Apple has purged its iOS App Store of several titles that it said had the ability to compromise encrypted connections between end users and the servers they connect to. The company advised users to uninstall the apps from their iPhones and iPads to prevent potentially harmful monitoring, but it has yet to name any of the offending titles.
"Apple has removed a few apps from the App Store that install root certificates that could allow monitoring of data," company officials wrote in an advisory posted Friday. "This monitoring could be used to compromise SSL/TLS security solutions. If you have one of these apps installed on your device, delete both the app and its associated configuration profile to make sure your data remains protected."
Apple representatives didn't respond to an e-mail seeking the names of the offending apps and an explanation of why they weren't identified. This post will be updated if they reply later.
According to a message on Twitter from the developer of an app called Been Choice, the ad-blocking app was recently removed from the App Store. The tweet didn't say why Been Choice was being pulled, but it went on to say, "We'll remove ad blocking for FB, Google, Yahoo, and Pinterest apps." Presumably, the app was able to strip the ads in those apps by using a root certificate to decrypt the transport layer security-encrypted traffic passing between servers and devices that had Been Choice installed.

Remember Superfish?


Apple's admission that its App Store hosted apps that installed such root certificates almost certainly exposes a hole in the company's security vetting process. It's also problematic that Apple has yet to name any of the risky apps it pulled. Apple is right in advising users to uninstall them, but not identifying them by name makes it unnecessarily difficult for customers to heed the recommendation. In fairness, the company indicated that the offending apps were limited to a "few." Considering the App Store has been in operation for seven years, that's not a bad track record.
Apple's advisory provides instructions for uninstalling the apps and deleting their associated configuration profiles. Now, users just need to know what apps besides Been Choice should get that treatment.
 