
Can somebody explain the technical specifics of what was installed and what is revoked? I'm not familiar with iOS. My assumptions are: The original app, which was distributed by fb, installed a systemwide CA to MITM traffic after prompting the user. Is this not available to regular apps distributed on the store? This app was not on the app store but distributed out of band. In order to sideload apps on iOS, they still need to be approved by Apple? So Apple maintains a whitelist of developer certificates who can side load apps. Now, Apple has blacklisted this signing cert. However, this doesn't do anything to the CA, right? However, the article says, "Revoking a certificate not only stops apps from being distributed on iOS, but it also stops apps from working." How does this work exactly? Apple triggers all the clients in the world to freeze/remove these apps?


> The original app, which was distributed by fb, installed a systemwide CA to MITM traffic after prompting the user.

Correct.

> Is this not available to regular apps distributed on the store?

No, this is OK; VPN apps do exactly this, but they go through review to make sure that they are actually VPN apps and not, well, essentially what Facebook is trying to do here.

> This app was not on the app store but distributed out of band.

Yes.

> In order to sideload apps on iOS, they still need to be approved by Apple? So Apple maintains a whitelist of developer certificates who can side load apps.

You haven't mentioned it, but I think it's important to make the distinction about the two ways to sideload apps on iOS: you can self sign your app yourself for your device (generally via Xcode), which Apple doesn't really check at all, or you can be a company, get an enterprise certificate, and use this to sign apps and distribute them to other iOS devices, as Facebook was doing here. The catch is that you are supposed to only do this internally inside your company.

> the article says, "Revoking a certificate not only stops apps from being distributed on iOS, but it also stops apps from working." How does this work exactly? Apple triggers all the clients in the world to freeze/remove these apps?

iOS, as of iOS 8.4, periodically checks for revoked certificates and will refuse to run apps that were signed with something that Apple has blacklisted.


Thanks. A couple of questions.

> VPN apps do exactly this, but they go through review to make sure that they are actually VPN apps and not

A VPN app can tunnel network traffic, but it doesn't meddle with system certs or the CA. It doesn't get to decrypt TLS connections by default. So which one did fb do? Did they just tunnel traffic, or did they MITM TLS traffic as well? All the coverage about this story seems to be vague. If it's just the former, it doesn't seem that egregious since it is explicitly called out as a data collection app.

> iOS, as of iOS 8.4, periodically checks for revoked certificates and will refuse to run apps that were signed with something that Apple has blacklisted.

Again, I don't know how the system cert store is handled, but even if you can't run the app with the blacklisted dev cert, are the modifications that it made in the past (such as enrolling a CA) also reverted? In this case, that may be the desired outcome, but in general, that state is not really a part of the app.


> A VPN app can tunnel network traffic, but it doesn't meddle with system certs or the CA. It doesn't get to decrypt TLS connections by default. So which one did fb do? Did they just tunnel traffic, or did they MITM TLS traffic as well?

Sorry, I should have been more clear. Most VPN apps tunnel traffic, but the Facebook app is going further and inserting its own root certificate, allowing them to intercept TLS traffic. Some apps, like Charles Proxy, do this, but they obviously have a legitimate use for this.

> are the modifications that it made in the past (such as enrolling a CA) also reverted

I haven't tried it, but I'd like to think that this is the case.
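To make the mechanism in the reply above concrete, here is an added Go example (not code from the thread or from any of the apps discussed) showing why an installed root is what matters: a server certificate minted by a throwaway "intercepting" CA is rejected by normal chain validation, and is accepted only once that CA is in the trust pool. The names BuildChain and Trusted, the host example.com and both certificates are constructed for the example; the app-signing certificate that Apple revoked plays no part in this check, which is the point of the question about leftover state.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must panics on setup errors to keep the example short; real code would return them.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sign creates a certificate from tmpl, signed with the parent's key, and parses it back.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key))
	return must(x509.ParseCertificate(der))
}

// BuildChain mints a throwaway self-signed CA (standing in for the root an interception profile
// installs) and a server certificate for host issued by it, as a proxy would present. Both are constructed.
func BuildChain(host string) (root, leaf *x509.Certificate) {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Intercepting Root"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root = sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	leaf = sign(&x509.Certificate{
		SerialNumber: big.NewInt(2), DNSNames: []string{host}, NotBefore: nb, NotAfter: na,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, &leafKey.PublicKey, rootKey)
	return root, leaf
}

// Trusted reports whether leaf validates for host against roots: an empty pool models a device
// without the CA installed, a pool containing the root models the installed profile.
func Trusted(leaf *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}
```

Auditing which roots a device trusts beyond the platform defaults is therefore the check that tells you whether interception is still possible after the app itself has been blocked.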
