Apple draws cloudy line on use of root certs in mobile apps

Last week's removal of several apps from Apple's store leaves questions over the use of root certs

Apple's removal of several apps from its mobile store on Thursday shows the challenges iOS developers can face when app guidelines shift.

Among the apps removed was Choice, developed by the Palo Alto-based company Been. The app interrupted encrypted traffic streams sent to a handful of companies, including Facebook, Google, Yahoo and Pinterest, in order to block in-app ads.

Apple said the apps, which it did not name, used root digital certificates that could expose data to untrusted sources.

David Yoon, Been's co-founder, said in a phone interview Sunday that his company immediately updated Choice in order to remove the root certificate from users' devices.

Yoon said he is awaiting approval of a modified version of Choice that has been submitted to Apple.

Apple approved Choice in June when it debuted with a root certificate, which the company does not forbid. Otherwise, it would not be possible for vendors like Choice to offer VPN services on Apple mobile devices.

Root certificates are not a security issue per se, but they do allow an app that holds the certificate's private key to terminate the device's encrypted connection to a Web service, open a new encrypted connection of its own to that service, and view the traffic passing in between.
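The paragraph above describes why an app-installed root matters: once the root is in the device's trust store, a certificate the app issues for a service's hostname passes ordinary chain validation exactly as the service's real certificate does. The Go program below is an added illustration, not code from the article, from Been or from Apple. It constructs two toy roots, a stand-in for a public CA the operating system ships and a stand-in for an app-installed root, issues a certificate for the same hostname under each, and evaluates them against a stock trust store and against one with the app root added. It also shows a client-side check the article does not discuss, public-key pinning, under which the added root is no longer sufficient. The hostname and CA names are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert creates a certificate for name. With parent == nil it is a self-signed
// root (a stand-in for either a public CA the OS ships or a root an app installs);
// otherwise it is a server certificate for the host name, issued under parent.
func newCert(name string, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // self-signed root
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, signer = tmpl, key
	} else { // server certificate for the host name
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// chainAccepted is what a TLS client does by default: build a chain from the
// leaf to any root in the trust store and check the hostname.
func chainAccepted(leaf *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

// spkiPin hashes the leaf's SubjectPublicKeyInfo, the value a pinning client
// stores for the genuine server key and compares on every connection.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// Outcome records how each client policy treats each certificate.
type Outcome struct {
	GenuineWithSystemRoots       bool // genuine cert, stock trust store
	InterceptWithSystemRoots     bool // app-issued cert, stock trust store
	InterceptWithAddedRoot       bool // app-issued cert, app root added to store
	InterceptWithAddedRootAndPin bool // same, but the client also pins the key
	GenuineWithPin               bool // genuine cert under the pinning client
}

// RunScenario constructs both roots and both leaves for host and evaluates them.
func RunScenario(host string) Outcome {
	publicCA, publicKey := newCert("Public CA (constructed)", nil, nil)
	appCA, appKey := newCert("App-installed root (constructed)", nil, nil)
	genuine, _ := newCert(host, publicCA, publicKey)
	intercept, _ := newCert(host, appCA, appKey) // same hostname, different key
	stock := x509.NewCertPool()
	stock.AddCert(publicCA)
	withAppRoot := x509.NewCertPool()
	withAppRoot.AddCert(publicCA)
	withAppRoot.AddCert(appCA)
	pin := spkiPin(genuine) // the pinning client knows only the genuine key
	return Outcome{
		GenuineWithSystemRoots:       chainAccepted(genuine, host, stock),
		InterceptWithSystemRoots:     chainAccepted(intercept, host, stock),
		InterceptWithAddedRoot:       chainAccepted(intercept, host, withAppRoot),
		InterceptWithAddedRootAndPin: chainAccepted(intercept, host, withAppRoot) && spkiPin(intercept) == pin,
		GenuineWithPin:               chainAccepted(genuine, host, withAppRoot) && spkiPin(genuine) == pin,
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario("service.example")) // placeholder hostname
}
```

The two middle results are the point of the article's dispute: the same app-issued certificate is rejected by a stock trust store and accepted once the app's root is added, with no change to the service itself. The last two show why pinning is the usual countermeasure for apps that handle sensitive traffic: it ties acceptance to the genuine key rather than to whatever roots the device happens to trust, at the cost of having to update the app when the service rotates keys.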

Choice used its root cert to gain visibility on Facebook, for example, which encrypts both its content and in-app ads with SSL/TLS (Secure Sockets Layer/Transport Layer Security) encryption.

Choice can also block ads and third-party tracking mechanisms on any service that does not use SSL/TLS.

But many technology companies are moving to fully encrypted services, with both content and ads delivered over SSL/TLS. The move was prompted in part by extensive data gathering by U.S. spy agencies revealed by NSA leaker Edward Snowden.

Yoon said his company fully disclosed to users how it was blocking ads within a few SSL/TLS protected services and did not retain any traffic from users' devices. But he acknowledged Apple's public justification for removing Choice.

"To be fair, to get rid of the root cert is safer, but we didn't think we were being unsafe," Yoon said.

Still, Yoon said it's unclear what kind of use cases of root certs would not be allowed in apps.

Yoon said his company has a small but growing following. More than 10,000 people had downloaded Choice, which has a business plan that goes beyond blocking ads and third-party trackers.

Choice has an "Earn" mode in which no ads at all are filtered out. In that mode, the plan is for Choice to collect some data -- such as what apps a person uses at what specific times -- which Been can monetize.

Yoon emphasized that users would be fully informed about the data the company collects and have to opt-in to the program.

The problem Yoon said he is aiming to solve is that users' online behavior is being widely tracked now by a variety of companies and advertising networks without their consent or compensation.

Earn intends to pay users for the data they give to Choice, a value exchange that doesn't exist in the online advertising market now, Yoon said.

"Your navigation across your phone is what's interesting to us," Yoon said. "You're giving it away for free, let us pay you for it. Or, don't let us see it."

If people use Earn for a day, they get 1,000 points. After 30 days and 30,000 points, they'd get US$20, for example, Yoon said.

If only a small number of people opted into Earn, Been would be able to create sample-based inferences that might be useful to other parties, similar to how Gallup and Nielsen work, Yoon said.

It's still early days for Been, which is a small, self-funded company. Yoon said it is just he, co-founder Sang Shin, and three or four part-time employees.

But he's been working on Choice for a couple of years and believes over the next five years there will be growing interest in paying users directly for their data.

"We are trying to make data more expensive for people so you can own it," he said. 

Stories by Jeremy Kirk