Apple borks Apple News ad-blocking app due to 'privacy concerns' Apple has confirmed having removed "a few apps" from the App Store, including Been® Choice - which blocked advertisements even within the native Apple News app - over what it claims are privacy concerns. The approval of Been Choice came as a surprise to many as it allowed users to circumvent Apple's own profitable advertising …
That's not the issue at all. You are perfectly at liberty to obtain root certificates from a variety of sources and install them on an iPhone. The potential problem here was an app-in-the-middle scenario, where use of a content blocker app could make use of a VPN without the user's explicit knowledge.
"the apps were installing root certificates"
That is a Big Fucking Deal and rightful that they have been pulled. If you can get a CA on the device and get it to proxy or fake a logon screen (such as throwing up a 'sign in to iCloud!' box), you can MITM any traffic and decrypt SSL to get logon details including encrypted passwords.
But go ahead El Reg - spin it like Apple are the bad guys here like you usually do.
Apple explicitly allows apps to provide root certificates. That's the mechanism this app was taking advantage of. The OS segues to an OS-provided set of dialogues requiring the user explicitly to confirm the installation. There's nothing surreptitious, no silent or drive-by install. Which puts Apple on the other side of the debate about what informed users should be allowed to do than it usually sits but no doubt is required by some big corporate user somewhere.
For this app it sounds like they offer a VPN that fishes through everything you request in order to remove advertising. The certificate is then necessary explicitly so that they can be the man-in-the-middle for HTTPS traffic like Google and Facebook.
I think it's not something I'd want on my phone but it sounds like a third party is being punished for Apple's attempts to support business while providing its own brand of consumer protection?
No a third party is not "being punished", Apple is preventing them from inserting itself MITM because just because the app developer is using it only to block ads, or so they claim, they could easily use this capability to do more.
They told them exactly what needed to be changed and promised them expedited review. What more should they do?
Google doesn't even allow the ad blocking apps in the Play Store at all, if anyone should be criticized it is them!
IF Apple are concerned about security then it is correct that they explain the potential dangers to users. If they have grounds to believe that the public will fail to understand those risks then, sure, pull all domestic apps that install root certificates.
IF Apple respect privacy, then give developers tools that not only allow them to block adverts in Safari (already done) but that also allow them to block adverts in apps (including iAds).
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
