this got it right, the "user's" were told that pretty much all their usage would be monitored. That was the deal for getting the money. What Apple are upset with is that this tracking data also logged stuff Apple didn't want it's competitors to know.
All fair enough in my opinion but then they shouldn't have released tools that allow others to see all this detail in the first place.
If the sources I read on this got it right, the "user's" were told that pretty much all their usage would be monitored. That was the deal for getting the money.
From what I read, they monitored kids too, which is a big no no under any circumstance., also because there's an interesting conflict here. A minor cannot agree to a contract without parental consent - which is what you'd need to get that agreement to start with. What a minor CAN do is consent to the use of their data, but if I recall correctly that only applies to a particularly ring fenced set of circumstances such as medical data. That said, even if we step back from law, targeting minors who as yet are not that aware of what they agree to is IMHO a vile thing to do, and I would personally love the idiots who came up with that strung up by their testicles (IMHO more likely to be effective than yet another cost-of-doing-business fine).
What Apple are upset with is that this tracking data also logged stuff Apple didn't want its competitors to know.
I don't think that mattered at all. You see that anyway at Enterprise level.
What is "used for good"? The two companies violated the agreed upon contract terms and suffered the punishment as put out in the contract terms.
Nothing more, nothing less.
When your rights depend on the graciousness of some king, and not from rules everybody must abide too, it's always at risk.
And it has nothing to do with the graciousness of some king. These companies enter into a normal business relationship with each other and the terms are set out in advance. Violation of those terms mean that either side can cancel the contract without notice. That is normal business practice, I used to go through about 3 or 4 such agreements every month in my old job.
As a consumer, you also enter into an agreement with Apple, in this instance, and it is also clearly defined what both parties can and can't do. It is therefore your decision to enter into that contract or not.
This has nothing to do with abuse of power. It is simply two contract parties broke the conditions of the contract they entered into and suffered the agreed upon consequences.
In democratic countries, there are also rules about what in a contract can be valid and what not. You can't enforce contract clauses that do violate user (or any other party) rights - as the Law is above any contract.
It looks people like you think it's OK someone holds such powers without any "checks and balances" - one day you'll regret it - as people did in the past.
Evidently in this case Apple didn't "abuse its power" - but the very idea it can do whatever it likes on someone else's device should be of concern anyway. And still, it means FB or Google can't spy you, but Apple can. Cook says it won't - is it in a binding contract with no expiration?
Remember what Benjamin Franklin said....
"You can't enforce contract clauses that do violate user (or any other party) rights - as the Law is above any contract."
As these were business to business contracts the law offers much less protection than business to consumer contracts. If this impacted any B2C contracts by FB or Google it's their problem for essentially trying to provide something they didn't own in the first place.
And still, it means FB or Google can't spy you, but Apple can.
You might want to do some more reading on how iOS is secured. It's easier to lock down Apple gear than Android, partly because you have one set of variables instead of version/vendor/added code by manufacturer/drivers for each device. The unity of the Apple ecosphere actually helps, provided you don't assume it's 100% safe - the Facetime bug is a good reminder never to become complacent.
(by the way, still not seen a bugfix for that Facetime problem on iOS or MacOS)
iOS does what Apple wants, not what you wish. You have no warranty Apple will never spy on you, or its UI does what it looks to do. It's not a matter of security - it's a matter of privacy. Evidently a bug can break privacy - but privacy can be broken without bugs. Sure *now* is better than Google, but tomorrow?
Again, if you just rely on a commercial company "good will" to protect you, one day you can discover the main aim of a company is usually to make money. Even Windows didn't spy on you until Microsoft made a U turn and turned it into one of the worst spyware around. Do you believe the day iPhone sales doesn't go well, and if for any reason FB, Google & C. don't get regulated and make more billions collecting and using users' data, Apple may not make a U turn too?
Only rules imposed by an external, independent entity - usually called "State" - can ensure citizen rights are not broken for commercial gains. I want a device that can't spy on me because it would broke the law - not one that migh not spy on me until a CEO changes his or her mind.
Anyway, I understand why democracy is a risk - too many thinks that a "good dictator" could work. It never did.
"allowing a browser which doesn't use the OS engine (and you wonder why.... maybe it does collect some data?)"
