For the past three years, Facebook has paid users as young as 13 to install an app called Facebook Research, which gives the company extensive access to their mobile devices, according to a TechCrunch investigation published on Tuesday. To let people with iPhones participate, Facebook sidestepped the strict privacy rules Apple enforces in its App Store by distributing the app through an enterprise program meant for internal-use software. Apple quickly announced that it was revoking Facebook's access to its Developer Enterprise program, which the company also used to distribute custom iOS apps to its own employees. Apple's decision reportedly caused chaos inside the social network, leaving employees unable to open the apps they use for their jobs.
As Facebook deals with the fallout from yet another privacy scandal, it is worth unpacking how its Research app works, especially since it serves as a useful reminder about other apps you may already be using, particularly virtual private networks. It wasn't just Facebook, either: Google disabled a similar app on iOS devices on Wednesday. Both apps remain available on Android.
Facebook reportedly paid users between $13 and $35 a month to download the app, recruiting them through beta-testing services such as Applause, BetaBound and uTest. Participants learned about the program through those services, according to TechCrunch. Minors had to obtain their parents' consent. Once approved, participants downloaded the app through a browser rather than from the Google Play Store or the Apple App Store.
Apple normally doesn't let app developers bypass the App Store, but its enterprise program is one exception. It allows companies to build custom apps that aren't publicly downloadable, such as an iPad app used to sign visitors in at a corporate office. Facebook, however, used the program to distribute a consumer research app, which Apple says violates its terms. "Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple," a spokesperson said. "Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data." Facebook did not respond to a request for comment.
Facebook needed to bypass Apple's usual policy because its Research app is particularly invasive. First, users have to install what is known as a "root certificate." This lets Facebook see a large portion of their browsing history and other network data, even when it is encrypted. The certificate works like a shape-shifting passport: Facebook can pretend to be just about anyone it wants. If you visit a clothing retailer's site, for example, Facebook can use the root certificate to impersonate the store and see the pants you are looking at. "You're allowing Facebook to pretend to be whoever they want on the Internet – your device will trust the certificates they generate," says David Choffnes, a professor at Northeastern University and a mobile networking researcher.
Facebook could not use its root certificate against every website or app, because some companies, such as banks, defend against this kind of interception with a technique called "certificate pinning." A pinned app accepts no certificate but the one it expects, so it knows not to trust an impostor like Facebook, even one the device has been told to trust. "This attack doesn't work for everything, but a large share of applications are still vulnerable, because this isn't a standard threat model," says Choffnes.
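The pinning defence described above, as an added example that is not part of the original article or any app it names: a Go callback for `tls.Config.VerifyPeerCertificate` that accepts a server's leaf certificate only if the SHA-256 of its public key matches a pinned value, so a forged certificate issued by a user-installed root CA fails even though the device trusts that root. The host name and both certificates are constructed in-memory test data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// spkiPin hashes the leaf's SubjectPublicKeyInfo, the pin format used by HPKP and mobile pinning libraries.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinnedVerifier returns a tls.Config.VerifyPeerCertificate callback: the leaf passes only if its
// SPKI hash is in pins, so a forgery chained to a user-installed root CA is still rejected.
func pinnedVerifier(pins []string) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return fmt.Errorf("no peer certificate presented")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0]) // rawCerts[0] is the server's own certificate
		if err != nil {
			return err
		}
		for _, p := range pins {
			if p == spkiPin(leaf) {
				return nil
			}
		}
		return fmt.Errorf("certificate pin mismatch for %v", leaf.DNSNames)
	}
}

// selfSignedDER mints a throwaway certificate for host with a fresh key (constructed test data,
// standing in for either the real site's certificate or an interceptor's forgery of it).
func selfSignedDER(host string) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return der
}
```

Install the callback in a `tls.Config` with `InsecureSkipVerify` left false, so the pin check runs in addition to, not instead of, normal chain validation.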
Facebook's app also installed a virtual private network connection, which means it routed all of a participant's traffic through Facebook's servers before sending it on to its destination. That is essentially what every VPN does: they route your traffic through their own servers, which lets you hide things like your location, perhaps to use Gmail in China or to watch streaming shows that aren't available where you live. VPNs usually cannot see your encrypted traffic, however, because they don't hold the right certificate. They can still see your unencrypted traffic, which can be a problem, but most web traffic today travels over encrypted HTTPS connections. Because Facebook had also installed its root certificate, it could decrypt the browsing history and other network traffic of people who downloaded Research, possibly even their encrypted messages.
To use a nondigital analogy, Facebook not only intercepted every letter sent and received, but also opened and read them. All for $20 a month!
With its VPN connection and root certificate, Facebook was able to collect extensive data from participants, including their browsing history, which apps they used and for how long, and the messages they sent. Facebook also asked some people to take screenshots of their Amazon order page, according to TechCrunch, suggesting the social network may be interested in consumers' buying habits. But unless Facebook discloses what it was trying to learn from Research, it is impossible to know exactly what the app might have gathered.
"The ability to know what they actually did with it is a much bigger issue," says Mike Murray, chief security officer at the mobile security company Lookout. "Because everything happens on the back end, you can't really tell what they did."
Facebook has used a similar app before to learn more about its competitors. In 2013, the social network acquired Onavo, an Israeli VPN maker, which it reportedly used to spot popular new apps to either copy or buy. It used Onavo, for example, to track WhatsApp, which Facebook bought in 2014. Last year Facebook began advertising Onavo inside its iOS app under the banner "Protect," but later pulled it from the App Store after Apple said it violated its new data-sharing rules, according to the Wall Street Journal.
Facebook is not the only company hungry to know what consumers are doing on their phones. Google used Apple's enterprise program to distribute an app called Screenwise Meter, which also works as a VPN. In exchange for letting the technology giant collect and analyze their network traffic, Google gives participants gift cards for various retailers. It is part of a broader Google consumer-behavior program in which participants can install tracking software on their router, laptop browser and television. The difference is that Google does not require users to install a root certificate, which means it cannot see encrypted traffic. Google nonetheless also failed to comply with Apple's terms, and has now disabled the iOS version of Screenwise.
"The Screenwise Meter iOS app should not have operated under Apple's developer enterprise program – this was a mistake, and we apologize," a Google representative said in a statement. "We have disabled this app on iOS devices. We have always been upfront with users about how we use their data in this app, we have no access to encrypted data in apps and on devices, and users can opt out of the program at any time."
While Facebook's app is particularly invasive, many other companies, such as the data giant Nielsen, also pay or reward users in exchange for information about what they do online. In every case, people download these apps and join these programs voluntarily, though they don't always understand the full extent of the access they are granting, especially if they aren't yet 18.
Even if you don't plan to make money by selling your data, Facebook's latest privacy scandal is a good reminder to be cautious about mobile apps that aren't available in the official app stores. It is easy to forget how much information they can collect, or to accidentally install a malicious version of Fortune, for instance. VPNs can be a great privacy tool, but many free ones make their money by selling users' data. Before you download anything, especially an app that promises to earn you extra cash, it is always worth weighing the risks.