Apple Dumps Ad-Blocking Apps Over Privacy Fears

The apps removed from Apple's store installed a root certificate that would have allowed developers to view traffic passing through them at the packet level.
Apple has pulled some ad-blocking and content-blocking apps from its store over privacy concerns. Specifically, the apps installed root certificates that expose all traffic (including encrypted traffic) from a device to the blocker.

The technique is basically the same thing as a man-in-the-middle attack, but voluntary.

"Apple is deeply committed to protecting customer privacy and security. We've removed a few apps from the App Store that install root certificates which enable the monitoring of customer network data that can in turn be used to compromise SSL/TLS security solutions. We are working closely with these developers to quickly get their apps back on the App Store, while ensuring customer privacy and security is not at risk," according to a statement Apple sent to InformationWeek on Friday, Oct. 9.

While Apple did not name names, Been Choice, which claims on its site to be "the most powerful blocker available," revealed on Twitter that it was among the apps that were pulled.

"We will remove ad blocking for FB, Google, Yahoo, Yahoo Fin., and Pinterest and resubmit tomorrow, to comply," Been Choice said in the post.  

Been Choice's method allowed it to block content in Safari and within apps, including Facebook and Apple News. 

Apple has provided tools (the Safari View Controller, or SVC) in iOS 9 to allow content blocking from Web sources. SVC does not allow any blocking program to carry out tracking on its own.

However, Apple has allowed standalone apps a free pass from blocking.

Apple has an in-app ad service (iAd) that would have been affected by content blocking in apps.

According to its Twitter post, Been Choice appears to be caving in to Apple. However, David Yoon, the cofounder of Been Choice, told InformationWeek in an email Friday that the company is not giving up, only changing techniques.

"They pulled us and then noted in the interface to iTunes store that they would call. During the call they told us it was the root cert issue," he said.

He went on to outline how Been Choice will respond. "We will remove root certs and resubmit. ... We want to resubmit this morning. There are others [who] have VPNs that block ads. But perhaps without root certs. So we will try that. Our goal is to give users a real choice between privacy and sharing. So that is what we need to do, the best we can under the guidelines."

This app sweep occurs about three weeks after more than two dozen infected Chinese apps that installed their own root certificates were found in the App Store. They were produced by developers who were unaware that they were using a fake version of the Apple developer tool Xcode. These apps carried a malicious payload that delivered malware to the end user.

This is not the same situation, since Apple seems not to be directly ascribing malicious intent to the developers. It does show that Apple is no stranger to dealing with privacy issues, especially lately.
