Earlier this week, Facebook got caught with its hands in the cookie jar when it was discovered that the company had been inappropriately using an Apple Enterprise Developer Certificate to distribute a market research app to users, including teens, allowing it to collect a wealth of data from users who chose to opt into the program in exchange for a $20 monthly payment.
Now, on the heels of Facebook’s latest scandal, it also appears that Google has been doing pretty much the same thing — and for much longer. According to another report by TechCrunch, which first discovered Facebook’s malfeasance, Google has been running its own “research study” app called Screenwise Meter, also distributed using an Enterprise Certificate. The only major difference seems to be that Google is limiting the app to adults, except in cases where teens are “part of a family group,” which requires the primary user to be an adult parent or guardian.
Leaving aside the invasive nature of both of apps in question, Facebook and Google’s use of Apple’s Enterprise Developer certificates and their expanded capabilities to distribute the app to participants in these research studies is a flagrant violation of Apple’s developer policies; the Developer Enterprise Program is intended solely to allow organizations to “distribute proprietary apps to employees within [their] organization.”
Specifically, Apple’s license agreement for Enterprise Developers prohibits use of applications released under the program by customers or any other third parties, except on the company’s own physical premises and under the “direct supervision and physical control” of a “permitted user” such as an employee or a contractor who has specifically signed a written and binding agreement. While Facebook might be able to make a weak case that the $20 monthly payment gave participants the status of contractors, they would still have been violating the agreement by allowing the apps to be used outside of Facebook’s offices (the only exceptions Apple allows to the physical premises requirement are for car manufacturers and their dealerships, and hotel holding companies and their hotel properties).
Not surprisingly, Apple almost immediately revoked Facebook’s Enterprise Developer Certificates following the discovery of what Facebook was been doing with its Research app, which also wreaked havoc on Facebook’s internal operations, as this also rendered all of the company’s legitimate Enterprise iOS apps inoperable, including the under-development versions of its consumer-facing apps, since they’re signed with the same certificate and distributed under the same program.
So needless to say, it’s not particularly surprising that Google quickly came forward with its hat in hand, admitting that it made a mistake, voluntarily removing Screenwise Meter, and issuing an abject apology, clearly hoping to avoid Apple’s wrath that could result in its own Enterprise Developer certificates being revoked — and the huge impact that would naturally have on Google’s much larger collection of internal iOS apps.
“The Screenwise Meter iOS app should not have operated under Apple’s developer enterprise program — this was a mistake, and we apologize. We have disabled this app on iOS devices. This app is completely voluntary and always has been. We’ve been upfront with users about the way we use their data in this app, we have no access to encrypted data in apps and on devices, and users can opt out of the program at any time.”
Google, in a statement to TechCrunch
According to TechCrunch, the Screenwise app has actually been around since 2012, promising gift cards in exchange for side loading an Enteprise VPN app that reroutes all traffic through Google’s servers so that traffic and data can be monitored. It’s actually part of a larger program, Google’s Opinion Rewards, that encourages users to install tracking systems on all of their devices, from mobile phones to routers and smart TVs, even offering participants a special router that will report all internet activity back to Google. The program itself is of course still active; Google has simply pulled its iOS component to avoid running afoul of Apple’s policies.
It’s worth noting as well that Google seems to be more transparent than Facebook was about the details of its research data collection programs, even allowing users a “guest mode” option so that users can opt-out when they don’t want their traffic monitored. However, the issue at hand isn’t so much about the privacy issues — which are still significant due to the invasive amount of monitoring that takes place, consent or not — but rather the fact that both companies wilfully misused the privileges that Apple grants to members of its Developer Enterprise Program to access data on iPhones and iPads that should not have otherwise been available to third party developers — data that Apple itself doesn’t even normally have access to.
While it may be a bit surprising that Google’s Screenwise app managed to fly under Apple’s radar for so long, it’s important to keep in mind that Enterprise apps don’t go through any kind of vetting procedure by Apple. In fact, since they’re only intended for internal use by companies, Apple doesn’t necessarily even see these apps. It’s reasonable to assume that Apple expected it could trust two of the largest companies in the world to abide by the terms of their developer agreements.