So there's the ios developer program which lets you publish apps to the apple app store, but what facebook is getting dinged for is their enterprise developer certificate. You get an enterprise certificate through a different, more stringent process than the developer program, and it allows you to freely distribute an app to any device, through means outside of the app store.

I'm not a fan of the walled garden bullshit apple pulls with the app store, but what Facebook was doing was hugely bad from a security standpoint. Enterprise apps are supposed to only be distributed within your enterprise, and come with certain relaxations of security restrictions. Apple is super super clear that you're only supposed to distribute enterprise apps internally or else you will have your cert revoked. Facebook exploited the enterprise program to instead distribute an application outside their enterprise and not only that, to track end users.