Will Strafach @chronic building great things. breaking others. | founder and CEO @guardianiosapp - the first and only firewall for iOS | email: [email protected] Jan. 29, 2019 5 min read

disgraced Facebook VPN, Onavo, is back on iOS - signed using Facebook's Enterprise Certificate to circumvent App Store review!

Facebook Enterprise Certificate. here is all the info needed to revoke.

background information on misuse of Enterprise Certificates:  https://www.theiphonewiki.com/wiki/Misuse_of_enterprise_and_developer_certificates 

the "Facebook Research" app can be found here, accessible by anyone + signed with the Enterprise Certificate, an unauthenticated server owned by Facebook: r[.]facebook-program[.]com/ios/stable/manifest[.]plist (this will likely get yanked by FB very soon)

they didn't even bother to change the function names, the selector names, or even the "ONV" class prefix. it's literally all just Onavo code with a different UI.

the Root Certificate they have users install so that they can access any TLS-encrypted traffic they'd like.

this is the most defiant behavior I have EVER seen by an App Store developer. it's mind blowing. this is an amazing scoop by @JoshConstine - I still don't know how to best articulate how absolutely floored I am by Facebook thinking they can get away with this.

I can't imagine how this got cooked up.

"With all the negative press we've gotten this year and Onavo about to be removed from the App Store, we need some fresh new ideas! Let's hear them!"

"I know! What if, literally days after we were warned about Onavo, we just distribute it outside the App Store so Apple cannot review it?"

"What if we make it as close as we can to a rootkit!"

"What if we specifically ask teens to use it?"


if I was unclear, the app IPA is located here (probably not for long!). happy reversing!


also, the Facebook responses and pushback in @JoshConstine ‘s piece are some Grade A bullshit. I will break them down in a moment.

FB provides claims for what data they collect, and perhaps they are true.

however, they DO NOT inform users of the massive amount of access you hand them when hitting “Trust” on their Root Certificate. I do not think users can reasonably consent without this knowledge.

here, Facebook straight up lies to @JoshConstine about this. full stop. everyone with an Enterprise Certifucate knows that it is for internal-use apps to be used only by employees. Apple even calls you and confirms that you understand this, plus it is right in the agreement.

I have been through the process and it is entirely clear what the Enterprise Developer program is for. there is no ambiguity regarding how it can be used. Facebook straight up ignored the rules and misused the code signing certificate to distribute their now-banned Onavo app.

1. sure, the Android one was 2016 - but the iOS version being discussed appears to have started right when Apple warned Facebook that Onavo was breaking App Store rules.

2. how is this at all similar to a focus group? I don’t even know how to make a counterpoint against that.

this is obscenely disingenuous. the app is straight up Onavo code, with like, one single view changed and a different icon.

in fact, I would personally call it a lie to say it is a different program. appears to use all the same servers and everything too.

word is that Facebook is already drawing up + floating some talking point about all this.

I would personally not believe a word of it, unless it is a confession and apology for lying in their initial statement.

I worry that Facebook may try to take advantage of the fact that this situation deals with technical matter which they could try to cast doubt on.

I would advise folks to read everything TC quoted me on. I responded to them very precisely and meant every word of what I said.

here is the super weak talking point from Facebook.

setting aside every critical element that the response completely ignores, I’d like to point out that the 5% number is unlikely to be correct.

this may shock you, but kids lie about their age online.

aaaassaassnd it’s gone.

Apple has now revoked Facebook’s Enterprise Distribution Certificate. I am very glad to see swift action from Apple and confirmation that nobody is above the rules.

revocation of their Enterprise Certificate means the app is now inoperable.

also, because Facebook was arrogant enough to use their own certificate, any internal employee apps they have deployed will also be rendered inoperable.

they did this to themselves.

welcome to the real world.

Facebook is being treated precisely as any other company would in this situation. they are facing consequences for their actions, and boy do they not like it!

still wild how Facebook flat out lied to @JoshConstine and @zackwhittaker about this last night.

the only way they can “work with Apple” on this is to get their Enterprise Certificate back. maybe they can try and beg. I hope they don’t get it.

it is very encouraging to see some reflection and pushback by folks inside Facebook. again, they are directly facing consequences for Facebook’s actions. for the first time.

Google is correct, there does not appear to be any Root Certificate install for their app. pretty substantial difference. I also notice a phrase completely absent from Facebook’s replies: “We apologize”

sounds like Sheryl Sandberg is lying. there is no evidence in the documents and agreements they provide to people of any sort of “rigorous consent flow” or anything being made “very clear” to folks. this response is simply not credible at all.

from an instructional video for Project Atlas users. this is how they guide the user through trusting the Facebook Researxh Root Certificate. does this sound like a “rigorous consent flow” to anyone?

NOTE - this is a small portion of the video being played on a desktop and recorded from a smartphone, as a lazy way of protecting source by not sharing the original video file (watermarking concerns)

galaxy brain has logged on.

facebook CSO genuinely appears to believe that a Good Subtweet is a photo of the Analytics menu, in iOS privacy settings, the menu which allows you to turn off what you’re uncomfortable with as well as learn more about how analytics data is used.

more seriously, it is actually quite worrisome that a CSO believes the existence of an analytics menu is some kind of smart retort to criticism of a data collection program which had users install and trust a Root Certificate Authority (holy grail of network data access).

good thing to keep in mind. in all the deflection and lies we have seen so far in Facebook’s responses, they have yet to directly explain precisely what data they collected. or why exactly they had users install a Root Certificate Authority.

cool so why did people sign an NDA and why did some get threats or “reminders” for mentioning the project was Facebook-related? really makes you think.

*legal threats

You can follow @chronic.


Tip: mention @threader_app on a Twitter thread with the keyword “compile” to get a link to it.

Enjoy Threader? Sign up.