I really didn’t want to write this. But, I also can see this is a conversation that’s going to come up and I really don’t want to have it over and over again either. So, here we are. This is a story in two parts, so hang on to your hat.
The FaceTime Bug
There was/is an unfortunate bug in Group FaceTime that was discovered about a week ago by a 14-year-old. The teen responsibly disclosed the bug to Apple through their published reporting chain, but it appears Apple didn’t accurately prioritize the issue until it hit the media.
Once the media got hold of the issue, Apple made the decision to shut down the Group FaceTime service server-side until a patch could be deployed in response to feedback from the community. All in all, it was a bad bug and a miss on Apple’s part to respond in a timely manner, but chances are by the time you heard about it, a temporary fix was already in place.
Before you rush out and throw out your device and grab an Android phone, there’s a dark secret you need to know. While the Android OS itself is reasonably secure and well developed, device manufacturers are notoriously bad about not shipping updates to devices, meaning the state the average Android device is in isn’t great either.
So, the summary? Hopefully Apple learns and improves their triage process for vulnerability notifications, but at the end of the day they’re doing an excellent job of security. Further reading: Android is still an unsecure mess compared to the iPhone even when it’s not on your phone (BGR) & Android vs. iOS: Which is more secure? (Symantec).
Enterprise Development Certificates
For companies that want to deploy enterprise-grade apps on their employees’ devices that aren’t suitable for release through the official Apple App Store, Apple offers the Apple Developer Enterprise Program.
There is no way Apple could make the purpose of this program more clear. It is for distributing apps to the employees of an enterprise; it is NOT for the public distribution of software that does not comply with App Store guidelines.
Facebook and Google received media attention this week for using this program to publicly distribute applications that collect detailed usage data from their users. Once Apple became aware of this behavior, which is very clearly against the terms of this program, they revoked the certificates – effectively disabling the applications. This had the secondary effect of disabling internal applications used by the companies for things like ordering lunch and working with their in-house transportation offerings.
Given Apple’s history and very public stance against privacy invasion, and the fact that this is a flagrant violation of the terms of this service, I really don’t see how Apple had any other options.
Update: 10:15 PM
Apple has issued new Enterprise Distribution Certificates to Facebook (and probably Google) for them to re-sign and distribute their internal applications.