Ad-blocking apps that Apple removed had installed root certificates that may have enabled third parties to view private user information.
Apple has removed some ad-blocking and content-blocking applications from iTunes due to rising privacy concerns, because the apps installed root certificates that may expose all traffic from a device to the blocker, including encrypted traffic. This arrangement is comparable to what is known as a man-in-the-middle attack, except that this time it is voluntary.
On October 9, Apple expressed its deep commitment to protecting customers’ privacy and security, and said it will continue to work with the developers to get their apps back on iTunes without endangering customers’ security and privacy. Apple explained that the removal targeted:
“A few apps from the App Store that install root certificates that enable the monitoring of customer network data that can in turn be used to compromise SSL/TLS security solutions.”
While a public statement listing the affected applications has yet to be issued, Been Choice, or “the most powerful blocker available” as it claims on its site, confirmed through Twitter that it was one of the apps that were removed. In the post, Been Choice stated:
“We will remove ad blocking for FB, Google, Yahoo, Yahoo Fin., and Pinterest and resubmit tomorrow, to comply.”
Been Choice’s method made content blocking possible in Safari and within apps, including Facebook and Apple News.
Related to this, Apple has introduced the Safari View Controller to allow content blocking from Web sources in iOS, where it does not allow any blocking program to carry out tracking on its own. Standalone apps, however, have been allowed a free pass from blocking. Content blocking in apps would have affected Apple’s very own in-app ad service (iAd).
Been Choice appears to be caving in to Apple in its Twitter post, although David Yoon, the co-founder of Been Choice, told InformationWeek through email on Friday that the company is not giving up and is merely changing its techniques. Yoon said that Apple had pulled the apps and then noted in the iTunes store interface that they would call, and that during the call it was clear that the matter concerned the root certificate issue.
@reneritchie We will remove ad blocking for FB, Google, Yahoo, Yahoo Fin., and Pinterest and resubmit tomorrow, to comply.
— Been® Choice (@beenchoice) October 9, 2015
Yoon further explained how Been Choice will respond, stating that the root certificates will be removed and the app resubmitted, although there are others who have VPNs that block ads, possibly without the use of root certificates. “Our goal is to give users a real choice between privacy and sharing. So that is what we need to do, the best we can under the guidelines,” he concluded.
About three weeks prior to this app sweep, the App Store discovered over two dozen infected Chinese apps that installed their root certificates. These apps were produced by developers who were not aware that a fake version of the Apple developer tool Xcode was used, resulting in a malicious payload that delivers malware to the end user.
Apple seems to ascribe malicious intent to the developers only indirectly, and it has shown that it is no stranger to dealing with privacy issues, which have occurred quite often recently.