It seems it’s not just Facebook that was breaking Apple’s Enterprise Development rules. Google too has been weighed and measured by its Cupertino-based counterpart and found wanting. Apparently it was also misusing certificates issued for internal apps, using them to sign apps that consumers can download. Apple has responded to this violation by revoking Google’s certificates.
Yesterday we reported that Facebook was caught “tricking” teenagers by secretly paying them $20 to install a VPN app that had root access to their devices. The app didn’t just provide a VPN; it allowed Facebook to scan the device on which it was installed to see things like installed apps, the sites the device was visiting and basically everything else.
Apple has what it calls the Apple Developer Enterprise Program. Under the program, large enterprises and organisations, for example government branches, get special certificates that allow them to host and deploy their own apps that aren’t subject to the stringent App Store rules. These apps can have root access to allow administrators to control every aspect of, say, enterprise-issued phones.
Apple revoked Facebook’s certificates when the company used this internal certificate to sign its spy VPN app, although the two have since patched things up. Google’s violations were, in my opinion, less egregious: it was using its certificates for some customer-facing apps such as Screenwise Meter. Technically speaking, Screenwise is not an internal app per se, as anyone can install it.
However, since the app was in the Apple Store, it meant that if someone had installed it, Google would gain root access to that device and be able to collect the same data that Facebook could. That’s against Apple’s very protective rules. Apple has thus practically neutered Google’s apps by revoking this certificate too.
— Sarah Frier (@sarahfrier) January 31, 2019
Normal iOS users should not really be affected by this move, as only pre-beta release apps and apps used within Google will stop working. Normal consumer-facing apps are signed using different certificates, which are subject to Store rules. As with Facebook, expect this matter to come to a swift close as Google and Apple make up.