
TIMO ZIMMERMANN

balancing software engineering & infosec

On Apple revoking certificates – I would have hoped for more

posted on Tuesday 5th of February 2019

Apple was on a roll last week. They first revoked Facebook's enterprise developer certificate, used to provision applications outside of the AppStore within a company, and a day later Google's. This obviously caused some discussions around the applications mentioned in the article, the walled garden Apple built and our all-time favourite: who owns the devices we are using.

Both Facebook and Google basically shipped an app we would regularly call spyware. Those applications would never have made it through the AppStore review process, or only by mistake. Especially considering Apple's stance on privacy and Zuckerberg's displeasure with it.

Who controls the device you pay for and you own? This is a discussion as old as the AppStore, but what happened here is Facebook paying 13 year olds $20 to get an insight into their lives that Facebook and no other company should ever have. End of discussion. Thanks to Apple's control over the ecosystem they were able to shut this down. While we can make very good points for freedom of choice vs a walled garden, having someone able to shut down an application like this was a very good thing. This time.

Based on the reports I have seen, the reason for the revocation was a violation of the enterprise developer agreement. We might speculate whether this truly was the driving factor or whether other factors led to the decision as well, but we have to stick to the official statements and reasoning we have seen.

I would have hoped for more. Especially considering Apple is strongly advertising privacy on their platforms and using it as one of the reasons why they want to retain such tight control over iOS and the applications you can install. This was a unique chance to make a very strong statement.

They have chosen the easy way out, claiming a breach of ToS, and decided not to take a strong, public stance against Facebook's and Google's “business practices”. From a legal perspective this might make a lot of sense. It is likely the easiest provable violation of the enterprise developer agreement, and with my limited understanding of (international) law I assume it would be hard to impossible to define privacy violations in a legally binding document, especially when you factor in potential “consent”.

A company like Apple that focuses so much on privacy could have made a very strong statement. “Not on our platform – our users' privacy is a top priority!” Facebook reached peak impudence paying 13 year olds to give them full access to their lives. We cannot tiptoe around this anymore and revoke a certificate based on a ToS violation. We need a loud and clear voice telling companies like Facebook “no, you will not get away with something like this”. And Apple is in a unique position to be one of these voices, one of the loudest possible. But they decided to play it safe, which is very disappointing.