Best Top Reviews Online

Why Was Facebook’s Banned ‘Research’ App So Pervasive?

Facebook paid iOS users $20 per month to download and install the data-sucking application, until Apple revoked its privileges on Wednesday.

According to an investigation published Tuesday by TechCrunch, Facebook has paid users as young as 13 to download a “Facebook Research” application that grants the company broad access to their mobile devices. To let iPhone users participate, Facebook sidestepped the strict privacy rules Apple imposes in its App Store by using an enterprise program intended for internal company apps. Apple soon announced that it was revoking Facebook’s access to its Developer Enterprise Program, which allowed Facebook to share iOS apps with its employees. According to reports, Apple’s decision is wreaking havoc on the social network, preventing employees from accessing work-related apps.

As Facebook deals with the aftermath of yet another privacy scandal, it is worthwhile to dissect how its Research app functioned, particularly because it serves as a useful reminder about other apps you may already be using, such as virtual private networks. Google, too, disabled a similar iOS app on Wednesday. Both applications remain accessible on Android.

Facebook reportedly paid users between the ages of 13 and 35 $20 per month through beta-testing companies such as Applause, BetaBound, and uTest to download the application. According to TechCrunch, participants learned about the opportunity through Snapchat and Instagram advertisements. Minors were required to obtain parental consent. Once approved, participants downloaded the application through their web browser rather than the Google Play Store or the Apple App Store.

Apple does not typically permit app developers to circumvent the App Store; however, its enterprise program is an exception. It enables businesses to create apps that are not intended for public download, such as an iPad app for signing guests into a corporate office. Apple claims that Facebook’s use of this program for a consumer research app violates its rules. Facebook has been using its membership to distribute a data-collecting app to consumers, which is a clear violation of its agreement with Apple, according to a statement from a Facebook spokesperson. “Any developer who distributes apps to consumers using their enterprise certificates will have their certificates revoked, as we did in this instance to protect our users’ data.” Facebook did not respond to a request for comment.

Facebook had to circumvent Apple’s standard policies because its Research app is especially intrusive. First, it requires users to install a “root certificate.” This enables Facebook to access a significant portion of your encrypted browsing history and other network data. The certificate is analogous to a shape-shifting passport; with it, Facebook can impersonate virtually anyone. If you visit the website of a clothing retailer, for example, Facebook can use the root certificate to impersonate the store and view the pants you are interested in purchasing. David Choffnes, a professor and mobile networking researcher at Northeastern University, explains, “You allow Facebook to pretend to be anyone they want on the internet; your device will trust the certificates they generate.”

Facebook could not use its root certificate for every website or application, because some companies, such as banks, use a technique called “certificate pinning” to prevent forged certificates from being used for man-in-the-middle attacks. The bank or other organization essentially decides that it will accept only its own certificates; it knows not to accept forgeries such as Facebook’s. “This attack doesn’t work on everything, but a significant portion of apps are still vulnerable because it’s not a standard threat model,” Choffnes explains.
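The two paragraphs above describe why a user-installed root certificate lets an interceptor impersonate any site, and why pinning stops it. The following Go program is an added illustration (not code from the article, from Facebook, or from any bank): it builds a device trust store, adds a user-installed root, and compares ordinary chain validation with a pinned check; the host name and certificate names are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert issues a certificate for name; parent == nil produces a self-signed root.
func makeCert(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // only fails if the system RNG does
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed: the template signs itself
		parent, parentKey = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err) // demo only
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert, priv
}

// spkiPin hashes the SubjectPublicKeyInfo, the value a pinning app ships in advance.
func spkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }
// accepts is ordinary chain validation against the device trust store; a non-zero pin also demands the expected key.
func accepts(leaf *x509.Certificate, roots *x509.CertPool, host string, pin [32]byte) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil && (pin == [32]byte{} || spkiPin(leaf) == pin) // zero pin: the app does not pin
}
// Scenario returns {store accepts genuine, store accepts forged, pinned accepts genuine, pinned accepts forged}.
func Scenario() [4]bool {
	const host = "store.example" // constructed hostname
	publicCA, publicKey := makeCert("PublicCA", true, nil, nil)
	genuine, _ := makeCert(host, false, publicCA, publicKey)
	injected, injectedKey := makeCert("ResearchRoot", true, nil, nil) // the user-installed root
	forged, _ := makeCert(host, false, injected, injectedKey)         // what the interceptor presents
	roots := x509.NewCertPool()
	roots.AddCert(publicCA)
	roots.AddCert(injected) // the device now trusts whatever that root signs
	return [4]bool{accepts(genuine, roots, host, [32]byte{}), accepts(forged, roots, host, [32]byte{}),
		accepts(genuine, roots, host, spkiPin(genuine)), accepts(forged, roots, host, spkiPin(genuine))}
}
```

Call Scenario() from a main or a test: the trust store accepts both certificates once the extra root is installed, while the pinned check accepts only the genuine one.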


Along with the root certificate, the Facebook app established an on-demand VPN connection that routed all participant traffic through Facebook’s servers before forwarding it to its final destination. This is essentially what all VPNs do; they disguise traffic by rerouting it, allowing you to conceal information such as your location so that you can, for example, access Gmail in China or watch streaming content that is not available in your country. However, VPNs cannot typically view your encrypted traffic because they lack the appropriate certificate. They can still view your unencrypted traffic, which can be a problem, but the vast majority of internet traffic today occurs over HTTPS connections, which are encrypted. With its root certificate installed, however, Facebook would be able to decrypt the browsing history or other network traffic of users who downloaded Research, possibly including their encrypted messages.

To use a non-digital analogy, Facebook not only intercepted every letter participants sent and received, it could also read them. All for $20 per month.

Using its VPN connection and root certificate, Facebook was able to collect extensive participant data, including their browsing history, apps used and for how long, and messages sent. According to TechCrunch, Facebook also requested that some users take screenshots of their Amazon order page, indicating that the social network may have been interested in consumer purchasing habits. But unless Facebook discloses what it hoped to learn from Research, it is impossible to determine precisely what the app was collecting.

Mike Murray, the chief security officer of the mobile security company Lookout, asserts, “Capability versus actual actions is a much larger question. Because everything occurs in the background, it is difficult to determine what they did.”

In the past, Facebook has utilized a comparable app to gather intelligence on its competitors. In 2013, the social network acquired Onavo, an Israeli VPN manufacturer, which it reportedly used to research popular emerging apps to copy or acquire them. It utilized Onavo to investigate WhatsApp, which Facebook later acquired in 2014. According to The Wall Street Journal, Facebook began promoting Onavo in its iOS app under the banner “Protect” last year, but later removed the app from the App Store after Apple claimed it violated its new data-sharing policies.

Facebook is not the only company hungry for information about what consumers do on their mobile devices. Google utilized Apple’s enterprise program to distribute the Screenwise Meter application, which also functions as a VPN. In exchange for allowing Google to collect and analyze its network traffic, participants receive gift cards from a variety of retailers. Participants can install tracking software on their router, laptop web browser, and television as part of a broader Google consumer behavior program. The Google app does not require users to install a root certificate, meaning that they cannot view encrypted traffic. Google was also not complying with Apple’s rules, so the iOS version of Screenwise has been disabled.

“This was an error, and we apologize,” a Google spokesperson said in a statement. “This application has been disabled on iOS devices. This application has always been completely voluntary. We’ve been transparent with users about how we use their data in this app, we have no access to encrypted data in apps and on devices, and users may opt-out at any time.”

While Facebook’s app is particularly intrusive, other companies, such as the data giant Nielsen, also pay or reward users in exchange for information about what they do online. People always download these apps and programs voluntarily, though they may not always comprehend the full extent of the access they are granting, especially if they are under the age of 18.

Even if you have no intention of profiting from the sale of your data, Facebook’s most recent privacy scandal should serve as a reminder to be wary of mobile apps that are not available for download in official app stores. It is simple to overlook the amount of information that may be collected or to install a malicious version of Fortnite, for example. VPNs can be effective privacy tools, but many free VPNs sell user information to generate revenue. Before downloading anything, especially an app that promises to earn you extra money, it is always prudent to reevaluate the associated risks.

The above article was written by the BestTopReviewsOnline team, which consists of some of the most knowledgeable technical experts in the United States. Our team consists of highly regarded writers with vast experience in smartphones, computer components, technology apps, security, and photography, among other fields.