Facebook's Project Atlas totally pwns its users

DEyncourt
Posts: 17356
Joined: Sun Jan 20, 2008 2:38 am

Post by DEyncourt »

"Facebook pays teens to install VPN that spies on them".

Sure, Facebook is paying their users $20 per month to install this VPN (plus referral fees to encourage others to install it), but according to one security expert:
If Facebook makes full use of the level of access they are given by asking users to install the Certificate, they will have the ability to continuously collect the following types of data: private messages in social media apps, chats in instant messaging apps – including photos/videos sent to others, emails, web searches, web browsing activity, and even ongoing location information by tapping into the feeds of any location tracking apps you may have installed.

You may recall that Facebook had its Onavo Protect app, which was practically the same in effect, banned from Apple's App Store this past August, but Facebook has been separately offering this Project Atlas VPN through offers at Amazon since 2016, mostly to users in the age range of 13 to 35.

Post by DEyncourt »

"Apple blocks Facebook from running its internal iOS apps".

This is part of Apple's effort to stop Project Atlas from working. The way Facebook got employees and users to distribute that VPN was supposed to be only used internally for company apps. As a result even Facebook employees are finding that formerly working corporate apps are no longer working because Facebook's distribution certificate with Apple has been revoked (which has the effect of disabling all apps associated with it).
Betonhaus
Posts: 2911
Joined: Thu Aug 30, 2018 10:25 pm

Post by Betonhaus »

DEyncourt wrote: "Apple blocks Facebook from running its internal iOS apps".

This is part of Apple's effort to stop Project Atlas from working. The way Facebook got employees and users to distribute that VPN was supposed to be only used internally for company apps. As a result even Facebook employees are finding that formerly working corporate apps are no longer working because Facebook's distribution certificate with Apple has been revoked (which has the effect of disabling all apps associated with it).


Good.

Post by DEyncourt »

"Google will stop peddling a data collector through Apple’s back door".
The company said in a statement to TechCrunch:

“The Screenwise Meter iOS app should not have operated under Apple’s developer enterprise program — this was a mistake, and we apologize. We have disabled this app on iOS devices. This app is completely voluntary and always has been. We’ve been upfront with users about the way we use their data in this app, we have no access to encrypted data in apps and on devices, and users can opt out of the program at any time.”

Do note that Google's Screenwise VPN is still available for Android.

Similar to Facebook's Project Atlas, since 2012 Screenwise promoted itself through gift card offers to current users to encourage others to get the app, which apparently allows Google near-total access to all traffic running across a device. It has since been renamed "Google Opinion Rewards".

Post by DEyncourt »

"Apple blocks Google from running its internal iOS apps".

Just like with the case of Facebook, Google's distribution certificate has been revoked, which has disabled internal Google apps like their internal cafe app.

Post by Betonhaus »

DEyncourt wrote: "Apple blocks Google from running its internal iOS apps".

Just like with the case of Facebook, Google's distribution certificate has been revoked, which has disabled internal Google apps like their internal cafe app.

I'm surprised as Google quickly pulled their app specifically to avoid this. Hopefully they resolve this quickly as otherwise it might not be as wise of a move if Google has no choice but to pull their stuff out of the app store and strongarm their users to Android.

Post by DEyncourt »

Actually, Google immediately pulling Streetwise had no effect on Apple's decision to cancel Google's distribution certificate (and thus disabling many of Google's internal iOS versions of apps). Streetwise's very existence was a violation of the use of its distribution certificate, which was to be used solely for apps internal to Google.

On the other hand Google is likely to use this problem to convince its iOS device users to switch to Android versions.
Last edited by DEyncourt on Thu Jan 31, 2019 7:14 pm, edited 1 time in total.
TOS
Posts: 39250
Joined: Mon Jan 21, 2013 5:48 pm

Post by TOS »

apple versus facebook starting to get personal

personally all the players are trying to make it about ethics and morality, but i think it's just about competition

amazon and google for instance can't get along, and it's easy to see why (data and advertising rivalry)
"TOS ain’t havin no horserace round here. “Policies” is the coin of the realm." -- iDaemon

Post by DEyncourt »

On the other hand your article did mention:
The company issued no such comment in relation to Facebook, but Apple did restore the company's enterprise certifications early Thursday evening.

Presumably there is some agreement between Facebook and Apple that the former will not violate the internal use of its distribution certificate again, and Google will have to do the same.

Post by DEyncourt »

I suppose this was inevitable: software pirates are using various companies' distribution certificates to get around limitations Apple has placed on its App Store.

Exactly how some of these certificates became available to the pirates isn't clear, but at least one pirate was back in business with a different one within days after his previous one was blocked.

Some pirates are distributing cheaper or free versions of popular apps (offering users a VIP service for a yearly fee to get other apps), while others have been using the certificates to get around Apple's censorship of apps that feature porn or gambling.

How many people are using the pirated alternatives isn't known, but on Twitter the collective accounts of the pirates have over 600 K followers.
Apple confirmed a media report on Wednesday that it would require two-factor authentication - using a code sent to a phone as well as a password - to log into all developer accounts by the end of this month, which could help prevent certificate misuse.