Why did Apple revoke Facebook's enterprise distribution certificates?

From what we know, Apple revoked Facebook’s enterprise distribution certificates for internal-use iOS apps last Wednesday.

The impact of Apple’s decision was significant: Facebook employees could no longer launch internal-use apps. This included calendaring, campus maps, and transportation apps for the Apple iPhone, as well as internal communication tools. The internal beta testing process also came to a halt, with Facebook employees no longer able to launch not-yet-released versions of Facebook’s consumer apps such as Facebook, Instagram or Messenger.

Why did Apple do this to Facebook? Tammy Levine, an Apple spokeswoman, explained the move to The New York Times:

Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.
— Tammy Levine, an Apple spokeswoman, to The New York Times

While most iOS apps are distributed through the Apple App Store, Apple allows distribution outside the Apple App Store through the Apple Developer Enterprise Program. Organizations which subscribe to this program can obtain distribution certificates from Apple to distribute internal use iOS apps to their own employees. The key phrase here is “to their own employees”…

The Apple Developer Enterprise Program lets you distribute your in-house apps to your own employees

What one of Facebook’s business units apparently did was use the certificates obtained via the Apple Developer Enterprise Program to distribute an app called the Facebook Research App to non-employees. This is a clear violation of the intended purpose of the program, as well as of Facebook’s agreement with Apple, as stated by Tammy Levine.

The fact that the Facebook Research app was very aggressively collecting highly sensitive personal data certainly did not help the case. Based on technology from Onavo, a company Facebook had acquired in October 2013, the app’s purpose was apparently to decrypt and log the Internet traffic of its users, so Facebook could analyze those users’ behavior. To be fair, Facebook had been open about this and was actually paying 20 USD per month to volunteers between the ages of 13 and 35 willing to become Facebook’s research subjects.

What happened next was that Facebook announced that the Facebook Research app would no longer be available to Apple iPhone users (the program continues for Android users), and it seems to have been able to request new enterprise distribution certificates on Thursday.

The Schindler Group uses incapptic Connect to retain full control of their enterprise distribution certificates.

Case closed? Well, almost. A lot of organizations, like our customers CLAAS or Schindler, are in the process of leveraging internal use iOS apps to digitize their business processes. At some point, they might have been wondering whether they are exposing themselves to the risk of a serious business process disruption should Apple decide to revoke their certificates for some odd reason.

While last week has shown that this risk is real, Apple’s decision was far from arbitrary and quite easily avoidable.

Organizations leveraging the Apple platforms to advance their processes should understand the rules, carefully monitor their internal use iOS app portfolio across all business units, and control access to the enterprise distribution certificates. This has been true since the dawn of the Apple Developer Enterprise Program and was actually one of the driving forces which led to the inception of the very first release of incapptic Connect.
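One concrete form of the portfolio monitoring recommended above is to inventory every in-house IPA and read the provisioning profile it carries: whether it is an enterprise (in-house) profile, which team signed it, and when it expires. The following script is an added example written for this page, not incapptic Connect's code; it uses the real `embedded.mobileprovision` keys `ProvisionsAllDevices`, `ProvisionedDevices`, `TeamIdentifier`, `ExpirationDate` and `Entitlements`, and the sample IPA, team identifier and expiry dates it builds are constructed placeholders (the fake CMS wrapper stands in for the real signed DER structure, which this example does not verify).

```python
import io
import plistlib
import zipfile
from datetime import datetime, timedelta, timezone


def extract_profile_plist(raw: bytes) -> dict:
    """Recover the XML plist carried inside a .mobileprovision file.

    A provisioning profile is a CMS (PKCS#7) signed blob whose payload is an
    XML plist. For inventory purposes the plist is sliced out of the wrapper;
    the signature itself is not verified here.
    """
    start = raw.find(b"<?xml")
    end = raw.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist payload found in provisioning profile")
    return plistlib.loads(raw[start:end + len(b"</plist>")])


def classify_distribution(profile: dict) -> str:
    """Map profile keys to the distribution channel the app can use."""
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"              # in-house: installs on any device, no device list
    if profile.get("ProvisionedDevices"):
        return "ad-hoc-or-development"   # limited to the listed UDIDs
    return "app-store"                   # neither flag: App Store distribution profile


def audit_ipa(ipa_bytes: bytes, now: datetime) -> dict:
    """Summarise the provisioning profile embedded in an IPA (a zip archive)."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as ipa:
        candidates = [n for n in ipa.namelist()
                      if n.startswith("Payload/") and n.endswith(".app/embedded.mobileprovision")]
        if not candidates:
            raise ValueError("IPA has no embedded.mobileprovision")
        profile = extract_profile_plist(ipa.read(candidates[0]))
    expires = profile["ExpirationDate"]
    if expires.tzinfo is None:           # plistlib returns naive datetimes in UTC
        expires = expires.replace(tzinfo=timezone.utc)
    entitlements = profile.get("Entitlements", {})
    return {
        "profile_name": profile.get("Name"),
        "app_id": entitlements.get("application-identifier"),
        "team_id": (profile.get("TeamIdentifier") or [None])[0],
        "distribution": classify_distribution(profile),
        "days_until_expiry": (expires - now).days,
    }


def review_flags(report: dict, approved_teams: set, warn_days: int = 30) -> list:
    """Policy checks a portfolio owner would run over each audit result."""
    flags = []
    if report["distribution"] == "enterprise" and report["team_id"] not in approved_teams:
        flags.append("enterprise profile from unapproved team %s" % report["team_id"])
    if report["days_until_expiry"] < 0:
        flags.append("profile expired; app will stop launching")
    elif report["days_until_expiry"] <= warn_days:
        flags.append("profile expires in %d days; re-sign before then" % report["days_until_expiry"])
    return flags


# --- constructed sample data (not a real app, team or profile) ---
SAMPLE_NOW = datetime(2019, 2, 4, 12, 0, tzinfo=timezone.utc)


def build_sample_ipa(days_until_expiry: int, team_id: str = "ABCDE12345") -> bytes:
    """Build an in-memory IPA carrying a fake enterprise provisioning profile."""
    expires = SAMPLE_NOW + timedelta(days=days_until_expiry)
    profile = {
        "Name": "Example In-House Distribution",
        "TeamIdentifier": [team_id],
        "TeamName": "Example Corp",
        "ProvisionsAllDevices": True,                      # marks an enterprise profile
        "ExpirationDate": expires.replace(tzinfo=None),    # plist dates are naive UTC
        "Entitlements": {"application-identifier": team_id + ".com.example.inhouse",
                         "get-task-allow": False},
    }
    # Fake wrapper standing in for the real CMS/DER envelope and signature.
    blob = b"\x30\x82\x00\x00FAKE-CMS-WRAPPER" + plistlib.dumps(profile) + b"FAKE-SIGNATURE"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as ipa:
        ipa.writestr("Payload/Example.app/embedded.mobileprovision", blob)
    return buf.getvalue()


if __name__ == "__main__":
    report = audit_ipa(build_sample_ipa(10), SAMPLE_NOW)
    print(report)
    print(review_flags(report, approved_teams={"ABCDE12345"}))
```

Note what this check can and cannot tell you: the profile shows that an app is signed for installation on any device and which team's certificate was used, but not to whom the IPA was actually handed out. That is exactly why the page's other two points, knowing the rules and controlling who can access the enterprise distribution certificates, have to accompany the inventory.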

But this is a different story for another time…