There's no mystery about this one.
1) Impossible to guarantee any kind of safety with a separate browser.
2) Impossible to guarantee any kind of performance (battery life, etc).
iPhone and iPad users are better off they way it is.
It looks the Apple kool-aid worls very well, as the Cult Of Apple.
Sure Mozilla coders are all incompetent ones... only Apple knows how to make a secure browser (not FaceTime, it looks).
And well, your battery life example.... after the Apple "batterygate"....
Oh yeah, because Safari has such a huge market presence! Not sure why Apple cares if you use another browser, but I'm not sure why would you would WANT to use another browser on iOS? Surely only a drooling moron would want to use Chrome on iOS and give away one of the big benefits of using iOS in the first place - Google not being able to collect ever more personal information about you - so I assume you mean Firefox.
I like Firefox and want to see it succeed, and I use it on my desktop/laptop, but what would be the benefit of using it instead of Safari on an iPhone?
I detect a little snark against Apple in this article
A little snark?
Users of Android devices can side-load apps from outside the Google Play Store or other Android like the Amazon App Store or GetJar. That presents more danger from malicious code but it also treats mobile users like adults capable of making their own decisions.
Somehow action taken by Apple, which is universally seen as laudable, has been turned into "Android is for smart people, Apple is for thickos".
What is this obsession people seem to have with root canal treatment?
Over the years I've had some and only one hurt, and I mean HURT.
It was about 50 years ago and I had an abscess in upper right 2. The dentist could not get the local anesthetic to work, so dental nurse and receptionist held me down while he drilled away. No more details required here.
Subsequent dentists have had no problem getting the local anesthetic to work for any treatment (hint: If your dentist needs to inject into the roof of your mouth get an anesthetic gel applied first).
Ugh, if there is one thing I absolutely loath, it's injections in my mouth.
That made having all 4 wisdom teeth removed at once* somewhat of a miserable time for me. On the plus side, doing it all at once was the right thing to do because I'm not sure anyone would have gotten me back for the second time without applying much stronger anaesthetics like a rubber hammer.
And I only looked like a hamster once.
That said, I nearly fell out of the chair laughing (no doubt amped by anxiety and already administered anaesthetics) when the guy approached me and said in a very thick German accent "Zis is not goink to 'urt". For someone brought up on a steady diet of British humour that was simply too much situational humour so I lost it for a moment.
* apparently it's not OK if they grow at a 45º angle
Yup, and I’ve seen comments elsewhere on this debacle to the effect that one should be able to consent to what Facebook was doing (“if they pay me enough”, said someone)
But IMHO there’s no way they can obtain legitimate *informed* consent from an average user. With the installed root cert and a VPN Facebook were in a position to read *everything* between the phone and any other TLS protected service that wasn’t using certificate pinning (and probably break those that were), riding roughshod over security best practices, laws, and user agreements.
Yes it is unfortunate but keeping your personal information secure is pretty much an impossible task for the 99% of people who aren't full time IT professionals. And even for some of them.
Just look at what people caught up in this said - "I figured Facebook was going to get all my data anyway, so I might as well get paid for it". On its face, it is true that Facebook does steal a lot of your personal information, especially if you login to it using a browser and use that browser to visit other sites that have that Facebook 'like' button tracker code built in. But the volume and detail of data they were able to get access to with this app was a couple orders of magnitude worse!
I'd compare it to the difference between someone able to peek through a gap in the curtains in your living room window, and letting them set up 4K web cams in four corners of every room in your house, including the bathroom.
Where do I download the dancing ponies? I've only got a row of dancing monkeys.
No problems for my point of view about what Apple did, except that if they were anyone other than Facebook and Google they'd probably have had their App Store certificates yanked and would have been kicked off the dev program too.
You want more selfishness? Fine. I don't want people to give up all their information because it gives companies that seek to violate my privacy more ammunition with which to attack me. Either they will have better systems for gathering and using information I don't want them to have, or they'll have collected a bunch of my information from other people I've met. Does that logic work for you?
