{"id":14469,"date":"2019-01-31T10:45:25","date_gmt":"2019-01-31T18:45:25","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/01\/31\/news-8221\/"},"modified":"2019-01-31T10:45:25","modified_gmt":"2019-01-31T18:45:25","slug":"news-8221","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/01\/31\/news-8221\/","title":{"rendered":"Why Facebook&#8217;s Banned &#8216;Research&#8217; App Was So Invasive"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5c522412f254572cc21b8235\/master\/pass\/fbvpn-01%20(1).jpg\"\/><\/p>\n<p><strong>Credit to Author: Louise Matsakis| Date: Thu, 31 Jan 2019 01:15:12 +0000<\/strong><\/p>\n<p><span class=\"lede\">For the past <\/span>three years, Facebook has paid consumers as young as 13 to download a \u201cFacebook Research\u201d application that gives the company wide-ranging access to their mobile devices, according to a <a href=\"https:\/\/techcrunch.com\/2019\/01\/29\/facebook-project-atlas\/\" target=\"_blank\">TechCrunch<\/a> investigation published Tuesday. In order to allow people with iPhones to participate, Facebook sidestepped the strict privacy rules imposed by Apple in its App Store by taking advantage of a business applications program designed for internal company use. Apple soon announced it was revoking Facebook\u2019s access to its <a href=\"https:\/\/developer.apple.com\/programs\/enterprise\/\" target=\"_blank\">Developer Enterprise Program<\/a>, which also allowed the company to share custom iOS apps with its own employees. 
Apple\u2019s decision is reportedly <a href=\"https:\/\/www.businessinsider.com\/facebook-employees-angry-after-apple-blocks-its-internal-ios-apps-2019-1\" target=\"_blank\">wreaking havoc<\/a> at the social network, rendering workers unable to access the apps they use for their jobs.<\/p>\n<p>As Facebook <a href=\"https:\/\/www.wired.com\/story\/facebook-research-app-lessons\/\">deals with the fallout<\/a> from yet another privacy scandal, it\u2019s worth unpacking how its Research app worked\u2014especially because it serves as a good reminder for other apps you might already be using, particularly <a href=\"https:\/\/www.wired.com\/2017\/03\/want-use-vpn-protect-privacy-start\/\">virtual private networks<\/a>.  It wasn\u2019t just Facebook: Google also <a href=\"https:\/\/techcrunch.com\/2019\/01\/30\/googles-also-peddling-a-data-collector-through-apples-back-door\/\" target=\"_blank\">disabled<\/a> a similar app on iOS devices on Wednesday. Both apps are still available on Android.<\/p>\n<p class=\"paywall\">Facebook reportedly paid users between the ages of 13 and 35 $20 a month to download the app through beta-testing companies like Applause, BetaBound, and uTest. Participants found out about the opportunity via Snapchat and Instagram advertisements, according to TechCrunch. Minors were required to get consent from their parents. Once approved, participants downloaded the app via their browser\u2014not through the Google Play Store or the Apple App Store.<\/p>\n<p class=\"paywall\">Apple typically <a href=\"https:\/\/www.wired.com\/story\/pepper-v-apple-supreme-court-app-store-antitrust\/\">doesn\u2019t allow<\/a> app developers to <a href=\"https:\/\/www.wired.com\/story\/apple-app-developers-union\/\">go around<\/a> the App Store, but its enterprise program is one exception. It\u2019s what allows companies to create custom apps not meant to be downloaded publicly, like an iPad app for signing guests into a corporate office. 
But Facebook used this program for a consumer research app, which Apple says violates its rules. \u201cFacebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple,\u201d a spokesperson said in a statement. \u201cAny developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.\u201d Facebook didn\u2019t respond to a request for comment.<\/p>\n<p class=\"paywall\">Facebook needed to bypass Apple\u2019s usual policies because its Research app is particularly invasive. First, it requires users to install what is known as a \u201c<a href=\"https:\/\/blog.malwarebytes.com\/security-world\/technology\/2017\/11\/when-you-shouldnt-trust-a-trusted-root-certificate\/\" target=\"_blank\">root certificate<\/a>.\u201d Once that certificate sits in the device\u2019s trust store, the device accepts any website certificate signed by it, so Facebook can mint its own certificate for whatever site you visit, present it from its own servers, and decrypt the HTTPS traffic before forwarding it on. This lets Facebook look at much of your browsing history and other network data, even if it\u2019s encrypted. The certificate is like a shape-shifting passport\u2014with it, Facebook can pretend to be almost anyone it wants. If you visit the website for a clothing retailer, for instance, Facebook can use the root certificate to pretend to be the store and see the pants you were looking to buy. 
\u201cYou allow Facebook to pretend to be anyone they want to be on the internet\u2014your device will trust the certificates they generate,\u201d says David Choffnes, a professor and mobile networking researcher at Northeastern University.<\/p>\n<p class=\"paywall\">Facebook couldn&#x27;t use its root certificate for every website or application, since some companies, like banks, prevent attackers from using an installed root certificate for man-in-the-middle attacks with a technique called \u201c<a href=\"https:\/\/www.ibm.com\/support\/knowledgecenter\/en\/SSHSCD_7.1.0\/com.ibm.worklight.dev.doc\/monitor\/c_cert_pinning_intro.html\" target=\"_blank\">certificate pinning<\/a>.\u201d The bank\u2019s app ships with a fingerprint of the certificate or public key it expects and refuses any other, even one that chains to a root the device trusts, so it knows not to take phonies like Facebook\u2019s. \u201cThis attack doesn\u2019t work on everything, but there\u2019s still a large fraction of apps that are vulnerable because it\u2019s not a standard threat model,\u201d says Choffnes.<\/p>\n<p class=\"paywall\">Facebook\u2019s app also established an on-demand virtual private network (VPN) connection, meaning it routed all of the participants&#x27; traffic through its own servers before passing it along to its final destination. This is essentially what <a href=\"https:\/\/www.wired.co.uk\/article\/best-vpn-free-in-for-uk\" target=\"_blank\">all VPNs do<\/a>\u2014they disguise traffic by rerouting it, allowing you to hide things like your location, perhaps to use Gmail in China or access streaming shows not available where you live. 
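The two mechanisms described above, an installed root certificate making forged site certificates trusted and certificate pinning rejecting them anyway, as an added Python example that is not code from the article, from Facebook or from Apple. It uses the third-party cryptography package; the hostname shop.example, the CA names and every key are constructed here and stand in for a real trust store and a real bank app.

```python
# Added example (not code from the Wired article, Facebook or Apple): why an
# installed root certificate lets an interception proxy impersonate any site,
# and why certificate pinning still rejects the forged certificate.
# Requires the third-party `cryptography` package. Every CA, key and hostname
# below is generated or made up inline; nothing comes from a real trust store.
import base64
import datetime
import hashlib

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _validity():
    now = datetime.datetime.now(datetime.timezone.utc)
    return now - datetime.timedelta(days=1), now + datetime.timedelta(days=365)


def make_root(name):
    """Self-signed CA certificate, like the one a research app asks you to install."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    nvb, nva = _validity()
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject).issuer_name(subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(nvb).not_valid_after(nva)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_leaf(ca_key, ca_cert, hostname):
    """Site certificate for `hostname` signed by `ca_cert` (a MITM proxy mints these on the fly)."""
    key = ec.generate_private_key(ec.SECP256R1())
    nvb, nva = _validity()
    cert = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(nvb).not_valid_after(nva)
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
        .sign(ca_key, hashes.SHA256())
    )
    return key, cert


def device_trusts(leaf, hostname, trust_store):
    """Simplified one-level chain check for a leaf signed directly by a root:
    a trusted root must carry the leaf's issuer name, its key must verify the
    leaf's signature, and the hostname must appear in the SAN. Real validators
    also check validity dates, key usage, path length and revocation."""
    for root in trust_store:
        if root.subject != leaf.issuer:
            continue
        try:
            root.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                     ec.ECDSA(leaf.signature_hash_algorithm))
        except InvalidSignature:
            continue
        san = leaf.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        return hostname in san.get_values_for_type(x509.DNSName)
    return False


def spki_pin(cert):
    """Public-key pin in the HPKP / OkHttp style: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    spki = cert.public_key().public_bytes(serialization.Encoding.DER,
                                          serialization.PublicFormat.SubjectPublicKeyInfo)
    return base64.b64encode(hashlib.sha256(spki).digest()).decode("ascii")


def pinned_app_accepts(leaf, hostname, trust_store, pins):
    # A pinning app requires BOTH a trusted chain AND a pin match.
    return device_trusts(leaf, hostname, trust_store) and spki_pin(leaf) in pins


def demo(hostname="shop.example"):
    public_ca_key, public_ca = make_root("Constructed Public CA")      # stand-in for a real CA
    _, real_leaf = issue_leaf(public_ca_key, public_ca, hostname)      # the shop's real cert
    mitm_key, mitm_root = make_root("Constructed Research App Root")   # root the app installs
    _, forged_leaf = issue_leaf(mitm_key, mitm_root, hostname)         # cert its proxy forges

    stock_store = [public_ca]                # the phone as shipped
    tainted_store = [public_ca, mitm_root]   # after installing the app's root
    bank_pins = {spki_pin(real_leaf)}        # what a pinning app ships with
    return {
        "forged_trusted_before_install": device_trusts(forged_leaf, hostname, stock_store),
        "forged_trusted_after_install": device_trusts(forged_leaf, hostname, tainted_store),
        "real_trusted_after_install": device_trusts(real_leaf, hostname, tainted_store),
        "forged_passes_pinning": pinned_app_accepts(forged_leaf, hostname, tainted_store, bank_pins),
        "real_passes_pinning": pinned_app_accepts(real_leaf, hostname, tainted_store, bank_pins),
    }
```

Calling demo() shows the four-way split the article describes: the forged certificate is rejected on a stock phone, accepted once the research root is installed, and rejected again by an app that pins the real key, while the genuine certificate passes in every case. Pinning the SubjectPublicKeyInfo rather than the whole certificate is what lets the bank rotate certificates without shipping a new app, as long as it keeps the key.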
But VPNs typically can\u2019t see your <a href=\"https:\/\/www.wired.com\/2017\/01\/half-web-now-encrypted-makes-everyone-safer\/\">encrypted traffic<\/a>, since they don\u2019t hold the private key behind any certificate your device would trust for the sites you visit. They can still read your unencrypted traffic, and even for HTTPS connections they see which hosts you talk to and how much data flows, which can be an issue, but the vast majority of internet traffic today happens <a href=\"https:\/\/www.wired.com\/story\/hotel-airport-wifi-safe\/\">over encrypted HTTPS connections<\/a>. But with its root certificate installed, Facebook <em>could<\/em> decrypt the browsing history or other network traffic of the people who downloaded Research, possibly even messages that are encrypted only between the device and the messaging service\u2019s servers (end-to-end encrypted messages stay unreadable, because the decryption key never leaves the recipient\u2019s device).<\/p>\n<p class=\"paywall\">To use a nondigital analogy, Facebook not only intercepted every letter participants sent and received, it also had the ability to open and read them. All for $20 a month!<\/p>\n<p class=\"paywall\">Using its VPN connection and root certificate, Facebook had the ability to gather extensive data from participants, including their browsing history, what apps they used and for how long, as well as the messages they sent. Facebook also asked some people to screenshot their Amazon orders page, according to TechCrunch, suggesting the social network may have had an interest in consumer purchasing habits. But unless Facebook discloses what it sought to learn from Research, there\u2019s no way to know exactly what the app might have been collecting.<\/p>\n<p class=\"paywall\">\u201cCapability versus actual things they did is a much bigger question,\u201d says Mike Murray, the chief security officer of the mobile security firm Lookout. \u201cBecause that all happens on the backend, you can\u2019t really tell what they did.\u201d<\/p>\n<p class=\"paywall\">In the past, Facebook has used a similar app to learn more about its rivals. 
In 2013, the social network acquired Onavo, an Israeli VPN maker, which it reportedly used to <a href=\"https:\/\/www.wsj.com\/articles\/the-new-copycats-how-facebook-squashes-competition-from-startups-1502293444\" target=\"_blank\">research<\/a> popular emerging apps in order to either copy or buy them.  It used Onavo to look into <a href=\"https:\/\/www.buzzfeednews.com\/article\/charliewarzel\/why-facebook-bought-whatsapp\" target=\"_blank\">WhatsApp<\/a>, for instance, which Facebook later acquired in 2014. Last year, Facebook <a href=\"https:\/\/www.wired.com\/story\/facebook-onavo-protect-vpn-privacy\/\">began promoting<\/a> Onavo in its iOS app under the banner \u201cProtect,\u201d but it later pulled the app from the App Store after Apple said it violated its new data-sharing policies, according to <a href=\"https:\/\/www.wsj.com\/articles\/facebook-to-remove-data-security-app-from-apple-store-1534975340\" target=\"_blank\"><em>The Wall Street Journal<\/em><\/a>.<\/p>\n<p class=\"paywall\">Facebook isn\u2019t the only company hungry for data on what consumers are doing on their phones. Google used Apple\u2019s enterprise program to distribute an app called <a href=\"https:\/\/techcrunch.com\/2019\/01\/30\/googles-also-peddling-a-data-collector-through-apples-back-door\/\" target=\"_blank\">Screenwise Meter<\/a>, which also acts like a VPN. In exchange for letting the tech giant collect and analyze their network traffic, Google <a href=\"https:\/\/support.google.com\/audiencemeasurement\/answer\/7568054?hl=en&amp;ref_topic=7648088\" target=\"_blank\">provides<\/a> participants with gift cards to various retailers. It\u2019s part of a wider Google consumer behavior program where participants can install tracking software on their router, laptop browser, and television. The difference is that the Google app doesn\u2019t require users to install a root certificate\u2014meaning they can\u2019t look at encrypted traffic. 
Still, Google wasn\u2019t complying with Apple\u2019s rules either, and it has now disabled the iOS version of Screenwise.<\/p>\n<p class=\"paywall\">\u201cThe Screenwise Meter iOS app should not have operated under Apple\u2019s developer enterprise program\u2014this was a mistake, and we apologize,\u201d a Google spokesperson said in a statement. \u201cWe have disabled this app on iOS devices. This app is completely voluntary and always has been. We\u2019ve been upfront with users about the way we use their data in this app, we have no access to encrypted data in apps and on devices, and users can opt out of the program at any time.\u201d<\/p>\n<p class=\"paywall\">While Facebook\u2019s app is particularly invasive, a number of other companies also pay or reward users in exchange for information about what they do online, like the data giant <a href=\"https:\/\/computermobilepanel.nielsen.com\/cmp\/landingeng.jsp\" target=\"_blank\">Nielsen<\/a>. In every case, people voluntarily download these apps and programs, though they may not always understand the full extent of the access they are granting\u2014especially if they\u2019re not even 18.<\/p>\n<p class=\"paywall\">Even if you don\u2019t plan to make money by selling your data, Facebook\u2019s latest privacy scandal is a good reminder to be wary of mobile apps that <a href=\"https:\/\/www.wired.com\/2016\/12\/never-ever-ever-download-android-apps-outside-google-play\/\">aren\u2019t available for download in official app stores<\/a>. It\u2019s easy to overlook how much of your information might be collected, or to accidentally install a <a href=\"https:\/\/www.wired.com\/story\/imposter-fortnite-android-apps-already-spreading-malware\/\">malicious version<\/a> of <em>Fortnite<\/em>, for instance. VPNs can be great privacy tools, but many free ones sell their users\u2019 data in order to make money. 
Before downloading anything, especially an app that promises to earn you some extra cash, it&#x27;s always worth taking another look at the risks involved.<\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/facebook-research-app-root-certificate\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5c522412f254572cc21b8235\/master\/pass\/fbvpn-01%20(1).jpg\"\/><\/p>\n<p><strong>Credit to Author: Louise Matsakis| Date: Thu, 31 Jan 2019 01:15:12 +0000<\/strong><\/p>\n<p>Until Apple revoked its privileges Wednesday, Facebook was paying iOS users $20 a month to download and install the data-sucking application. <\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714],"class_list":["post-14469","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/14469","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=14469"}],"version-history":[{"count":0,"href":"http:\/\
/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/14469\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=14469"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=14469"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=14469"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}