Why did Apple revoke Facebook's enterprise distribution certificates?

From what we know, Apple has revoked Facebook’s enterprise distribution certificates for internal use iOS apps last Wednesday. 

The impact of Apple’s decision was significant: Facebook employees could not launch internal use apps anymore. This included calendaring, campus maps, and transportation apps for the Apple iPhone, as well as internal communication tools. Also, the internal beta testing process came to a halt, with Facebook employees no longer being able to launch yet unreleased versions of Facebook’s consumer apps like Facebook, Instagram or Messenger.

Why did Apple do this to Facebook? Tammy Levine, an Apple spokeswoman, has explained the move to The New York Times:

Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.
— Tammy Levine, an Apple spokeswomen to The New York Times

While most iOS apps are distributed through the Apple App Store, Apple allows distribution outside the Apple App Store through the Apple Developer Enterprise Program. Organizations which subscribe to this program can obtain distribution certificates from Apple to distribute internal use iOS apps to their own employees. The key phrase here is „to their own employees“…

The Apple Developer Enterprise Program lets you distribute your in-house apps to your own employees

The Apple Developer Enterprise Program lets you distribute your in-house apps to your own employees

What one of Facebook’s business units apparently did: they have used the certificates obtained via the Apple Developer Enterprise Program to distribute their app called the Facebook Research App to non-employees. A clear violation of the intended purpose of the program, as well as Facebook’s agreement with Apple as stated by Tammy Levine. 

The fact that the Facebook Research app was very aggressively collecting highly sensitive personal data was most certainly not helping the case. Based on technology from Onavo, a company Facebook had acquired in October 2013, the app’s purpose was apparently to decrypt and log the Internet traffic of its users, so Facebook could analyze those users’ behavior. To be fair, Facebook had been open about this and was actually paying 20 USD per month to volunteers between the ages 13 and 35 willing to become Facebook’s research subjects.

What happened next was that Facebook announced that the Facebook Research app will no longer be available to Apple iPhone users (the program continues for Android users), and seems to have been able to request new enterprise distribution certificates on Thursday.

The Schindler Group uses incapptic Connect to retain full control of their enterprise distribution certificates.

Case closed? Well almost. A lot of organizations like our customers CLAAS or Schindler are in the process of leveraging internal use iOS apps to digitize their business processes. At some point, they might have been wondering if these are exposing themselves to a risk of a serious business process disruption due to Apple deciding to revoke their certificates for some odd reason.

While last week has shown that this risk is real, Apple’s decision was far from arbitrary and quite easily avoidable.

Organizations leveraging the Apple platforms to advance their processes should understand the rules, carefully monitor their internal use iOS app portfolio across all business units, and control access to the enterprise distribution certificates. This has been true since the dawn of the Apple Developer Enterprise Program and was actually one of the driving forces which led to the inception of the very first release of incapptic Connect.

But this is a different story for another time…

Nomasis und incapptic Connect vereinbaren strategische Partnerschaft

Ausbau des Angebots um Lösung für vereinfachtes App Release Management

Nomasis, Anbieter von sicheren Lösungen und Services für den geschäftlichen Einsatz von Smartphones und Tablets, und das Berliner Software-Haus Incapptic Connect gehen eine strategische Vertriebspartnerschaft ein. Dabei wird Nomasis als dedizierter Vertriebspartner und in enger Zusammenarbeit mit Incapptic Connect den Schweizer Markt für die gleichnamige Lösung für vereinfachtes App Release Management auf- und ausbauen. Incapptic Connect als Pionier bei der Optimierung von App Release Management und App Signing ermöglicht Unternehmen nicht nur massive zeitliche Einsparungen bei der Veröffentlichung von neuen Versionen firmeneigener Apps. Die Software erlaubt es insbesondere, viel häufiger als bisher Bugfixes und neue App- Funktionalitäten bereitzustellen“, sagt Philipp Klomp, CEO von Nomasis.

Für Dr. Rafael Kobylinski, CEO von Incapptic Connect, bedeutet die Partnerschaft einen wichtigen Meilenstein in der strategischen Entwicklung seines Unternehmens: „Wir sehen in der Schweiz mit ihren vielen grossen, international tätigen Unternehmen ein enormes Marktpotenzial, sind doch gerade auch viele Schweizer Unternehmen in Sachen firmeneigener und geschäftskritischer Apps sehr innovativ.“ Mit Incapptic Connect könnten Nomasis-Kunden den heute von den meisten Unternehmen noch händisch ausgeführten App-Signing-Prozess automatisieren, Medienbrüche vermeiden und den Ablauf massiv beschleunigen. „Nomasis als Spezialist für Mobile Application Management ist deshalb für uns der richtige Partner mit der entsprechenden Erfahrung und Glaubwürdigkeit für die Bearbeitung des Schweizer Marktes.“

