A TechCrunch report revealed that Facebook has been using an Apple-issued enterprise certificate to circumvent its official app store and distribute internal, employee-specific apps to outside individuals, even though the certificate is only meant for official company use under its Developer Enterprise Program.
The app was named "Research." Facebook allegedly paid individuals up to $20 to install the program, which enabled the social media giant to access sensitive user data. Google aped this exact maneuver using an app called Screenwise instead.
Will Strafach, a security expert, said: "If Facebook makes full use of the level of access they are given by asking users to install the certificate, they will have the ability to continuously collect the following types of data: private messages in social media apps, chats from instant messaging apps - including photos/videos sent to others, emails, web searches, web browsing activity, and even ongoing location information by tapping into the feeds of any location tracking apps you may have installed."
More than 35,000 employees at Facebook and 94,000 Google employees may have been affected by the data privacy lapse. Given the sensitivity of the aforementioned information - private messages, digital media, and personal web searches - the misuse has major implications not only for tension among the tech behemoths, but also for data protection and the integrity of digital media.
Apple doesn't normally grant app makers the authorization to bypass the centralized app store, but in this case, since the apps in question were created within the Enterprise Developer Program, they weren't vetted as they would normally be.
"We designed our Enterprise Developer Program solely for the internal distribution of apps within an organization," Apple said in a statement. "Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data."
Facebook issued a statement saying, "There was nothing 'secret' about this. It wasn't 'spying' as all of the people who signed up to participate went through a clear on-boarding process asking for their permission and were paid to participate."
Some analysts believe that the intent is relatively benign and par for the course in Facebook's industry: "The information collected is the same information any marketer wants to know," said Jeremiah Owyang of Kaleido Insights. "How people use their apps, where else they go on their phones. That's not a bad thing. They want to understand how we interact beyond Facebook and how we interact with other chat programs."
Apple temporarily closed access to its certification. Facebook is attempting to renegotiate the terms of the enterprise certificates to retain the apps on employee devices. Some speculate that Apple may completely remove Facebook-owned apps from its centralized store.