Exposed! Facebook pays teenagers to install app that harvests personal data

Root-certificate app sucked up phones’ private data and web browsing activity.

Graham Cluley

Since 2016 Facebook has been paying users aged 13-35 up to $20 per month to install an app which has almost limitless access to their smartphones and most sensitive data.

Reporters at TechCrunch exposed the scheme, which saw users install a “research” app capable of scooping up:

  • private chat messages, including photos and videos
  • emails
  • web-browsing activity
  • a list of which apps were installed on the device, and when they were last used
  • the user’s physical location history
  • data usage

According to the report, the app is similar to the Onavo Protect VPN app that Facebook was forced to withdraw from the iOS App Store after Apple determined that it was breaking its data-collection policies.

From the sound of things, Facebook is installing the offending app using the enterprise provisioning features that Apple provides for companies who wish to roll out their own enterprise certificate-signed versions of apps to employees, rather than the official iOS App Store.

They do this by asking users to install a root certificate which has almost unlimited access to the phone. The enterprise provisioning feature is intended for employees of a company, not 13-year-old users of a social media website. In short, Facebook has again breached Apple’s rules.

Facebook research app

It seems to me that Apple would be well within its rights to revoke the certificates. Whether Apple will be prepared to take that ballsy step remains to be seen, but it would certainly see tensions between the two companies flare up.

Josh Constine at TechCrunch writes:

“The strategy shows how far Facebook is willing to go and how much it’s willing to pay to protect its dominance — even at the risk of breaking the rules of Apple’s iOS platform on which it depends. Apple could seek to block Facebook from continuing to distribute its Research app, or even revoke its permission to offer employee-only apps, and the situation could further chill relations between the tech giants. Apple’s Tim Cook has repeatedly criticized Facebook’s data collection practices. Facebook disobeying iOS policies to slurp up more information could become a new talking point.”

Within hours of TechCrunch’s report being published, Facebook moved from a position of defending its behaviour on the grounds that participants consented (it’s unclear how Facebook confirmed 13-year-olds received their parents’ permission) to announcing that they would be halting the research program on Apple devices.

According to a BBC News report, when it posed as a 14-year-old boy during its own test, it was able to download the app without any request for parental consent.

For now there is no indication that Facebook is planning to stop the “research” on Android phones.

I can’t imagine why anyone would trust Facebook with their personal profile information, let alone install apps which can read their private chats and emails or track their web browsing.

If you feel the same, then why not join me by deleting your account? If you’re finding it hard to quit, why not listen to this “Smashing Security” podcast we put together describing the process:

Smashing Security #75: 'Quitting Facebook'



Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast.

2 comments on “Exposed! Facebook pays teenagers to install app that harvests personal data”

  1. Etaoin Shrdlu

    If only you *could* delete your account.

    1. Vog Bedrog · in reply to Etaoin Shrdlu

      And if only they weren't sucking up all available data on non-users anyway.
