
Apple draws cloudy line on use of root certs in mobile apps

Jeremy Kirk | Oct. 12, 2015
Last week's removal of several apps from Apple's store leaves questions over the use of root certs.

Image caption: The Apple logo on one of the company's stores. Credit: Martyn Williams

Apple's removal of several apps from its mobile store on Thursday shows the challenges iOS developers can face when app guidelines shift.

Among the apps removed was Choice, developed by the Palo Alto-based company Been. The app interrupted encrypted traffic streams sent to a handful of companies, including Facebook, Google, Yahoo and Pinterest, in order to block in-app ads.

Apple said the apps, which it did not name, used root digital certificates that could expose data to untrusted sources.

David Yoon, Been's co-founder, said in a phone interview Sunday that his company immediately updated Choice in order to remove the root certificate from users' devices.

Yoon said he is awaiting approval of a modified version of Choice that has been submitted to Apple.

Apple approved Choice in June when it debuted with a root certificate, which the company does not forbid. Otherwise, it would not be possible for vendors like Choice to offer VPN services on Apple mobile devices.

Root certificates are not a security issue per se, but a root certificate trusted by the device does allow an app to initiate a new encrypted connection with a Web service and then decrypt and view the traffic using the certificate's private key.

Choice used its root cert to gain visibility on Facebook, for example, which encrypts both its content and in-app ads with SSL/TLS (Secure Sockets Layer/Transport Layer Security) encryption.

Choice can also block ads and third-party tracking mechanisms on any service that does not use SSL/TLS.

But many technology companies are moving to fully encrypted services, with both content and ads delivered over SSL/TLS. The move was prompted in part by extensive data gathering by U.S. spy agencies revealed by NSA leaker Edward Snowden.

Yoon said his company fully disclosed to users how it was blocking ads within a few SSL/TLS protected services and did not retain any traffic from users' devices. But he acknowledged Apple's public justification for removing Choice.

"To be fair, to get rid of the root cert is safer, but we didn't think we were being unsafe," Yoon said.

Still, Yoon said it's unclear what kind of use cases of root certs would not be allowed in apps.

Yoon said his company has a small but growing following. More than 10,000 people had downloaded Choice, which has a business plan that goes beyond blocking ads and third-party trackers.

Choice has an "Earn" mode in which no ads at all are filtered out. In that mode, the plan is for Choice to collect some data -- such as what apps a person uses at what specific times -- which Been can monetize.
