Facebook tries to sidestep Apple ban to keep capturing data


Uses enterprise cert to sideload disguised version of Onavo Protect.

Facebook might be set for another stoush with Apple after allegedly rebranding the Onavo Protect VPN app, banned by Apple for privacy violations earlier this year, and making it available as a direct download to users.

TechCrunch reported that the social network pays people aged between 13 and 35 up to US$20 a month plus referral bonuses to install a Facebook Research app for iOS or Android directly from its servers.

Apple has strict rules for how developers should distribute apps, and allows direct installation of software from outside its App Store only in limited cases for enterprise developers.

Others must submit their apps to Apple for review before they can be made available via the official App Store.

Guardian Firewall app developer Will Strafach noted that Facebook gets around Apple's App Store requirements with a top-level root enterprise certificate for the app.

This allows installation of the app from outside the App Store, a practice that Strafach said violated Apple's strict policies.

"This is extremely against Apple’s rules. They are defiantly using an enterprise certificate to totally sidestep the App Store," Strafach told iTnews.

"No other company would even dream of doing this."

iTnews was able to download a copy of the app from Facebook's server. 

Decompressing the .ipa package revealed several binary files with "Onavo" strings, indicating that the app is the same VPN program that was banned from Apple's App Store in August last year for violating data collection policies.
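
The kind of inspection described above can be reproduced on any .ipa a reviewer holds. The following is an added example, not iTnews's or Strafach's tooling: it treats the .ipa as a zip archive, lists files containing a marker string, and checks whether the embedded provisioning profile is an enterprise (in-house) one. The function names and the sample archive are assumptions made up for illustration.

```python
import io
import plistlib
import zipfile


def scan_ipa(ipa_bytes, marker=b"onavo"):
    """Return (files containing marker, True if profile is enterprise-style)."""
    hits, enterprise = [], False
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as ipa:
        for info in ipa.infolist():
            if info.is_dir():
                continue
            data = ipa.read(info)
            # Case-insensitive byte search, like `strings | grep -i`.
            if marker.lower() in data.lower():
                hits.append(info.filename)
            if info.filename.endswith("embedded.mobileprovision"):
                enterprise = profile_is_enterprise(data)
    return sorted(hits), enterprise


def profile_is_enterprise(blob):
    """The profile is a CMS-signed blob wrapping an XML plist; cut the plist out."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start < 0 or end < 0:
        return False
    profile = plistlib.loads(blob[start:end + len(b"</plist>")])
    # Enterprise (in-house) profiles set ProvisionsAllDevices instead of
    # listing individual device IDs under ProvisionedDevices.
    return bool(profile.get("ProvisionsAllDevices", False))


def build_sample_ipa():
    """Constructed sample archive; file names and contents are made up."""
    plist = plistlib.dumps({"Name": "Sample", "ProvisionsAllDevices": True})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Sample.app/Sample", b"\x00\x01libOnavoCore\x00")
        z.writestr("Payload/Sample.app/Info.plist", b"<plist/>")
        z.writestr("Payload/Sample.app/embedded.mobileprovision",
                   b"\x30\x82junk" + plist + b"sigbytes")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_ipa(build_sample_ipa()))
```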

The current version of Onavo Protect has been renamed as PowerLogs.app. If it makes full use of Facebook's enterprise certificate, the app could capture a large amount of usage data, including private messages on social networks and encrypted data.

Onavo Protect had been provided within Facebook's main mobile app since 2016 and was used to monitor iOS users' activity until it was banned by Apple.

Despite being kicked out of Apple's App Store, Onavo Protect by Facebook remains available on Google Play.

Facebook declined to comment on its use of the enterprise certificate or how many people have downloaded the Research app, but said the social network had been transparent about the app's purpose.

"Like many companies, we invite people to participate in research that helps us identify things we can be doing better," a Facebook spokesperson told iTnews.

"Since this research is aimed at helping Facebook understand how people use their mobile devices, we've provided extensive information about the type of data we collect and how they can participate.

"We don't share this information with others and people can stop participating at any time."

iTnews has sought comment from Apple.

Copyright © iTnews.com.au. All rights reserved.