Apple has removed several apps from the official iOS App Store

Apple has removed mobile apps from the iOS App Store that installed root CA certificates enabling traffic to be intercepted.

Apple has pulled several apps from the official iOS App Store over SSL/TLS security concerns: the issues could allow threat actors to compromise the encrypted connections between servers and mobile devices and monitor users’ data.

“We have removed a “few” apps from the iOS App Store that could install root certificates and allow monitoring your data,” Apple states in an official advisory.

The mobile apps removed from the App Store install root CA certificates that enable traffic to be intercepted without the user’s knowledge. Any app that installs a CA certificate represents a serious threat to users’ privacy: the practice is used by hackers to hijack traffic and siphon off users’ credentials, personal information and credit card data.
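A root certificate reaches an iOS device inside a configuration profile, which is an ordinary plist document, so a defender triaging such a profile can enumerate the certificate payloads it carries and fingerprint them against an allow-list. The following Python is an added example, not code from the article or from Apple; the profile it parses is a constructed sample, and the PayloadType strings are the ones Apple documents for certificate payloads.

```python
import hashlib
import plistlib

# PayloadType values Apple uses for certificate payloads in configuration
# profiles; "com.apple.security.root" is the one that installs a trusted root CA.
CERT_PAYLOAD_TYPES = frozenset({
    "com.apple.security.root",
    "com.apple.security.pem",
    "com.apple.security.pkcs1",
})


def find_certificate_payloads(profile_bytes):
    """Return one record per certificate payload in a .mobileconfig profile:
    payload type, display name, whether it installs a root CA, and the SHA-256
    of the embedded certificate bytes for comparison against an allow-list."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype not in CERT_PAYLOAD_TYPES:
            continue
        cert = payload.get("PayloadContent", b"")
        findings.append({
            "type": ptype,
            "name": payload.get("PayloadDisplayName", ""),
            "installs_root_ca": ptype == "com.apple.security.root",
            "sha256": hashlib.sha256(cert).hexdigest(),
        })
    return findings


# Constructed sample profile (not a real one); a placeholder byte string stands
# in for the DER-encoded certificate an actual profile would carry.
SAMPLE_CERT = b"constructed placeholder, not a real DER certificate"
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.adblock.profile",
    "PayloadDisplayName": "Ad Blocker Setup",
    "PayloadContent": [{
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.adblock.rootca",
        "PayloadDisplayName": "Ad Blocker Root CA",
        "PayloadContent": SAMPLE_CERT,
    }],
})

print(find_certificate_payloads(SAMPLE_PROFILE))
```

A profile with no certificate payloads yields an empty list, so the same function can gate an MDM import or a mail-attachment triage rule on whether any root CA would be installed.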


Apple hasn’t disclosed the names of the apps that were pulled from the store, but it is known that ad blockers are among the applications that make use of root certificates.

“While today’s mobile platforms are harder to crack and exploit, abusing or misusing the trust in CAs and certificates is a ripe opportunity for exploit,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. “The OnStar hack to lock/unlock and start/stop GM cars was possible because the GM app did not properly validate security certificates. These developments are why new methods of security—like certificate reputation—that can evaluate if a CA or TLS certificate deserves to be trusted are increasingly becoming popular.”

Apple has published instructions, “How to delete an app that has a configuration profile on your iPhone, iPad, or iPod touch,” on its official support page.

To remove an app and its configuration profile, follow the steps provided by Apple.

  1. Delete the App.
    • Tap and hold on the app until it jiggles.
    • Then tap  in the upper-left corner of the app to delete it. If you see a message that says, “Deleting [app name] will also delete all of its data,” tap Delete.
  2. Delete the configuration profile that came with the app.
    • Go to Settings > General > Profile, tap on the app’s configuration profile.
    • Then tap Delete Profile. If asked, enter your device passcode, then tap Delete.
  3. Restart your iPhone, iPad, or iPod touch.

Pierluigi Paganini
