Apple last week revealed that it had removed from its App Store several apps with root certificates that could allow data monitoring.
The monitoring could compromise Secure Sockets Layer and Transport Layer Security protocols, the company said. It suggested users delete the apps and their associated configuration profiles. However, it did not name the apps users should delete.
Apple will work with the developers so their apps meet its requirements and can be uploaded to the App Store again, the company said in a statement provided to TechNewsWorld by spokesperson Lisa Israel.
Root certificates, the trust anchors of certificate authorities (CAs), “enable traffic to be intercepted, unknown to users,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.
“Remember Superfish?” he asked.
Lenovo, which had preinstalled Superfish Visual Search software on its computers, faced such a public outcry over security concerns that it apologized and uninstalled the software.
Although Apple did not name the apps that it removed, at least one was an ad blocker — Been Choice from developer Been.
Unlike the content-blocking framework Apple built in iOS 9, Been Choice scrapes ads and other content out of users’ Web traffic through a virtual private network.
How Been Choice Works
The Been Choice app works in two modes: Block Mode blocks ads and third-party trackers in both users’ apps and, by default, the Safari browser. Earn Mode lets ads through and allows users to earn rewards for volunteering nonpersonal information about how they use their device.
Been Choice sets up separate VPN profiles for Block and Earn modes.
In both cases, it blocks known malware sites. It does not store users’ email, banking or other personal information, according to Been.
Block Mode routes ad and tracker traffic through Been Choice’s VPN, but the company doesn’t see general traffic. In Earn Mode, users’ general traffic is encrypted and compressed through Been Choice’s VPN, which also conducts IP and location obfuscation.
Root certs are a routine part of VPNs, Been cofounder Dave Yoon said. They were not previously restricted, even in conjunction with ad blocking, so the company didn’t see the need to mention their inclusion in its app.
Why Been Choice Used Root Certs
Been Choice included a root cert “to give users a real, discrete choice between blocking and sharing,” Yoon told TechNewsWorld. “We needed to unpack end-to-end encryption for blocking ads in apps for Facebook, Yahoo, Google and Pinterest.”
That unpacking let Been Choice pattern-match suspected ad traffic to remove it before it got to users’ phones.
Apple’s decision to pull the app came as a surprise because it had “been approving versions of our app for months,” Yoon said.
However, “though we took special care, if you take [the root cert] out of the app, it will be more secure,” he remarked. “So we will comply, because our goal is to provide users the best choice.”
Been is working with Apple to ensure its app meets the new requirements, and “we are avoiding root certificates altogether,” Yoon said.
The Dangers of Root Certs
Apps should not install their own root certificates, Venafi’s Bocek told TechNewsWorld. “Only when an enterprise needs to authorize traffic inspection should any device accept a new CA certificate.”
Apple has listed approved certificate authorities for iOS 9.
The inclusion of certificates in the apps Apple took down “demonstrates that while today’s mobile platforms are harder to crack and exploit, abusing or misusing the trust in CAs and certificates is a ripe opportunity for exploit,” Bocek said.
“The OnStar hack to lock and unlock and start and stop GM cars was possible because the GM app did not properly validate security certificates,” he said.
General Motors has resolved that issue.
“The security of CA and TLS certificates in the mobile world,” Bocek said, “is an issue that’s only going to get more important.”