A database isn't enough. They'd also need a way for that device to attest its identity to Apple, and serial numbers can be relatively easily copied (or sometimes even brute-forced).
This should be possible for newer devices using Apple's own chips, but I believe that at least non-T1/T2 Intel Macs lack any such capability.
> Why don't they check "is this device sitting on a shelf un-sold or does it belong to this account, activated"?
How would they know this? I highly doubt that every retailer in the world reports sold devices' serial numbers to Apple.
You are correct about pre-T1 Intel Macs though. Apple will have a blind spot by design, until support is dropped for old machines.
> Note this is different to what TechCrunch had revealed in 2019 in which Facebook were paying teenagers to gather data on usage habits. That resulted in the Onavo app being pulled from the app stores and fines. With the new MITM information revealed: what is currently unclear is if all app users had their traffic "intercepted" or just a subset of users.
So this seems to be new information about the Onavo Android app, but it’s not clear to me if the “install cert” button described was exactly the implementation of the previously reported research cert, or a new vector where people other than market research participants were MiTM’d. The analysis is just a bunch of circumstantial observations that _it is possible_ FB was doing more skeezy stuff than was previously known. But nothing here is incompatible with the previously reported stuff being all that happened, AFAICT.
The TechCrunch article clearly states that Onavo was the method they used to get the FB Research cert onto devices. (Presumably they distributed a different build of Onavo through their enterprise distribution channel.) It quotes:
> “We now have the capability to measure detailed in-app activity” from “parsing snapchat [sic] analytics collected from incentivized participants in Onavo’s research program,” read another email.
This sounds to me like there was one Onavo research program, but who knows; we have multiple project codenames.