On the topic of saving people from themselves, that doesn't need to apply to everyone. I think most would agree it applies to children. Adults can walk into dangerous situations if they want, but if I see a child doing that, I'm going to stop them and explain why that is a bad idea unless someone else is already doing so, even if they're not my child. The app concerned here targeted older children, giving them a relatively substantial amount of money for a person in middle school while taking a bunch of information, probably without explaining exactly what information and what they were going to do with it. Am I allowed to save them from themselves?
This perfectly encapsulates the dangers of big tech cloud. FB and Google absolutely deserved punishment for what they did. However, it is when you disrupt companies' internal processes that they tend to learn an important lesson and make sure it never happens again by building their own internal infrastructure:
Do not make your operations dependent on someone-else's good will. Your suppliers should be working for your next purchase order, not lording it over you.
FB and Google lost access for 24 hours (was it even a full 24 hours?).
Apple have made a lot of noise, got some headlines, caused a mild inconvenience, thats it.
They havent really taken anyone to task have they? Remove the keys for a fortnight, that would have been taking FB and Google to task. OK make it just one week. Long enough to cause significant pain without convincing them to redesign their products without you. But doing it for 24 hours? It's just a publicity stunt.
If this was any other firm who's breached the rules, they'd have lost their keys forever. But now, Apple have opened themselves up to the lawsuit from the next infringer who gets their keys taken away. Since FB has done pretty much the largest breaking of the rules possible and only lost the keys for 24 hours, than any other firm should only get the same treatment...
I don't entirely agree. Apple has clearly demonstrated to both Facebook and Google that there are consequences to be faced when caught in such a flagrant breach of the terms of use of these internal certificates. You can be sure that neither will be quick to do it again.
Equally, I'm sure Apple are also conscious that if they'd left both companies high and dry despite any apologies and assurances about behaviour going forward, legal action would probably have followed.
I spent several years in the Android phone camp (after a year with an iPhone 3G) while also running an iPad, I am now all Apple user and I can see the value in both approaches. Right now as a consumer I value the relative privacy that Apple provide.
I think the disruption was appropriately long enough for each company to notice how much it impacts them, and no doubt executives are busy drafting policies for who is allowed access to the enterprise developer certificate to able to sign new applications, to make sure it can't happen again.
If Apple knocked them out for weeks, all it would accomplish is probably get a lot of Facebook employees to buy Androids and the quality of their iOS apps would suffer due to reduced internal testing. If you spank an unruly quick, one or two quick swats will accomplish the same thing as counting out 20 of them.
" if it had been a "normal" company, they would be banned for a month or for life. Google and Facebook? Less than a day. Pathetic."
If it had been a meaningful ban, I'd have given serious thought to moving over to the Apple ecosystem for the first time in my life. Maybe a few others might too.
As it turned out, Apple's infinitesimal disruption at FB+G isn't really going to encourage anyone to "think different". Not yet anyway. Just another routine cost of doing business, for FB+G.
Only if that is in the terms and conditions of the contract.
Facebook and Google both entered into a contract for enterprise development, which said they could only deliver apps through that channel to employees and if they tried to distribute software outside of the enterprise they would be in violation of the contract and their certificate would be revoked.
That information was provided to both parties before they signed up to the enterprise programme, so it is little wonder that both parties had their certificates (temporarily) revoked.
I think it is probably the other way round, if it had been a "normal" enterprise or developer, I doubt that the certificates would have been re-instated within 24 hours, it was only because it was Facebook and Google that they managed to pretty much escape unpunished - I think if it was a SME or a "normal" developer, they would either have been out on their arse or they would have had a month or so to think about their actions, before having their privileges restored.
A better analogy would be a hire car company renting out a fleet of cars, finding out that the company leasing the cars is deliberately using 10% of the cars for couriering drugs, and cancelling the whole contract. You can't cry about being deprived of the 90% of cars that weren't being used illegally.
And yes, they clearly knew this was against the T&C, which is why they didn't submit the app to the app store.
While Apple's action can be appreciated from a privacy and safety perspective,
This has absolutely nothing to do with privacy and safety. It is solely a breech of contract terms, terms to which Facebook and Google agreed to when they signed up for the enterprise development programme..
This is Apple just being consequent and enforcing the contract terms that both companies agreed to.
