Apple has purged its App Store of a number of apps that expose encrypted traffic via the installation of root certificates. Apple has declined to name the apps.
“Apple has removed a few apps from the App Store that install root certificates that could allow monitoring of data,” Apple said today in a statement on its website. “This monitoring could be used to compromise SSL/TLS security solutions.”
Related Posts
Practical SHA-1 Collision Months, Not Years, Away
YiSpecter iOS Malware Abuses Apple Enterprise Certs to Push Adware
Threatpost News Wrap, October 2, 2015
A request to Apple for further comment was not returned in time for publication.
Apple also suggested that in addition to deleting the apps in question, users should also be sure to delete the apps’ respective configuration profiles.
The offending apps not only installed root certificates, but some that were removed reportedly also provided ad-blocking capabilities in Safari and other apps such as Facebook.
One of the apps apparently is Been Choice, which via a root cert it installs, can block ads inside apps.
Been’s Choice app was pulled from the App Store. We’ll remove ad blocking for FB, Google, Yahoo, and Pinterest apps http://t.co/5tMWWMgSOK
— Been® Choice (@beenchoice) October 9, 2015
The app’s behavior, however, is similar to how Lenovo’s pre-installed Superfish utility facilitated man-in-the-middle attacks. In the case of Been Choice and the other apps pulled today, the root certificate compromises SSL/TLS connections, putting supposedly secure data at risk to attack.
Apple, meanwhile, has introduced its Content Blocker app extension in iOS9 and in El Capitan for OS X. If enabled, the extension will block ads and many other content types from being displayed in the browser.
Provided from: Techcrunch.