Apple Shut Down All of Facebook's Internal Apps When Revoking Enterprise Certificate [Update: Fixed]
Facebook is no longer able to use or distribute important internal iOS apps after Apple disabled the Enterprise Certificate Facebook was abusing to surreptitiously gather data from iOS users right under Apple's nose.
Since 2016, Facebook has been paying teens and adults $20 per month to install a data gathering "Facebook Research" app that harvested all kinds of sensitive details from participants.
Apple had already banned Facebook's attempts to gather data through the Onavo VPN app, so Facebook used its enterprise certificate - provided to companies to install and manage internal apps for employees - to get participants to sideload the Facebook Research app, bypassing the App Store and Apple's oversight.
Facebook yesterday said that it was not violating Apple's enterprise rules, but as it turns out, Facebook was wrong. Apple this morning revoked Facebook's enterprise and said the social network had clearly violated the Enterprise Developer Program.
We designed our Enterprise Developer Program solely for the internal distribution of apps within an organization. Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.
Facebook's revoked certificate wasn't just used for the Facebook Research app. According to The Verge, Facebook needed that certificate to run all of its internal apps, and with access revoked, none of those apps are working.
That means Facebook isn't able to distribute internal iOS apps like Facebook, Instagram, and Messenger for testing purposes, and internal employee apps for purposes like food and transportation are nonfunctional.
All of the apps that used the certificate "simply don't launch on employees' phones anymore," and Facebook is said to be treating the issue as a critical problem internally.
After the certificate was revoked, Facebook this morning said that it would shut down its Facebook Research app, though the company defended it and claimed that those who participated went through a "clear on-boarding process." The Facebook Research app for Android continues to be available.
Facebook is not going to be able to properly operate and distribute iOS apps on a wide scale basis without access to its certificate, so it's not clear how this situation will play out. Apple's tools are essential for internal apps, though Facebook will likely still be able to use alternatives like TestFlight if the certificate isn't reinstated.
Apple CEO Tim Cook has been highly critical of Facebook's lack of respect for user privacy in the past, and the two companies have had a dispute over the Onavo app, but this is the first time that Apple has directly punished Facebook and shut down one of its illicit activities.
Update: Facebook says it is "working closely" with Apple to reinstate access to internal apps. Employees, meanwhile, are said to be angry and unable to do their work without the apps.
Update 2: In a statement to The New York Times, Facebook says that Apple has restored its Enterprise Certificate. "We have had our Enterprise Certification, which enables our internal employee applications, restored. We are in the process of getting our internal apps up and running. To be clear, this didn’t have an impact on our consumer-facing services."