I am not an Apple user, I don't particularly like the company, but in this situation, revoking their certificates was the only thing that Apple could logically do, and both Facebook and Google knew that before they launched their respective spyware to private individuals who didn't work for Facebook or Google through the enterprise programme - the clue is in the name! If they had made the users employees or possibly contractors, it would probably not have been a problem.
This has absolutely nothing to do with privacy and safety.
I disagree. Facebook and Google's actions made Apple unknowingly complicit to a grievous breach of privacy, a breach for which they could get hit with a massive fine precisely because users trust Apple to check that applications do as they say on the tin, made significantly worse because it targeted minors.
As Apple controls the infrastructure, it holds the direct contract with the customer and so holds the resulting liability (digressing slightly, IMHO the main reason Google created a layer of isolation between itself and the Android eco system by alleging it was "open" - try using it without a Google account). It can pass on the fines to Facebook and Google now (as per contract), but FB & Google put Apple in the firing line of privacy policies at the exact time that Apple is trying to do the right thing.
I can well imagine that Apple is furious.
Note: IANAL, but have to deal a lot with consequential liability - that seems to apply here.
No. This was a programme purely for internal applications within an enterprise. The enterprise can do what it wants (within the law) with the apps distributed internally within the organization.
This was the companies abusing the programme to distribute them to external third parties. Those third parties had agreed to the intrusion by signing up to the app and getting paid for handing over the data.
The problem was that it was a breech of contract for the companies to distribute the apps to non-employees.
That the apps were data slurping sits in second place, but, of course, for news headlines it is much more interesting than a simple breech of contract.
Apple were faced with the possibility that if they made the ban too long, FB and Google would retaliate by doing things to discourage people from buying iPhones, such as reducing functionality of iOS apps. A monopoly wouldn't apply where FB was concerned because there are many independent Android makers each with their own skin. It might apply to Google but by the time it came to court an entire phone refresh cycle would have elapsed and Apple's logo would have a much bigger bite out of it.
Unlikely. Apple shutting Farcebook out would only affect Farcebook's internal systems, not Farcebook users, so any retaliation by Farcebook would be far more damaging to Farcebook. Same with the Googler. Apple can only piss off Farcebook and the Googler, but FB/G actions would piss off millions of Apple eaters, followed very quickly by advertisers sending warnings in the form ofnsmaller checks for denying access to the Apple eaters.
"This has absolutely nothing to do with privacy and safety. It is solely a breech of contract terms"
Both, I think. Firstly, it's likely to have been the reported privacy and safety consequences that got Apple's attention in the first place. Secondly, assuming that new certificates have been issued with the old ones revoked, the distributed apps will remain dead.
"What's missing is a way to enforce clear communication about what apps actually do, like nutrition labels on food. Without that, it's difficult to make an informed choice about which apps to install on either platform."
Actually there's a really easy way to make that choice - if the app is written by Facebook or says it is social media in any way DON'T install.
> Developers of iOS apps have no way to distribute unvetted apps apart
> from releasing app code as open source so other iOS developers can
> build and install such projects on their own gear
That’s not true; if you’re going to get users to build-and-install it themselves i.e. from XCode over USB, the starting point doesn’t have to be source code; it can be compiled object files in a library.
I find it really irritating that Apple won't let me have the two types of app I actually need.
1) network scan - WTF can't I see the mac addresses? Everything else on the network can.
2) Wi-Fi spectrum display - is so bad to see which channels have a nearby access point?
(Cue the android phone with no sim)
“While Apple's action can be appreciated from a privacy and safety perspective, it also underscores the exceptional power the company holds over its hardware and software ecosystem.”
In this complex and dangerous world of lack of security in computing it is good to have this. Security is an inconvenience, but breached security can be a disaster. Modern processors and languages lack security features like bounds checking. Brokered message passing between processes with non-shared memory would be best.
“That presents more danger from malicious code but it also treats mobile users like adults capable of making their own decisions.”
Nothing to do with treating their users as adults, – in fact, quite the reverse. That is just silly emotive language. In the complex world of security, even people with some expertise in security appreciate that it is done for us in the way Apple does it.
If anything it is Google’s ripping off of data, thinking the can do big-data analysis, use AI to control advertising, etc that is treating people contemptuously like idiots.
And Android based on Linux is inherently less secure that Apple’s Unix based on Mach.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
