NEWS ANALYSIS: Apple is doing the right thing by restricting the use of apps that install a root certificate, but it's surprising it didn't notice this earlier.
Apple is taking measures to improve user security by removing multiple apps from the App Store that attempted to install their own root certificates.
It's not clear precisely how many apps have been pulled so far although it's clear that ad-blocking apps are the primary target. The Been Choice ad blocking app is among those that have been pulled from the App Store over security concerns. Been Choice stated
in a Twitter message Oct. 9 that it has now resubmitted its app to comply with Apple's request for changes.
In a statement that Apple provided to media outlets, the company emphasized that it is deeply committed to protecting customer privacy and security.
"We've removed a few apps from the App Store that install root certificates which enable the monitoring of customer network data that can in turn be used to compromise SSL/TLS security solutions," Apple stated. "We are working closely with these developers to quickly get their apps back on the App Store, while ensuring customer privacy and security is not at risk."
Ad-blocking apps were first allowed by Apple as part of the iOS 9 update
that rolled out to users on Sept. 16. With ad-blocking technologies, apps block or restrict access to in-app advertisements as well as Web ads. There are multiple techniques for blocking ads, with one of them making use of Secure Sockets Layer/Transport Layer Security (SSL/TLS) root certificates.
An SSL/TLS root certificate is a trusted element and could also potentially enable an application to read and/or intercept other SSL/TLS encrypted data. Lenovo got in trouble with its users earlier this year over the Superfish adware
that was preinstalled on its PCs. Like the iOS 9 ad-blocking apps, Superfish made use of a root certificate, which security experts criticized widely as being a non-trivial security risk.
"Installing a root CA [Certificate Authority] certificate on any device circumvents the fundamental foundation of online security," Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, told eWEEK.
"CAs undergo heavy vetting and auditing and any app that installs a CA certificate poses a huge threat. No app should be installing its own CA certificate."
The issue of root CA potential misuse is clearly not new, yet somehow, it still managed to sneak past Apple's App Store gatekeepers for the ad-blocking software apps. In the fullness of time, it's likely that more details and visibility will come to the precise number of apps that have been removed in this process. It's also likely that Apple will ensure that its App Store application process as well as automated scanning technologies will seek out root certificates and make sure they're not part of apps.
It's good news that Apple is doing the right thing now by restricting the use of apps that install a root certificate. It is, however, curious to note that Apple didn't notice this initially despite the company's vaunted and rigorous app-approval process.
It's the second time in recent months that Apple is being forced to remove potentially problematic apps from its App Store after it had approved them. In September, Apple had to remove
more than 30 apps after it was discovered the apps were built using malicious versions of Xcode.
No doubt, Apple engineers will be busy in the coming days and weeks doubling down on their effort to further improve the App Store app-approval process to prevent potentially malicious apps from ever landing in the first place.
Sean Michael Kerner is a senior editor at
InternetNews.com. Follow him on Twitter @TechJournalist