Apple this evening removed a handful of apps from the App Store that install root certificates of their own. By installing their own root certificate, the app developers could theoretically gain access to encrypted traffic from users. Among the apps being removed are a select number of ad blockers. The ad blockers that have been removed are ones that block content both in Safari and in other apps.
To block ads in third-party apps, developers essentially set up a VPN that routes all traffic through the developer’s servers, where the ads are removed. This process could, obviously, be used for malicious purposes.
One of the most prominent apps that has been removed is ad blocker Been Choice, which follows essentially the process described above, installing a root certificate on the device. Because it did this, Been Choice was able to block ads inside other apps.
Apple said in a statement to TechCrunch that it removed “a few apps” because they compromise SSL/TLS security solutions. The company also noted, however, that it is working with the developers of the removed apps to get them back onto the App Store with more security measures in place.
“Apple is deeply committed to protecting customer privacy and security. We’ve removed a few apps from the App Store that install root certificates which enable the monitoring of customer network data that can in turn be used to compromise SSL/TLS security solutions. We are working closely with these developers to quickly get their apps back on the App Store, while ensuring customer privacy and security is not at risk.”
Whether or not these apps will return with the capability of blocking content inside other apps remains to be seen, but given that Apple doesn’t offer an official method by which to do that, it seems unlikely.
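The combination described above (a developer-supplied root certificate plus a VPN that redirects traffic) can be checked for on a managed device. The following is an added example, not code from Apple or from any of the apps mentioned: it assumes the certificate and VPN arrive in an iOS configuration profile (.mobileconfig), uses Apple's payload type strings, and runs on a constructed sample profile.

```python
import plistlib

# Apple configuration-profile payload types. The root type installs a trust
# anchor; the other certificate types are reviewed conservatively (assumption).
CERT_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1", "com.apple.security.pem"}
REDIRECT_TYPES = {"com.apple.vpn.managed", "com.apple.proxy.http.global"}

def load_profile(blob: bytes) -> dict:
    """Parse a profile; signed profiles wrap the XML plist in CMS, so cut it out."""
    start, end = blob.find(b"<?xml"), blob.rfind(b"</plist>")
    if start != -1 and end != -1:
        blob = blob[start:end + len(b"</plist>")]
    return plistlib.loads(blob)

def audit_profile(blob: bytes) -> dict:
    """Report certificate payloads and traffic-redirecting payloads in one profile."""
    certs, redirects = [], []
    for payload in load_profile(blob).get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        name = payload.get("PayloadDisplayName", "(unnamed)")
        if ptype in CERT_TYPES:
            certs.append((ptype, name))
        elif ptype in REDIRECT_TYPES:
            redirects.append((ptype, name))
    return {
        "certificates": certs,
        "redirects": redirects,
        # A trusted certificate plus redirected traffic is what makes TLS readable.
        "interception_capable": bool(certs) and bool(redirects),
    }

# Constructed sample profile: names and certificate bytes are placeholders.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "example.adblock.profile",
    "PayloadContent": [
        {"PayloadType": "com.apple.security.root",
         "PayloadDisplayName": "Example Filter CA",
         "PayloadContent": b"constructed-not-a-real-certificate"},
        {"PayloadType": "com.apple.vpn.managed",
         "PayloadDisplayName": "Example Filter VPN", "VPNType": "IPSec"},
    ],
})

if __name__ == "__main__":
    print(audit_profile(SAMPLE))
```

A profile that carries only a VPN payload, or only a certificate, is reported but not flagged as interception capable.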
I’m surprised these apps got through the Walled Garden (™). With over a million apps, one would presume they have most of it done automatically. And a security thing like SSL/TLS and certificates would be one of those things they’d check. Strange.
I would say it’s more the Walled Garden of Eden (™). You might can sneak in, but once they find you ate from the tree, you’re kicked out. :)
Will Apple release a list of the apps removed? AdBlockers came on strong several weeks ago and then the developer of Peace had a change of heart – and then took his app down. Any relationship to this oversight?
The purpose of these alternative root certificates is that they give the blocker’s app developers access to encrypted traffic from users, purported to strip ads.
Their whole purpose is to gain access to encrypted traffic from users.
This is an effective but really stupid approach by the developers. Unless they wanted all your data, which, theoretically, they could mine and sell.
No, the purpose of them was to block all ads; the unfortunate side effect was that it would give them full access to the data. But the main purpose was definitely not to give them the access to the data.
You guys REALLY need to re-read and think about your article titles. This is not the first time I’ve seen a confusing/misleading title either.
“Apple removing ad blockers that install root certificates from the App Store” Just read that. So Apple is removing ad blockers, that will install root certificates from the App Store?
Apple removing root certificate installing ad blockers from the App Store.
I never bought any of the apps I use to block ads inside of other apps I use (and I only use one that does and that’s GasBuddy) but ever since upgrading to iOS 9 and installing Crystal, Purify and 1Blocker I’ve noticed that ads no longer appear in that app.
Root certs are needed to block HTTPS ads
Hello. I’m one of the developers behind AdBlock (https://www.adblockios.com) and Weblock (https://www.weblockapp.com) apps. We’ve been blocking ads on iOS since 2012 (so much earlier than iOS9 Safari content blocking feature was available, which caused the recent rise of many iOS blockers). Both of our apps have always worked not only in Safari, but also in other apps.
On 9th October AdBlock got removed from the App Store by Apple, due to the problem described here in this post. It appears that the same problem affected also other developers of ad blocking apps.
It just so happens that for some time we have been working on a major update of our app. When Apple pulled the current version of AdBlock from the App Store, we already had v2.0 ready and uploaded it for review almost instantly. One of the things we’ve changed in it is the method used to store configuration on the device. Now it does not require a trusted certificate to be installed, so the potential security threat described in the article is eliminated. Apple has just approved this version for publication, so I’m letting everyone know that ad blocking in third party apps is again possible using AdBlock. What’s also important is that none of the user traffic goes through an actual VPN or proxy server, so the solution we’ve used guarantees data safety. Since there is no trusted certificate installed, there’s also no technical possibility to do man-in-the-middle attacks on the user traffic, but it still can be effectively blocked locally on the device.