Skip to content
Naked Security Naked Security

Apple excommunicates adblockers that could access users’ private data

Apple's blocked apps that installed root certificates that could have allowed them to see all of a users' web traffic.

shutterstock_217604671

Nobody’s saying that adblockers cooked up for the newly adblocker-amenable iOS 9 Safari browser were monitoring encrypted traffic, including, say, bank login details or private emails.

But they could, given that some of those apps installed root certificates that allowed them to rummage around in your encrypted traffic to filter out ads.

Given the security risk, Apple has removed an unspecified number of apps from its App Store.

Here’s Apple’s statement:

Apple is deeply committed to protecting customer privacy and security. We’ve removed a few apps from the App Store that install root certificates which enable the monitoring of customer network data that can in turn be used to compromise SSL/TLS security solutions. We are working closely with these developers to quickly get their apps back on the App Store, while ensuring customer privacy and security is not at risk.

The excommunicated apps include the adblocker Been Choice.

Been Choice said on Thursday that “we will remove ad blocking for FB, Google, Yahoo, Yahoo Fin., and Pinterest and resubmit tomorrow, to comply,” but added that “we will continue to block the majority of ads in apps, as well as Safari.”

However, given that the app wasn’t listed in the App Store as of Friday, it looks like either Apple hasn’t approved it yet or Been Choice didn’t get it submitted when it thought it would.

Been Choice is a content blocker that worked even inside apps.

As TechCrunch reported last week, Been Choice, curiously enough, claimed to be able to do its adblocking shtick in native mobile apps, including Facebook and even Apple’s own News application.

As TechCrunch’s Sarah Perez reported, Been Choice achieved this by offering a combination of a content blocker for Safari and a VPN (virtual private network) service, the latter of which allowed the app to filter out ad traffic.

Why would Apple allow in an app that goes against its own best interest?

Perez suggested that time would tell whether Apple really meant to allow it or whether Been Choice would be booted, and now we know: from the looks of it, it has indeed been booted, though it seems that it was the root certificates that did it in.

It is, of course, a privacy and security issue.

The root certificates are used to to fool apps in to thinking they’re talking to a site like Facebook when in fact they’re actually talking to Been Choice, who are then talking (and listening) to Facebook on your behalf, in real time.

Acting as a Man-in-the-Middle like this allows Been Choice to block ads.

Unfortunately it would also allow them, in theory at least, to monitor everything a user is doing online and to silently alter the traffic passing through their servers, even if the connection is supposed to be encrypted end-to-end to prevent that sort of thing.

For its part, Google doesn’t allow apps that behave this way in its app store.

In 2013 it removed adblockers. including Adblock Plus, from the Play Store, for the sin of interfering with other apps’ functionality.

Been Choice cofounder Dave Yoon emailed this statement to Business Insider:

They are enforcing end-to-end encryption for their apps. We explained to them that (1) we were unpacking the data stream for the sole purpose of removing ads from the following apps: Facebook, Yahoo, Yahoo Finance, Google, Pinterest — and only in Block Mode. (2) No data from any other app was touched. And (3) that we were explicit in our app and on our website, and in our presentations to the press about what we were doing, and for what purpose, with what special safeguards.

We will remove this capability to block ads in Facebook, Yahoo, Yahoo Finance, Google, and Pinterest tonight and resubmit tomorrow morning for expedited approval. The ad and tracker blocking in other apps will not be impacted. We asked for explicit guidance on blocking ads in Apple News (not covered in the above requirement), and our contact at Apple would not give us a ruling. So we will submit a version that will continue to block iAds and see if we can get back on.

The core proposition of our app, Choice, to enable users to better control their privacy and own the value of their own data, remains extremely relevant. And the new app will still present the most powerful ad and tracker blocking tool, and offer real choice to users.

While the apps have been scrubbed from the App Store, they’re still on the iPhones and iPads of the users who’d already downloaded them.

Apple reportedly said that it would publish a support page with instructions on how to remove the apps.

For those worried about apps that may have installed root certificates on their devices, here’s how to check and remove them from an iPhone or iPad:

  1. Go to Settings > General > Profile
  2. Tap on the profile you want to delete
  3. Tap Delete profile
  4. Enter your PIN
  5. Tap Delete to confirm

Image of Apple logo courtesy of Lester Balajadia / Shutterstock.com

3 Comments

Do any other ad-blockers or anti-trackers install certificates, in Windows for instance? AdBlock Plus? UBlock Origin? Ghostery? Anything? I don’t use Facebook or Apple so didn’t know about this aspect of such software.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?