One day after Facebook had its enterprise developer certificates revoked by Apple, Google ran into similar troubles with the iOS and App Store owner.
It turned out that Facebook was not the only naughty player attempting to circumvent Apple’s rules forbidding apps developed under enterprise certificates from being distributed outside the company. Google was found to have distributed a data monitoring and survey app called Screenwise Meter. The app comes with Apple’s enterprise developer certificate granted to Google and has been distributed to a “panel” selected and maintained in partnership with the research firm GfK. The panel may include users as young as 13 or, with the parents’ consent, those under 13, though the data monitoring method will be modified.
It is not clear if it was a reaction to the revocation of Facebook’s certificates, but Google stopped the distribution of Screenwise Meter before Apple acted. “The Screenwise Meter iOS app should not have operated under Apple’s developer enterprise program — this was a mistake, and we apologize,” Google said in a statement on Wednesday. “We have disabled this app on iOS devices. This app is completely voluntary and always has been. We’ve been upfront with users about the way we use their data in the app, we have no access to encrypted data in apps and on devices, and users can opt out of the program at any time.”
However, Google’s developer certificates were still made invalid by Apple on Thursday, as first reported by The Verge. As a result, Google’s pre-release beta apps as well as employee-only apps, for example those for using Google’s shuttle bus or coffee shops, stopped working. (One cannot help but wonder how many employees at Google, which controls Android and releases its own Pixel smartphones, are using iPhones as their primary devices.) The tone from Apple, however, was much more conciliatory. “We are working together with Google to help them reinstate their enterprise certificates very quickly,” said the statement from Apple to BuzzFeed.
In comparison, Apple was much sterner when pulling the plug on Facebook. “We designed our Enterprise Developer Program solely for the internal distribution of apps within an organization. Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple.”
Looking at the two cases together, there are two types of issues Apple needs to deal with. To borrow economics jargon, one is normative, i.e. based on principles, and the other is positive, i.e. based on facts. On the normative side, Apple should clarify whether Facebook and Google were punished for launching apps that gather users’ private data or for distributing the apps under the wrong type of certificate and through unofficial channels, i.e. not using the App Store.
Although most media coverage focused on the Facebook app gathering user data, it appears that Apple was more annoyed by the fact that Facebook (and Google) had abused their enterprise developer certificates. It said in the statement related to Facebook: “Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case (of Facebook) to protect our users and their data.”
However, what drove Facebook to distribute “Facebook Research”, the app in question, through unorthodox channels appears to be that Apple has banned apps that gather user data as detailed as app history, private messages, and location from being listed in the App Store. In its “App Store Review Guidelines”, Apple stated “5.1.1 Data Collection and Storage: (iii) Data Minimization: Apps should only request access to data relevant to the core functionality of the app and should only collect and use data that is required to accomplish the relevant task. Where possible, use the out-of-process picker or a share sheet rather than requesting full access to protected resources like Photos or Contacts.”
The rule above runs into a paradox in cases where the “core functionality” of an app is to gather detailed user data and the app is explicit about it. That was the case with “Facebook Research”. Facebook said in its statement: “Key facts about this market research program are being ignored. Despite early reports, there was nothing ‘secret’ about this; it was literally called the Facebook Research App. It wasn’t ‘spying’ as all of the people who signed up to participate went through a clear on-boarding process asking for their permission and were paid to participate. Finally, less than 5 percent of the people who chose to participate in this market research program were teens. All of them with signed parental consent forms.”
As an aside, despite the repeated furore over Facebook recently, neither users nor advertisers seem to be deterred. The recently published Q4 results showed that in Europe, where GDPR went into effect in mid-2018, Facebook’s monthly active users went up from 375 million in Q3 to 381 million, and the average revenue per user in Europe jumped from $8.82 in Q3 to $10.98.
If Apple was unhappy with companies distributing apps developed under enterprise certificates to users outside the enterprise, that brings up the positive side of the issue, i.e. how Apple implements the rule. Whether Apple was punishing Facebook and Google as a deterrent to other companies that have or might have distributed apps externally using enterprise certificates, or whether it will go after all offenders, remains to be seen.
If it was the former tactic, an old Chinese saying, “Kill the chicken to scare the monkey”, would summarise it well, though the two chickens Apple has put the knife in are much fatter than most monkeys. On the other hand, if Apple were true to its word that it would act on “any developer using their enterprise certificates to distribute apps to consumers”, it may find a long line of chickens (or monkeys) waiting. Alex Fajkowski, a Twitter user and iOS app developer, suggested that both Amazon and DoorDash were distributing apps to recruit temporary deliverers. Then a longer list of companies suspected of doing the same thing was drawn up, including companies like Square and Sonos (though Sonos looks to have removed the page recently).
Either way, it is clear that Apple is tightening control over its already tightly controlled ecosystem. With Services becoming increasingly important, Apple would not want to see any loss of revenue from iOS apps distributed outside the App Store, nor would it want to be seen as complacent or even complicit in any compromise of users’ privacy. Or standing up to the internet giants, which have been on the receiving end of much anger, could score a PR victory for Apple.
Both Facebook and Google had their enterprise certificates restored by Thursday evening.