Facebook ‘Research’ Study Abused Apple Program to Spy on Teens’ iPhones

Teenagers Using Smartphones And Iphone Credit: Supawadee56 / Shutterstock

Apple has revoked Facebook’s Enterprise Developer Certificates in the wake of reports that the social media firm paid users to sideload spyware onto their devices.

Facebook has apparently been secretly paying young users $20 a month over the last few years to install a “Facebook Research” VPN app that spied on their smartphone activity, according to an investigative report by TechCrunch published yesterday.

The social media giant apparently marketed the app as a “social media research study,” but the app itself was sideloaded on user devices by using an Apple program meant for internal app and beta software distribution. In other words, it was specifically distributed in a way that bypassed the iOS App Store.

Additionally, the “research study” required that users install a custom root certificate — essentially giving Facebook unfettered access to a user’s smartphone activity.

In other words, Facebook had the ability to see a user’s private messages, emails, web searches, and web browsing activity, as well as decrypt any encrypted traffic. The social media giant even asked users to screenshot and submit their Amazon order history.

Facebook used all of this aggressively collected data to “track competitors, assess trends, and plan its product roadmap,” TechCrunch reported.

The Research app appears to be a clear violation of Apple’s developer enterprise certificate policies. Those certificates are meant to grant employers root access to iPhones owned by employees — but they are barred from installing those certificates on consumer-owned devices.

It’s worth noting that the Facebook Research app bears similarities to another platform fielded by the social media juggernaut.

Back in August, Facebook was forced to remove its Project Onavo app because it conflicted with updated App Store policies over VPN data collection. Facebook never shut down its Research app, however, and TechCrunch’s investigation found that both platforms featured strikingly similar code.

As TechCrunch puts it, Facebook was “purposefully disobeying the spirit of Apple’s 2018 privacy policy change while also abusing the Enterprise Certificate program.”

In the wake of TechCrunch’s report, Apple has taken the steps of banning the Research app and revoking Facebook’s developer certificates, snarling the company’s ability to run internal applications.

Apple told Recode that the Facebook Research app was a “clear breach of their agreement” with the Cupertino tech giant. The firm revoked Facebook’s distribution certificates to “protect our users and their data.”

And according to The Verge, Apple’s move is causing major issues at Facebook. All of the company’s legitimate internal applications are no longer working, apparently disrupting the daily workflow at the company.

It’s not a good look for Facebook, which is still reeling from a series of major data breaches and privacy scandals. It’s also a clear escalation of the bickering between Apple and Facebook over their differing privacy stances.

In a statement to The Verge, Facebook said it would shut down the Research app on iOS but would keep it on Android. Facebook’s primary consumer-facing apps remain available on all platforms.
