Instead of downloading the application through the App Store or through Apple's own TestFlight beta testing program, users were getting it through three different beta testing services: BetaBound, uTest, and Applause. These three services ran ads on Instagram and Snapchat targeted specifically at a 13- to 35-year-old audience, describing it as a "paid social media research study." When signing up for the application, minors are asked to get permission from their parents through a form. One of the forms says, "There are no known risks associated with the project, but you acknowledge that the inherent nature of the project involves tracking personal information through the use of your child's applications."
Here is the text of the warning shown when users download the Facebook Research application through Applause (purchased by TechCrunch):
"By installing the software, you give the customer permission to collect data from your phone that will help them understand how you browse the Internet and how you use the features of the applications you have installed … This means that you allow our customer to collect information about what applications are on your phone, how and when you use them, data about your activities and content in those applications, and how others interact with you or your content in those applications. It also allows our customer to collect information about your Internet browsing activity (including the sites you visit and the data exchanged between your device and those sites) and your use of other online services. There are some cases where our customer will collect this information where the application uses encryption, or from secure browser sessions."
According to Will Strafach, a security expert hired by TechCrunch, the level of access granted to the Facebook Research application could let the company collect all types of data, including private messages, instant messaging chats that include photos and videos, activity emails and even location information.
Instead of downloading the application from Apple, users would download it from a separate Facebook URL, be instructed to install a corporate developer certificate, and allow the company to have root access on the phone. A program from Applause even urged users to provide screenshots of their Amazon order history. If users kept the VPN running and sending data to Facebook, they would be paid via gift certificates.
Facebook acknowledged the existence of this program to TechCrunch: "Like many companies, we invite people to take part in surveys that help us identify things we can do better. As this research aims to help Facebook understand how people use their mobile devices, we provide comprehensive information about what kind of data we collect and how they can participate. We do not share this information with others and people may stop participating at any time."
According to the Facebook spokesman, the company is not violating Apple's rules, as the application was distributed online under Apple's Enterprise Certificate program. But since the Enterprise Certificate program is primarily for internal developer use and not for a public beta where users would be paid, it is unclear if this is true.