Apple has removed some apps from iTunes over concerns they could compromise users’ sensitive details, the technology giant said on Friday.
The maker of the iPhone and iPad did not reveal how many apps had been taken down, but the problem appeared to center on products that install root certificates.
While Apple has built ad blocking into iOS 9, some apps go beyond the supported capabilities of blocking adverts in Safari. The apps also block adverts in other apps, and some do so by installing root certificates.
While the extra features are nice, the use of root certificates also introduces a huge security hole. Ad blockers in particular use root certificates as a means of blocking ads within apps, but a root certificate also lets the developers of those apps view their users’ otherwise encrypted traffic in unencrypted form, such as the web pages they are visiting, which could include sensitive financial information.
The ad blocker may have installed the root certificate with the best of intentions, but as we learned in the Lenovo Superfish scandal, this type of process exposes otherwise secure traffic as it is being transported from your phone to the app’s servers. A hacker could target an iDevice compromised by one of the root certificates and carry out what’s known as a “man-in-the-middle” attack to intercept this traffic and steal sensitive data.
However, Apple has not indicated that anything malicious has happened so far.
“Apple is deeply committed to protecting customer privacy and security. We’ve removed a few apps from the App Store that install root certificates which enable the monitoring of customer network data that can in turn be used to compromise SSL/TLS security solutions,” the company said in a statement.
“We are working closely with these developers to quickly get their apps back on the App Store, while ensuring customer privacy and security is not at risk.”
Been Choice, an in-app ad blocker, was one such app affected by Apple’s move. The company confirmed via Twitter that it was making changes and would resubmit its app to comply with Apple’s policy.
by Jillian Love / Reuters, editing by Nate Hoffelder, image by Beck Diefenbach