Facebook was found to have deployed apps to track user data and usage on iOS and Android, using a VPN app called “Facebook Research.” As TechCrunch reports, this app, which paid teenagers up to $20 a month to be surveilled, had root access to network traffic, allowing it to track all of the users’ activity. The app could collect private messages, emails, web browsing history, search history, and more as part of what Facebook calls Project Atlas, which was created with the goal of learning about new trends.
This app wasn’t available on the iOS App Store, however; it used a system called the Apple Developer Enterprise Program, which allows companies and developers to deploy apps privately. Users would download a profile to their devices that would allow the app to be installed. This is not uncommon, as many companies create apps for internal use and don’t want to distribute them on the App Store. But in order to function on iOS devices, these apps still need to be signed with a developer certificate, which in this case was Facebook’s internal enterprise certificate.
When Apple discovered what Facebook had done, which is a clear violation of Apple’s developer account rules, Apple cancelled that certificate, effectively triggering a kill switch to shut down the app. (Apple’s iOS devices check whether an app developer’s certificate has been revoked, and if it has, the app will no longer run.)
Read the rest of the article on The Mac Security Blog.