Apple has removed some apps from its App Store for installing a root certificate that would have allowed the developers to view encrypted traffic from their users. The company said in a statement that it was working with the developers to get their apps back on the store.
Some ad blockers are among the apps being removed, largely because they could use those root certificates to examine the traffic passing through them (the websites you view and more) at the packet level, bypassing encryption and other data protection methods. Apple is typically careful about which root certificates it authorizes via iOS and OS X.
These ad blockers are unlike the content blockers that use the framework Apple built into iOS 9 to allow ad-blocking in Safari. The removed apps block ads and other content inside apps by scraping them out of your web traffic. The only way to do that is to set up a VPN-type arrangement where your traffic flows through the app-maker’s servers to perform the injection, or in this case, removal.
While not overtly malicious, this arrangement is potentially misleading and dangerous. Passing information through an external server where a third party can read it is an app-in-the-middle situation. That’s a scenario closely associated with hacking attacks because it is transparent to the user and gives access to unencrypted traffic.
One of the apps that has been removed is apparently Been Choice, a content blocker that worked even inside apps. We covered them recently and remarked that it was very curious that they were able to do what they do inside of Apple’s system. The app is currently no longer available on the App Store.
In the case of a traditional VPN app, people are explicitly aware that their traffic is being routed through an external server. With content blockers, not so much. So Apple is likely putting the kibosh on these apps for three reasons: they use a third-party root certificate, they route traffic through external servers to perform those actions, and that routing is not expected behavior, as it is with a VPN. Apple has also expanded its support for VPNs with official frameworks in iOS 9.
Here is Apple’s statement:
Apple is deeply committed to protecting customer privacy and security. We’ve removed a few apps from the App Store that install root certificates which enable the monitoring of customer network data that can in turn be used to compromise SSL/TLS security solutions. We are working closely with these developers to quickly get their apps back on the App Store, while ensuring customer privacy and security is not at risk.
Apple currently has no frameworks available for blocking ads or other content inside of apps as there are in Safari. Developers do have to make alterations in their apps for content blockers to be able to affect instances of the Safari in-app browser.