>VPN apps do exactly this, but they go through review to make sure that they are actually VPN apps and not
A VPN app can tunnel network traffic, but it doesn't meddle with system certs or the CA. It doesn't get to decrypt TLS connections by default. So which one did fb do? Did they just tunnel traffic, or did they MITM TLS traffic as well? All the coverage about this story seems to be vague. If it's just the former, it doesn't seem that egregious since it is explicitly called out as a data collection app.
>iOS, as of iOS 8.4, periodically checks for revoked certificates and will refuse to run apps that were signed with something that Apple has blacklisted.
Again, I don't know how the system cert store is handled, but even if you can't run the app with the blacklisted dev cert, are the modifications that it made in the past (such as enrolling a CA) also reverted? In this case, that may be the desired outcome, but in general, that state is not really a part of the app.
> A VPN app can tunnel network traffic, but it doesn't meddle with system certs or the CA. It doesn't get to decrypt TLS connections by default. So which one did fb do? Did they just tunnel traffic, or did they MITM TLS traffic as well?
Sorry, I should have been more clear. Most VPN apps tunnel traffic, but the Facebook app is going further and inserting its own root certificate, allowing them to intercept TLS traffic. Some apps, like Charles Proxy, do this, but they obviously have a legitimate use for it.
> are the modifications that it made in the past (such as enrolling a CA) also reverted
I haven't tried it, but I'd like to think that this is the case.
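Added example (not from the thread): a small Go program with constructed certificates showing why an injected root defeats the OS trust store but not an app that pins its server's public key. Names like example.test and the Scenario function are made up for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a constructed certificate for name, signed by parent (self-signed when parent is nil).
func mkCert(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         isCA, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil { parent, parentKey = tmpl, key } // self-signed root
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// spkiPin is the SHA-256 of the SubjectPublicKeyInfo, the value a pinning app ships with at build time.
func spkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

// trustedByStore is the check the OS performs: does the leaf chain to any root in the trust store?
func trustedByStore(leaf *x509.Certificate, pool *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

type Outcome struct{ StoreOK, PinOK bool }

// Scenario builds a genuine CA and leaf plus an injected CA with a forged leaf for the same host,
// trusts both CAs (what installing a root certificate does), and runs both checks on each leaf.
func Scenario(host string) (genuine, forged Outcome) {
	realCA, realKey := mkCert("real-root.test", true, nil, nil)
	mitmCA, mitmKey := mkCert("injected-root.test", true, nil, nil)
	goodLeaf, _ := mkCert(host, false, realCA, realKey)
	forgedLeaf, _ := mkCert(host, false, mitmCA, mitmKey)
	pool := x509.NewCertPool()
	pool.AddCert(realCA); pool.AddCert(mitmCA) // store now trusts the injected root too
	pin := spkiPin(goodLeaf)                    // pinned before any root was injected
	genuine = Outcome{trustedByStore(goodLeaf, pool, host), spkiPin(goodLeaf) == pin}
	forged = Outcome{trustedByStore(forgedLeaf, pool, host), spkiPin(forgedLeaf) == pin}
	return genuine, forged
}
```

The forged leaf passes the trust store (both checks say true for the genuine one) but fails the pin, which is the only signal an app has once the user has been talked into trusting a new root.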