How Apple DESTROYED Facebook’s Spyware

Facebook was interested in licensing the Pegasus malware to spy on their own iOS users. John Gruber reminded me about this on Daring Fireball, but let it sink in for a moment. Bad enough it’s less Big Tech and more Big Social Tobacco, but does it really have to be so damn Big Social Brother about it so always? Just wait until you hear the story, because it’s a slobberknocker, and then you tell me!

Pegasus Spyware, which was splattered Watchmen-smiley-face-bloodstain-style all over the news cycle a couple of weeks ago, is what the NSO Group licenses out to nation states and agencies to infect iPhones and Android phones for the purposes of intelligence and counter-intelligence gathering, including, according to the recent accusations, authoritarian regimes who use it on journalists, dissidents, opposition parties, even other governments.

In a declaration from the NSO Group’s CEO, he said two Facebook representatives approached them back in October 2017 and asked to purchase the right to use certain capabilities of their military-grade Pegasus spyware on iPhone users. Why, and what did Apple do about it? Pop a beverage and hit play!

Now, previously, Facebook had been just… running rampant on iOS. Using older frameworks to monitor what other apps we had installed on our iPhones, so they could try to figure out where we were spending our time and attention. You know, when we weren’t on Facebook.

It’s how they identified threats. We’re scrolling Instagram instead of the Newsfeed? Buy Instagram! We’re texting through WhatsApp instead of Messenger? Buy WhatsApp! We’re snapping our chats instead of booking our faces? Buy Snapchat! Oh, they won’t sell? Clone their features! Stories everywhere!

It’s why Facebook seemed to be willing to pay what were considered ludicrous prices at the time, or face-hugger on what seemed like completely alien feature sets, only to have… turns out… gotten ludicrously good deals and stolen back tons of attention now in hindsight.

But that golden era of data piracy was ending. Apple was cracking down. And tightening up. The ability to see what other apps were installed and figure out what we were using and doing was becoming increasingly difficult, if not impossible.

And, unlike Google, Facebook had just never been able to get their act together enough to ship their own phone or browser platform, like Android, Pixel, and Chrome, so they couldn’t just get the data directly, straight from the source.

That’s probably why Facebook bought Onavo in 2013, which among other things, offered a virtual private network or VPN service. Now, a VPN’s job is to protect our internet traffic — everything we’re doing on the net, every site we’re going to, every server we’re connecting to — by tunneling it away from our computers and out through the VPN’s computers. That shields our activities from our ISP, blocks person-in-the-middle attacks on free wi-fi networks like at coffee shops and airports, and sometimes allows for geo-hopping so we can watch Netflix in… I dunno… France?

But because all of our traffic is now tunneling through the VPN, the VPN gets full knowledge: they’re the one who sees every site we’re going to, every server we’re connecting to. And Onavo had been using — or abusing — that fact for data harvesting. Which had already led it to be frequently classified as — you guessed it — spyware.

Now that VPN, that spyware, was Facebook’s, and in a plan fiendishly clever in its intricacies, they started using Onavo to work around Apple’s protections and resume spying on iOS user activity. Our activity. Even going so far as to advertise Onavo inside the Facebook app to get it onto more iPhones.

But, apparently, that still wasn’t enough. According to the NSO Group’s CEO, Facebook said Onavo still wasn’t as effective at gathering user data from iPhones as it was from Android phones. So, get this, Facebook was willing to pay a monthly per-user fee to NSO for parts of Pegasus so they could more deeply monitor people using Onavo Protect on iPhones.

By parts, it likely means the data harvesting parts. Facebook wouldn’t need the hacking parts because… well… we’re doing that for them, hacking ourselves, by installing their apps. They just needed a way to pull out more of our data than Apple’s security and privacy protections otherwise allowed. And, I guess they figured military-grade spyware was the way to go there?

Now, Facebook claimed NSO’s account was inaccurate and misrepresented the discussion, but offered no alternate account or rationale for that discussion, at least that I’ve ever seen. Facebook also claimed NSO was making the claims to deflect from Facebook suing them over NSO’s exploits of WhatsApp.

NSO said they ultimately refused to license any part or parts of Pegasus to Facebook because Facebook is a private company and NSO only deals with governments. Which governments, exactly, is the current controversy.

Anyway, Facebook was forced to pull Onavo Protect from the iOS App Store in 2018, due to fatal violation of Apple’s anti-data harvesting policies.

But, of course, this story doesn’t end there. Like Spice, the data must flow. So why not just go full on Harkonnen?

Facebook began offering something called The Facebook Research app. Deal was, they’d pay up to $20 a month, and in exchange, they’d get to collect data on our app usage, web browsing history, web search history, location history, personal messages, photos, videos, emails, and Amazon order history. Though it’s unclear how much of that was really made 100% crystal clear up front rather than just being buried in some fine print somewhere.

Kicker was… the Facebook Research app was allegedly just Onavo Protect rebranded and distributed outside the App Store. Uppercut was Facebook using ads on networks like Instagram and Snapchat to target it at teenagers — children as young as 13. Facebook also started using their beta programs as another way to install their certificates on iPhones. All of this in direct violation of Apple’s policies on how certificate distribution is supposed to work — in other words, they’re for internal use within a company only, never for external distribution and end-runs around App Store privacy protections.

So, when all this came out, Apple pulled Facebook’s developer certificate, which immediately killed all instances of Facebook Research on all iOS devices, everywhere. Yeah, go walled garden capabilities go! It also killed all of Facebook’s internal apps, so… nobody could check the cantina menu or find their way around campus for a bit, or something?

After some weak ass attempts to spin, deny, deflect, Facebook sunsetted the Research app for good, even on Android. Apple restored Facebook’s developer certificate a month after they first pulled it as well. But Apple also started ratcheting up the privacy protections. Including app tracking transparency and privacy labels in iOS 14 and now Privacy Reports and Private Relay in iOS 15.

Which is why Facebook said they needed to start inflicting pain on Apple, even as Apple was encouraging Facebook to just delete our data.

And I’ve got videos up deep diving into… just all of that.