,
32 tweets,
10 min read
Read on Twitter
disgraced Facebook VPN, Onavo, is back on iOS - signed using Facebook's Enterprise Certificate to circumvent App Store review!
Facebook Enterprise Certificate. here is all the info needed to revoke. 
background information on misuse of Enterprise Certificates: theiphonewiki.com/wiki/Misuse_of…
the "Facebook Research" app can be found here, accessible by anyone + signed with the Enterprise Certificate, an unauthenticated server owned by Facebook: r[.]facebook-program[.]com/ios/stable/manifest[.]plist (this will likely get yanked by FB very soon)
they didn't even bother to change the function names, the selector names, or even the "ONV" class prefix. it's literally all just Onavo code with a different UI.
the Root Certificate they have users install so that they can access any TLS-encrypted traffic they'd like.
this is the most defiant behavior I have EVER seen by an App Store developer. it's mind blowing. this is an amazing scoop by @JoshConstine - I still don't know how to best articulate how absolutely floored I am by Facebook thinking they can get away with this.
I can't imagine how this got cooked up.
"With all the negative press we've gotten this year and Onavo about to be removed from the App Store, we need some fresh new ideas! Let's hear them!"
"With all the negative press we've gotten this year and Onavo about to be removed from the App Store, we need some fresh new ideas! Let's hear them!"
"I know! What if, literally days after we were warned about Onavo, we just distribute it outside the App Store so Apple cannot review it?"
"What if we make it as close as we can to a rootkit!"
"What if we specifically ask teens to use it?"
"GREAT! LET'S DO ALL OF THAT!"
"What if we make it as close as we can to a rootkit!"
"What if we specifically ask teens to use it?"
"GREAT! LET'S DO ALL OF THAT!"
if I was unclear, the app IPA is located here (probably not for long!). happy reversing!
r.facebook-program.com/ios/stable/pac…
r.facebook-program.com/ios/stable/pac…
also, the Facebook responses and pushback in @JoshConstine ‘s piece are some Grade A bullshit. I will break them down in a moment.
FB provides claims for what data they collect, and perhaps they are true.
however, they DO NOT inform users of the massive amount of access you hand them when hitting “Trust” on their Root Certificate. I do not think users can reasonably consent without this knowledge.
however, they DO NOT inform users of the massive amount of access you hand them when hitting “Trust” on their Root Certificate. I do not think users can reasonably consent without this knowledge.
here, Facebook straight up lies to @JoshConstine about this. full stop. everyone with an Enterprise Certifucate knows that it is for internal-use apps to be used only by employees. Apple even calls you and confirms that you understand this, plus it is right in the agreement.
I have been through the process and it is entirely clear what the Enterprise Developer program is for. there is no ambiguity regarding how it can be used. Facebook straight up ignored the rules and misused the code signing certificate to distribute their now-banned Onavo app.
1. sure, the Android one was 2016 - but the iOS version being discussed appears to have started right when Apple warned Facebook that Onavo was breaking App Store rules.
2. how is this at all similar to a focus group? I don’t even know how to make a counterpoint against that.
2. how is this at all similar to a focus group? I don’t even know how to make a counterpoint against that.
this is obscenely disingenuous. the app is straight up Onavo code, with like, one single view changed and a different icon.
in fact, I would personally call it a lie to say it is a different program. appears to use all the same servers and everything too.
in fact, I would personally call it a lie to say it is a different program. appears to use all the same servers and everything too.
word is that Facebook is already drawing up + floating some talking point about all this.
I would personally not believe a word of it, unless it is a confession and apology for lying in their initial statement.
I would personally not believe a word of it, unless it is a confession and apology for lying in their initial statement.
I worry that Facebook may try to take advantage of the fact that this situation deals with technical matter which they could try to cast doubt on.
I would advise folks to read everything TC quoted me on. I responded to them very precisely and meant every word of what I said.
I would advise folks to read everything TC quoted me on. I responded to them very precisely and meant every word of what I said.
here is the super weak talking point from Facebook.
setting aside every critical element that the response completely ignores, I’d like to point out that the 5% number is unlikely to be correct.
this may shock you, but kids lie about their age online.
setting aside every critical element that the response completely ignores, I’d like to point out that the 5% number is unlikely to be correct.
this may shock you, but kids lie about their age online.
aaaassaassnd it’s gone.
Apple has now revoked Facebook’s Enterprise Distribution Certificate. I am very glad to see swift action from Apple and confirmation that nobody is above the rules.
revocation of their Enterprise Certificate means the app is now inoperable.
also, because Facebook was arrogant enough to use their own certificate, any internal employee apps they have deployed will also be rendered inoperable.
also, because Facebook was arrogant enough to use their own certificate, any internal employee apps they have deployed will also be rendered inoperable.
they did this to themselves.
welcome to the real world.
Facebook is being treated precisely as any other company would in this situation. they are facing consequences for their actions, and boy do they not like it!
the only way they can “work with Apple” on this is to get their Enterprise Certificate back. maybe they can try and beg. I hope they don’t get it.
it is very encouraging to see some reflection and pushback by folks inside Facebook. again, they are directly facing consequences for Facebook’s actions. for the first time.
Google is correct, there does not appear to be any Root Certificate install for their app. pretty substantial difference. I also notice a phrase completely absent from Facebook’s replies: “We apologize”
sounds like Sheryl Sandberg is lying. there is no evidence in the documents and agreements they provide to people of any sort of “rigorous consent flow” or anything being made “very clear” to folks. this response is simply not credible at all.
from an instructional video for Project Atlas users. this is how they guide the user through trusting the Facebook Researxh Root Certificate. does this sound like a “rigorous consent flow” to anyone?
can’t believe I missed this earlier. Onavo has now been shut down entirely.
nice work Facebook what a great use of $100,000,000.
onavo.com
nice work Facebook what a great use of $100,000,000.
onavo.com
