App Store removes VPN-based ad blockers over privacy concerns

VPN profile apps don't just block ads, they deeply inspect all your traffic, even private and secure traffic.

While Apple has provided a mechanism to create safe, private content blocking extensions for Safari on iPhone and iPad, in the last few days apps have taken it a step further, installing root certificates in order to block ads inside apps as well.

The problem with these blocker apps is that they work by installing VPN profiles, which means they intermediate secure connections and "see" all your private internet traffic. They are, essentially, a voluntary person-in-the-middle attack. For that reason, Apple is removing them from the App Store. Here's the statement Apple provided me:

"Apple is deeply committed to protecting customer privacy and security," an Apple spokesperson told iMore. "We've removed a few apps from the App Store that install root certificates which enable the monitoring of customer network data that can in turn be used to compromise SSL/TLS security solutions. We are working closely with these developers to quickly get their apps back on the App Store, while ensuring customer privacy and security is not at risk."

I was surprised the VPN profile-based ad blocking apps were approved to begin with. Marketing a VPN is one thing. It's crystal clear what it is and what's happening when you use it. Marketing an in-app ad blocker that happens to work through a VPN isn't so clear. People may really want the former and not understand the consequences of the latter.

In other words, the latter means deep packet inspection of everything done on the internet by the ad-blocking app, even secure financial transactions and communications, on their servers and any servers involved in their chain, and in a way that's not easily toggled on or off.

Again, Apple is still allowing VPN apps on the store. iOS 9 introduced new network extensions for both personal and corporate VPNs. They're just not allowing ad-blockers based on VPN profiles.

There will no doubt be complaints from people who think they want these apps and these types of services, and from developers who make the apps. But the potential risk of abuse is simply too high.

Some will also question Apple's choice in allowing content-blockers for Safari but not for apps. The difference is that the WebKit/Safari team spent time creating a private, secure way to block content in Safari that doesn't allow the blocker to do any tracking of its own. They're precompiled and at no point do they get to see what you're doing or where you're doing it.

While Apple has done things like ban the use of cross-app tracking through mechanisms like UDID, there's not yet a similarly private, secure way to block content in apps.

Unless and until that changes, allowing these VPN profile-based content blockers in the App Store goes against Apple's privacy and security policies, which the company has made a major, top-down, front-facing feature of the platform.
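The combination described above, a trusted root certificate installed alongside a VPN profile, can be checked for in a configuration profile before it is installed. The following is an added example, not code from Apple or from this article; it assumes the settings arrive as an unsigned .mobileconfig property list, and the profile it parses is constructed sample data.

```python
import plistlib

# Apple configuration-profile payload types relevant to traffic interception.
CERT_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1",
              "com.apple.security.pem"}
VPN_TYPES = {"com.apple.vpn.managed"}
PROXY_TYPES = {"com.apple.proxy.http.global"}


def audit_profile(raw: bytes) -> dict:
    """Return the interception-relevant payloads found in an unsigned profile."""
    profile = plistlib.loads(raw)
    found = {"certificates": [], "vpn": [], "proxy": []}
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        name = payload.get("PayloadDisplayName", ptype)
        if ptype in CERT_TYPES:
            found["certificates"].append(name)
        elif ptype in VPN_TYPES:
            found["vpn"].append(name)
        elif ptype in PROXY_TYPES:
            found["proxy"].append(name)
    # A trusted CA plus a traffic redirector is what lets a third party
    # decrypt and inspect TLS sessions, the combination the article describes.
    found["tls_interception_capable"] = bool(
        found["certificates"] and (found["vpn"] or found["proxy"]))
    return found


def sample_profile() -> bytes:
    """Constructed sample: a profile bundling a root CA with a VPN payload."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadDisplayName": "Example Blocker (constructed)",
        "PayloadContent": [
            {"PayloadType": "com.apple.security.root",
             "PayloadDisplayName": "Example Blocker Root CA",
             "PayloadContent": b"placeholder-der-bytes"},
            {"PayloadType": "com.apple.vpn.managed",
             "PayloadDisplayName": "Example Blocker VPN",
             "VPNType": "IPSec"},
        ],
    })


if __name__ == "__main__":
    print(audit_profile(sample_profile()))
```

A profile with only a VPN payload reports `tls_interception_capable` as false: the tunnel operator still sees connection metadata, but cannot decrypt TLS without a certificate the device trusts.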









