Facebook used Research VPN app to bypass Apple’s privacy policies
31 January 2019
Facebook paid an unknown number of Internet users aged 13 to 35 up to $20 (£15.25) in exchange for downloading a secret Research VPN app that gave Facebook unrestricted access to users’ private messages, chats from instant messaging apps, photos, videos, emails, and web browsing activity.
Facebook also asked Internet users to download the Research VPN app from outside the iOS App Store, thereby bypassing Apple’s policies that prohibited apps from collecting data about usage of other apps on users’ devices. The use of the Research VPN app continued even after Apple banned Facebook’s Onavo Protect app from its App Store for violating its privacy policies.
An investigative report from TechCrunch revealed that Facebook had distributed the Research VPN app since 2016 through three beta testing services, namely BetaBound, uTest, and Applause. The three services contacted Internet users and asked them to participate in a “paid social media research study”.
While signing up for the study, users were asked to download the Research VPN app on their devices and to provide their consent so that the app could collect their personal data to learn more about their usage habits.
“By installing the software, you’re giving our client permission to collect data from your phone that will help them understand how you browse the internet, and how you use the features in the apps you’ve installed . . . This means you’re letting our client collect information such as which apps are on your phone, how and when you use them, data about your activities and content within those apps, as well as how other people interact with you or your content within those apps.
“You are also letting our client collect information about your internet browsing activity (including the websites you visit and data that is exchanged between your device and those websites) and your use of other online services. There are some instances when our client will collect this information even where the app uses encryption, or from within secure browser sessions,” read the consent form.
Those signing up for the study were offered $20 (£15.25) per month via e-gift cards as well as $20 for every referral. Even though the beta testing services did not mention Facebook’s involvement during the sign-up process, instruction manuals for installing the Research VPN app mentioned the company’s name.
Facebook worked with the three external beta testing services even though Apple has its own official beta testing service, which reviews apps and limits the number of participants to 10,000. Using external beta testing services also allowed Facebook to offer the Research VPN app from an external source (r.facebook-program.com) and to obtain root access to data transmitted from iPhones.
According to Will Strafach, a security expert at Guardian Mobile Firewall who was commissioned by TechCrunch to investigate the Research VPN app’s functions, the Research VPN app continued to route user data from iPhones to a link associated with Onavo’s IP address even after Apple had banned the Onavo Protect app for collecting data about the usage of other apps. This shows how Facebook used a new trick to bypass and violate Apple’s strict privacy policies.
“The code in this iOS app strongly indicates that it is simply a poorly re-branded build of the banned Onavo app, now using an Enterprise Certificate owned by Facebook in direct violation of Apple’s rules, allowing Facebook to distribute this app without Apple review to as many users as they want. This is an egregious violation on many fronts, and I hope that Apple will act expeditiously in revoking the signing certificate to render the app inoperable,” he told TechCrunch.
“I have never seen such open and flagrant defiance of Apple’s rules by an App Store developer,” he added.
Responding to TechCrunch’s findings, Facebook said that it is shutting down the Research VPN app for iOS with immediate effect, but that its VPN app for Android will continue to function. The company also said that there was nothing hidden about the project, as people went through a clear on-boarding process and gave permission for all the data the app collected.
“Key facts about this market research program are being ignored. Despite early reports, there was nothing ‘secret’ about this; it was literally called the Facebook Research App. It wasn’t ‘spying’ as all of the people who signed up to participate went through a clear on-boarding process asking for their permission and were paid to participate. Finally, less than 5 percent of the people who chose to participate in this market research program were teens. All of them with signed parental consent forms,” the company said.
Facebook also claimed that it did not violate Apple’s Enterprise Certificate policy, even though the facts make it clear that the Research VPN app was being used for the same purpose for which the Onavo Protect app was removed by Apple from its App Store. Signing up minors for the invasive research project by offering them a quick way of making money may also put Facebook in a tough spot if an official investigation takes place.