Back in August, Apple asked Facebook to remove its Onavo VPN from the App Store, saying the app was in violation of its data collection policies. Now, TechCrunch reports that Facebook has sidestepped the App Store and has been paying teenagers and adults to install a “Facebook Research” VPN on their device.
Sylvania HomeKit Light Strip
According to the report, Facebook has been paying users between the ages of 13 and 35 up to $20 per month, plus referral fees, to install the Facebook Research app. The company has sidestepped the App Store completely in this process, administering it through beta testing services Applause, BetaBound, and uTest.
Essentially, once Onavo VPN was banned from the App Store last year, Facebook started referring to it as Project Atlas and running ads on Snapchat and Instagram. In those ads, Facebook is not mentioned at all.
The Applause ads don’t mention Facebook, and make the enticing pitch for a “paid social media research study.” The only mention of Facebook comes when users under the age of 18-years-old attempt to sign-up, as parents are required to fill out a consent form in this instance.
Meanwhile, BetaBound makes a similar pitch, saying that users will receive $20 per month to install an app and let it run in the background. Users are also promised an additional $20 for every friend they refer.
On its website, Applause outlines the data that is collected as part of this “research” study:
“By installing the software, you’re giving our client permission to collect data from your phone that will help them understand how you browse the internet, and how you use the features in the apps you’ve installed . . . This means you’re letting our client collect information such as which apps are on your phone, how and when you use them, data about your activities and content within those apps, as well as how other people interact with you or your content within those apps. You are also letting our client collect information about your internet browsing activity (including the websites you visit and data that is exchanged between your device and those websites) and your use of other online services. There are some instances when our client will collect this information even where the app uses encryption, or from within secure browser sessions.”
TechCrunch puts it best when it says installing this VPN gives Facebook “limitless access to a user’s device.” In some instances, users are even required to go to their Amazon account and take a screenshot of their order history, then upload it to the Facebook Research website.
Facebook completely bypasses Apple’s own beta testing system TestFlight for this app. Instead, users must visit r.facebook-program.com, where they are instructed to install “an Enterprise Developer Certificate and VPN” and “trust Facebook with root access to their phone plus much of the data it transmits.”
This certificate is only supposed to be used by developers distributing internal corporate applications, with Facebook’s implementation seemingly a clear violation of that guideline.
TechCrunch says that Apple is “aware” of the issue, but it’s unclear if it might ban Facebook from using Enterprise Developer Certificates. For its part, Facebook oddly says that its usage does not violate Apple’s guidelines, but fails to offer any evidence to support that claim.
TechCrunch’s full investigation is worth a read and can be found here.
they didn't even bother to change the function names, the selector names, or even the "ONV" class prefix. it's literally all just Onavo code with a different UI. pic.twitter.com/ruqH69pUfq
— Will Strafach (@chronic) January 29, 2019
this is the most defiant behavior I have EVER seen by an App Store developer. it's mind blowing. this is an amazing scoop by @JoshConstine – I still don't know how to best articulate how absolutely floored I am by Facebook thinking they can get away with this.
— Will Strafach (@chronic) January 30, 2019