Apple yoinks enterprise certs from Facebook, Google, killing internal apps, to show its power

Analysis After briefly punishing Facebook and Google for violating the rules of its enterprise developer program, Apple has relented. Cupertino is in the process of restoring the digital certificates used by Facebook and Google to sign and distribute in-house iOS apps internally to employees, after revoking them within the past 24 hours.

The iPhone maker invalidated Facebook's enterprise app certificate earlier this week after the ad biz admitted using using Apple's enterprise program to bypass the consumer app approval process of its public App Store, and distribute its data-harvesting Facebook Research app directly to teens and adults. The enterprise program allows companies to digitally sign their own custom iOS and macOS apps, and hand them to employees for internal use and development.

Had Facebook chosen to submit its "research" app for distribution to netizens through the iOS App Store, it's likely Apple's reviewers would have rejected it for violating privacy guidelines. Apple previously asked Facebook to remove its data collecting Onavo VPN app from the iOS App Store. Facebook Research is said to be essentially the same code under a different name. It logs pretty much everything you do online, passing it back to the antisocial media giant to analyze and mine, and rewards its surveillance guinea pigs $20 in vouchers a month for giving up their privacy. Facebook signed it using its enterprise cert to allow it to be installed on users' handhelds.

Shortly after excommunicating Facebook's internal iOS apps, by canceling the certificate, Apple did the same to Google, which confessed and apologized for using its iOS enterprise certificate to distribute its own data-snarfing app called Screenwise Meter.

The brief ban is said to have been disruptive for both Facebook and Google, disabling internal apps used by employees and preventing builds of internal apps that all relied on the now-revoked signing certificates.

Facebook now says all's well. "We have had our Enterprise Certification, which enables our internal employee applications, restored," a company spokesperson said in an email to The Register. "We are in the process of getting our internal apps up and running. To be clear, this didn’t have an impact on our consumer-facing services."

Apple is said to be in the process of doing the same for Google.

The Register asked Google for comment, and we've not heard back.

While Apple's action can be appreciated from a privacy and safety perspective, it also underscores the exceptional power the company holds over its hardware and software ecosystem.

Developers of iOS apps have no way to distribute unvetted apps apart from releasing app code as open source so other iOS developers can build and install such projects on their own gear. And Apple has made clear, enterprise distribution has limits.

Outside of Apple's TestFlight service for limited distribution of beta code, the one public distribution option available to iOS developers, the iOS App Store, requires Apple approval, which isn't necessarily reasonable.

The Android ecosystem is different. Users of Android devices can side-load apps from outside the Google Play Store or other Android like the Amazon App Store or GetJar. That presents more danger from malicious code but it also treats mobile users like adults capable of making their own decisions.

What's missing is a way to enforce clear communication about what apps actually do, like nutrition labels on food. Without that, it's difficult to make an informed choice about which apps to install on either platform. ®