OurPact: Apple’s Statement on Parental Control Apps Using MDM Misleading and Inaccurate

iOS 12 Screen Time Notifications

Earlier this week, the New York Times posted a detailed report highlighting how Apple removed third-party parental control apps from the App Store that offered features similar to Screen Time. Following a backlash, Apple’s Eddy Cue replied to an email in great detail mentioning how such apps were using MDM (Mobile Device Management) and posed a risk to user data and privacy. Apple then went ahead and even posted an official statement about the same. Now, one of the parental app developers — OurPact — has hit back at Apple and called the company’s statements false.

In a Medium post, OurPact says that Apple’s statement is “misleading and prevents a constructive conversation around the future of parental controls on iOS.” It clarifies that ever since OurPact was released, it has used a publicly documented technology from Apple known as MDM.

While MDM was initially meant for BYOD implementations and enterprise, it was also being used by many parental control apps to offer advanced functionality. In fact, Apple itself expanded MDM for use by children and teachers in school.

Without MDM, it would not have been possible for OurPact to offer their app. The company says that it has been transparent in its use of MDM and has even documented it in its submissions to the App Store.

What’s interesting is that Apple says that by using MDM, these third-party apps pose a risk to user data and privacy. But OurPact says that, as per Apple’s documentation, apps using MDM cannot see the following personal data:

  • Personal or work mail, calendars, contacts
  • SMS or iMessages
  • Safari browser history
  • FaceTime or phone call logs
  • Personal reminders and notes
  • Frequency of app use
  • Device location

In his email, Schiller said that MDM profiles were risky since they could be used by hackers for malicious purposes. However, Apple’s MDM documentation says something else entirely.

“When users enroll in MDM for the first time on an iOS device, they are provided with information about what the MDM server can access on their devices and the features it will configure. This provides transparency to users about what is being managed, and establishes trust between you and the users.”

OurPact has also mentioned the data that it collects as a part of its post. This includes the child's name, age and gender, installed applications, and location data. Despite Apple pulling OurPact from the App Store for using MDM, it had previously approved the apps 37 times. Worse, Apple did not inform OurPact or give them a 30-day notice before removing their app from the App Store.

The timing of the app being pulled was also very strange. Apple removed OurPact’s app from the App Store in October 2018, right after it released iOS 12, which included Screen Time. The whole timeline of communication between Apple and OurPact is also very interesting: when the app was removed, Apple never once raised privacy as a concern, even though it highlights privacy so much in its statement.

If you are intrigued by the whole thing, make sure to read the entire post from OurPact on Medium by hitting the source link below. Apple certainly seems to have double standards here, and it should work with developers to resolve their issues instead of simply removing their apps from the App Store and then putting the blame on them later by highlighting privacy and security risks. It is also clear that Apple needs to work on improving its communications with developers. Apple needs to remember that the App Store works because of the millions of apps on it from talented developers. Without them, the App Store would not have reached where it is today.

[Via Medium]