 

incapptic Connect

Fehleranfällige Handarbeit und frustrierende Kommunikationsschleifen – bisher brauchen grosse Unternehmen mehrere Tage, um eine neue App-Version zu veröffentlichen. Mit Incapptic Connect kann das in Sekunden gehen: Die Software vereinfacht den Datenaustausch mit externen Entwicklern, signiert automatisch mit dem digitalen Unternehmensschüssel und ist kompatibel mit den gängigen App-Verteilsystemen wie etwas MobileIron, Apple App Store und Google Play. Mit der Lösung werden Grossunternehmen so schnell wie Startups beim Veröffentlichen neuer App-Versionen.

 

Über Nomasis AG
Medien- und Öffentlichkeitsarbeit:

Häfliger Media Consulting – Markus Häfliger Hirslanderstrasse 51 – 8032 Zürich
Tel.: +41 44 422 66 00 haefliger@haefligermediaconsulting.com www.haefligermediaconsulting.com
Als Pionier und Marktführer in der Umsetzung von mobilen IT-Infrastrukturen betreut Nomasis über 200 aktive Kunden aus der Finanzbranche, den öffentlichen Diensten, Regierung und Bildung. Seit der Firmengründung im Jahre 2004, hat sich das Unternehmen konsequent auf die Informationssicherheit vom mobilen Mitarbeiter spezialisiert und bringt geschäftsrelevante Daten sicher und einfach auf mobile Geräte wie Smartphones, Tablets und Laptops.

incapptic Connect @ IDC Enterprise Mobility Conference 2017

incapptic Connect will attend the IDC Enterprise Mobility Conference on June 22, 2017 in Frankfurt!

IDC Enterprise Mobility Conference 2017 will teach you how to use the appropriate mobility strategy to decisively influence the success of your company. Look forward to a directional conference with exciting lectures, interactive workshops, stimulating discussions and the opportunity to expand your own network. Incapptic Connect is happy to attend this conference as a partner!

The following topics are planned (subject to change):

Enterprise Mobility as a key factor in digital transformation
Mobility permeates the specialist areas: new use cases beyond the office IT
Wearables, Augmented and Virtual Reality as innovation drivers: Use Cases for Companies
Rapid Mobile App Development: Threat or Opportunity?
Implications of the EU General Data Protection Regulation (GDPR)
How do companies find the right balance between productivity and security?
Security with and in the cloud, but how?
From Mobile Laissez Faire to Mobile Security First
BYOD, CYOD and their influence on business processes
From Enterprise Mobility Management to Unified Workspace Management to IoT?

 

Don't miss the chance to meet our team!

Want to know more about App Release Management and Deployment Automation?
Dr. Thiemo Scherle, our Chief Customer Officer, and Marita Fabeck, Customer Development Executive, will be happy to get in touch. Come visit them at incapptic Connect's booth, or send them a message to meet during the event. 

 

Attend incapptic Connect´s Presentation: "Case Study on Automatic App Release Management"

From 16:00 to 16:30, Dr. Thiemo Scherle will take the stage, don't miss it!

 

 

Location

Hotel Hilton Frankfurt City Centre
Hochstraße 4
Frankfurt am Main, 60313

 

incapptic Connect @ MobileIron Live! 2017

incapptic Connect is proud to be part of the upcoming MobileIron Live! on June 1 - 2, 2017 in Berlin!

MobileIron Live! is the premier event for immersive learning about enterprise mobility and security. Get hands-on technical training and learn how to achieve business results from real IT pros. Leave a better mobile IT professional.

 

Don't miss the chance to meet our team!

Want to know more about App Release Management and Deployment Automation?
Dr. Rafael Kobylinski and Dr. Thiemo Scherle, our Founder / CEO and our Chief Customer Officer, will be happy to get in touch. Send them a Twitter message to meet them during the event:

@rkobylinski
@timscher

 

Attend incapptic Connect's Roundtable: Best Practices for Publishing and Updating In-house Apps

On Thursday, June 1, 2017, afternoon, we will host a roundtable. In this session, we will discuss the best practices needed to securely transfer app binaries, screenshots, and meta-data across organizational boundaries, such as development and IT operations. We will also explain how to re-sign externally developed apps with Apple-issued digital identities or Android Keystores, as well as upload in-house apps to MobileIron Apps@Work. You will also learn how self-service and automation can save countless admin hours and reduce lead times from development to availability in Apps@Work.

Location

Motorwerk
An der Industriebahn 12
13088 Berlin