Apple has removed mobile apps from the iOS Apple store that are installing root CA certificates that enable traffic to be intercepted.
Apple has pulled several apps out from the official iOS App Store over SSL/TLS security concerns, this means that the security issues could allow threat actors to compromise encrypted connections between the servers and the mobile devices and monitor users’ data.
“We have removed a “few” apps from the iOS App Store that could install root certificates and allow monitoring your data.” Apple states in an officially advisory.
The mobile apps removed from the Apple store are installing root CA certificates that enable traffic to be intercepted without the user’s knowledge. Any app that installs a CA certificate represents a serious threat to users’ privacy, the practice is used by hacker to hijack traffic and syphon user’s credentials, personal information and credit card data.
Apple hasn’t disclosed the name of the apps that had been pulled off the store, but it is known that ad blockers are among those applications that make use root certificates.
“While today’s mobile platforms are harder to crack and exploit, abusing or misusing the trust in CAs and certificates is a ripe opportunity for exploit,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. “The OnStar hack to lock/unlock and start/stop GM cars was possible because the GM app did not properly validate security certificates. These developments are why new methods of security—like certificate reputation—that can evaluate if a CA or TLS certificate deserves to be trusted are increasingly becoming popular.”
Apple is giving instructions for “How to delete an app that has a configuration profile on your iPhone, iPad, or iPod touch,” on the official support page.
To remove an app and its configuration profile, follow the steps provided by Apple.
- Delete the App.
- Tap and hold on the app until it jiggles.
- Then tap in the upper-left corner of the app to delete it. If you see a message that says, “Deleting [app name] will also delete all of its data,” tap Delete.
- Delete the configuration profile that came with the app.
- Go to Settings > General > Profile, tap on the app’s configuration profile.
- Then tap Delete Profile. If asked, enter your device passcode, then tap Delete.
- Restart your iPhone, iPad, or iPod touch.