27 votes

Facebook VPN, Onavo, is back on iOS—signed using Facebook's Enterprise Certificate to circumvent App Store review

@chronic:
disgraced Facebook VPN, Onavo, is back on iOS - signed using Facebook's Enterprise Certificate to circumvent App Store review! https://t.co/Ixa4tlNeGO

3 comments

  1. [2]
    Deimos

    I think linking to the tweets might be underselling the story a bit, make sure you read the article on TechCrunch that he's linking to. The author of the tweets was the one that did the in-depth analysis of the app for the article, so the tweets are definitely relevant and add information, but "Onavo is back on iOS" is definitely not the main thing to be concerned about here.

    This is completely insane—Facebook is abusing the Apple Developer Enterprise Program, which is explicitly only for companies to build internal apps for their employees to use, and using that to distribute an app that's specifically been banned from the app store. It also installs a new root certificate on the phone, which will allow Facebook to snoop on almost all network traffic on the phone. And they're paying people (including targeting teenagers) to install this, under the guise of a "social media research study". It's extremely unlikely that the people joining the study actually understand that they're basically giving Facebook full access to everything they do on their phone.

    24 votes
    1. Gaywallet

      It's extremely unlikely that the people joining the study actually understand that they're basically giving Facebook full access to everything they do on their phone.

      The biggest problem, I think, is that your general public isn't educated enough in either direction.

      So they sign up for things like this, because "free" money, and then inevitably someone who does understand what's going on comes around and releases a report, or someone hacks the data, and there's a huge news cycle about just what was actually being collected.

      So the American public looks to their representatives to do something about it. The problem is, they're far too ignorant of tech to understand what's going on, let alone catch these kinds of things before they happen.

      But the representatives need to do something, and big tech companies both know and want to exploit this. So they lobby congress to pass legislation that benefits them and allows them to more secretly do behavior like this. They sneak in net neutrality because they know the congressmen can't see it. They sneak in back doors and laws that allow spying because they know the congressmen can't see it.

      So in the end the consumer ends up getting fucked by their own congressmen's lack of education and understanding of tech.

      The most frustrating part about all of this, is that it's easily fixed by hiring people who know what the hell is going on to work on writing legislation for congress. It would be cheap to fix. But congress doesn't want to give up the power, and why would they need more people when they have lobbyists? 😩

      6 votes
  2. JuniperMonkeys

    At the risk of sounding "hot takey", it's gonna be really depressing to see how little comes of this. Willfully abusing the enterprise program seems like grounds to remove Facebook's stuff from the App Store, but when push comes to shove I think it's Apple that needs Facebook, not the other way 'round. My assumption is that Apple does a "what they did is bad, very bad, and they have promised not to do it again, and this time they probably mean it" in the next few days. Unless they decide it's a good opportunity to make a big fuss and direct press attention away from the FaceTime bug, I guess.

    6 votes