For the past three years, Facebook has paid consumers as young as 13 to download a “Facebook Research” application that gives the company wide-ranging access to their mobile devices, according to a TechCrunch investigation published Tuesday. In order to allow people with iPhones to participate, Facebook sidestepped the strict privacy rules imposed by Apple in its App Store by taking advantage of a business applications program designed for internal company use. Apple soon announced it was revoking Facebook’s access to its Developer Enterprise Program, which also allowed the company to share custom iOS apps with its own employees. Apple’s decision is reportedly wreaking havoc at the social network, rendering workers unable to access the apps they use for their jobs.
As Facebook deals with the fallout from yet another privacy scandal, it’s worth unpacking how its Research app worked—especially because it serves as a good reminder for other apps you might already be using, particularly virtual private networks. It wasn’t just Facebook: Google also disabled a similar app on iOS devices on Wednesday. Both apps are still available on Android.
Facebook reportedly paid users between the ages of 13 and 35 $20 a month to download the app through beta-testing companies like Applause, BetaBound, and uTest. Participants found out about the opportunity via Snapchat and Instagram advertisements, according to TechCrunch. Minors were required to get consent from their parents. Once approved, participants downloaded the app via their browser—not through the Google Play Store or the Apple App Store.
Apple typically doesn’t allow app developers to go around the App Store, but its enterprise program is one exception. It’s what allows companies to create custom apps not meant to be downloaded publicly, like an iPad app for signing guests into a corporate office. But Facebook used this program for a consumer research app, which Apple says violates its rules. “Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple,” a spokesperson said in a statement. “Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.” Facebook didn’t respond to a request for comment.
Facebook needed to bypass Apple’s usual policies because its Research app is particularly invasive. First, it requires users to install what is known as a “root certificate.” This lets Facebook look at much of your browsing history and other network data, even if it’s encrypted. The certificate is like a shape-shifting passport—with it, Facebook can pretend to be almost anyone it wants. If you visit the website for a clothing retailer, for instance, Facebook can use the root certificate to pretend to be the store and see the pants you were looking to buy. “You allow Facebook to pretend to be anyone they want to be on the internet—your device will trust the certificates they generate,” says David Choffnes, a professor and mobile networking researcher at Northeastern University.
Facebook couldn’t use its root certificate for every website or application, since some companies, like banks, protect hackers from using them for man-in-the-middle attacks using a technique called “certificate pinning.” The bank or other company essentially decides that it won’t accept any certificate but its own—it knows not to take phonies like Facebook’s. “This attack doesn’t work on everything, but there’s still a large fraction of apps that are vulnerable because it’s not a standard threat model,” says Choffnes.
“You allow Facebook to pretend to be anyone they want to be on the internet—your device will trust the certificates they generate.”
David Choffnes, Northeastern University
Facebook’s app also established an on-demand private network connection, meaning it routed all of the participants’ traffic through its own servers before passing it along to its final destination. This is essentially what all VPNs do—they disguise traffic by rerouting it, allowing you to hide things like your location, perhaps to use Gmail in China or access streaming shows not available where you live. But VPNs typically can’t see your encrypted traffic, since they don’t have the right certificate. They can still look at your unencrypted traffic, which can be an issue, but the vast majority of internet traffic today happens over encrypted HTTPS connections. But with its root certificate installed, Facebook could decrypt the browsing history or other network traffic of the people who downloaded Research, possibly even their encrypted messages.
To use a nondigital analogy, Facebook not only intercepted every letter participants sent and received, it also had the ability to open and read them. All for $20 a month!
Using its VPN connection and root certificate, Facebook had the ability to gather extensive data from participants, including their browsing history, what apps they used and for how long, as well as the messages they sent. Facebook also requested some people screenshot their Amazon orders page, according to TechCrunch, suggesting the social network may have had an interest in consumer purchasing habits. But unless Facebook discloses what it sought to learn from Research, there’s no way to know exactly what the app might have been collecting.
“Capability versus actual things they did is a much bigger question,” says Mike Murray, the chief security officer of the mobile security firm Lookout. “Because that all happens on the backend, you can’t really tell what they did.”
In the past, Facebook has used a similar app to learn more about its rivals. In 2013, the social network acquired Onavo, an Israeli VPN maker, which it reportedly used to research popular emerging apps in order to either copy or buy them. It used Onavo to look into WhatsApp, for instance, which Facebook later acquired in 2014. Last year, Facebook began promoting Onavo in its iOS app under the banner “Protect,” but it later pulled the app from the App Store after Apple said it violated its new data-sharing policies, according to The Wall Street Journal.
Facebook isn’t the only company hungry for data on what consumers are doing on their phones. Google used Apple’s enterprise program to distribute an app called Screenwise Meter, which also acts like a VPN. In exchange for letting the tech giant collect and analyze their network traffic, Google provides participants with gift cards to various retailers. It’s part of a wider Google consumer behavior program where participants can install tracking software on their router, laptop browser, and television. The difference is that the Google app doesn’t require users to install a root certificate—meaning they can’t look at encrypted traffic. Still, Google wasn’t complying with Apple’s rules either, and it has now disabled the iOS version of Screenwise.
“The Screenwise Meter iOS app should not have operated under Apple’s developer enterprise program—this was a mistake, and we apologize,” a Google spokesperson said in a statement. “We have disabled this app on iOS devices. This app is completely voluntary and always has been. We’ve been upfront with users about the way we use their data in this app, we have no access to encrypted data in apps and on devices, and users can opt out of the program at any time.”
While Facebook’s app is particularly invasive, a number of other companies also pay or reward users in exchange for information about what they do online, like the data giant Nielsen. In every case, people voluntarily download these apps and programs, though they may not always understand the full extent of the access they are granting—especially if they’re not even 18.
Even if you don’t plan to make money by selling your data, Facebook’s latest privacy scandal is a good reminder to be wary of mobile apps that aren’t available for download in official app stores. It’s easy to overlook how much of your information might be collected, or to accidentally install a malicious version of Fortnite, for instance. VPNs can be great privacy tools, but many free ones sell their users’ data in order to make money. Before downloading anything, especially an app that promises to earn you some extra cash, it’s always worth taking another look at the risks involved.