Since 2016 Facebook has been paying users aged 13-35 up to $20 per month to install an app which has almost limitless access to their smartphones and most sensitive data.

Reporters at TechCrunch exposed the scheme, which saw users install a “research” app capable of scooping up:

private chat messages, including photos and videos

emails

web-browsing activity

a list of which apps were installed on the device, and when they were last used

the user’s physical location history

data usage

According to the report, the app is similar to the Onavo Protect VPN app that Facebook was forced to withdraw from the iOS App Store after Apple determined that it was breaking its data-collection policies.

From the sound of things, Facebook is installing the offending app using the enterprise provisioning features that Apple provides for companies who wish to roll out their own enterprise certificate-signed versions of apps to employees, rather than the official iOS App Store.

They do this by asking users to install a root certificate which has almost unlimited access to the phone. The enterprise provisioning feature is intended for employees of a company, not 13-year-old users of a social media website. In short, Facebook has again breached Apple’s rules.

It seems to me that Apple would be well within its rights to revoke the certificates. Whether Apple will be prepared to take that ballsy step remains to be seen, but it would certainly see tensions between the two companies flare up.

Josh Constine at TechCrunch writes:

“The strategy shows how far Facebook is willing to go and how much it’s willing to pay to protect its dominance — even at the risk of breaking the rules of Apple’s iOS platform on which it depends. Apple could seek to block Facebook from continuing to distribute its Research app, or even revoke its permission to offer employee-only apps, and the situation could further chill relations between the tech giants. Apple’s Tim Cook has repeatedly criticized Facebook’s data collection practices. Facebook disobeying iOS policies to slurp up more information could become a new talking point.”

Within hours of TechCrunch’s report being published, Facebook moved from a position of defending its behaviour on the grounds that participants consented (it’s unclear how Facebook confirmed 13-year-olds received their parents’ permission) to announcing that they would be halting the research program on Apple devices.

According to a BBC News report, when it posed as a 14-year-old boy during its own test, it was able to download the app without any request for parental consent.

For now there is no indication that Facebook is planning to stop the “research” on Android phones.

I can’t imagine why anyone would trust Facebook with their personal profile information, let alone install apps which can read their private chats and emails or track their web browsing.

If you feel the same, then why not join me by deleting your account? If you’re finding it hard to quit, why not listen to this “Smashing Security” podcast we put together describing the process:

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.