Apple draws cloudy line on use of root certs in mobile apps
- 12 October, 2015 05:28
Apple's removal of several apps from its mobile store on Thursday shows the challenges iOS developers can face when app guidelines shift.
Among the apps removed was Choice, developed by the Palo Alto-based company Been. The app interrupted encrypted traffic streams sent to a handful of companies, including Facebook, Google, Yahoo and Pinterest, in order to block in-app ads.
Apple said the apps, which it did not name, used root digital certificates that could expose data to untrusted sources.
David Yoon, Been's co-founder, said in a phone interview Sunday that his company immediately updated Choice in order to remove the root certificate from users' devices.
Yoon said he is awaiting approval of a modified version of Choice that has been submitted to Apple.
Apple approved Choice in June when it debuted with a root certificate, which the company does not forbid. Otherwise, it would not be possible for vendors like Choice to offer VPN services on Apple mobile devices.
Root certificates are not a security issue per se, but they do allow an app to initiate a new encrypted connection with a Web service and then view the traffic using its private key.
Choice used its root cert to gain visibility on Facebook, for example, which encrypts both its content and in-app ads with SSL/TLS (Secure Socket Layer/Transport Security Layer) encryption.
Choice can also block ads and third-party tracking mechanisms on any service that does not use SSL/TLS.
But many technology companies are moving to fully encrypted services, with both content and ads delivered over SSL/TLS. The move was prompted in part by extensive data gathering by U.S. spy agencies revealed by NSA leaker Edward Snowden.
Yoon said his company fully disclosed to users how it was blocking ads within a few SSL/TLS protected services and did not retain any traffic from users' devices. But he acknowledged Apple's public justification for removing Choice.
"To be fair, to get rid of the root cert is safer, but we didn't think we were being unsafe," Yoon said.
Still, Yoon said it's unclear what kind of use cases of root certs would not be allowed in apps.
Yoon said his company has a small but growing following. More than 10,000 people had downloaded Choice, which has a business plan that goes beyond blocking ads and third-party trackers.
Choice has an "Earn" mode in which no ads at all are filtered out. In that mode, the plan is for Choice to collect some data -- such as what apps a person uses at what specific times -- which Been can monetize.
Yoon emphasized that users would be fully informed about the data the company collects and have to opt-in to the program.
The problem Yoon said he is aiming to solve is that users' online behavior is being widely tracked now by a variety of companies and advertising networks without their consent or compensation.
Earn intends to pay users for the data they give to Choice, a value exchange that doesn't exist in the online advertising market now, Yoon said.
"Your navigation across your phone is what's interesting to us," Yoon said. "You're giving it away for free, let us pay you for it. Or, don't let us see it."
If people use Earn for a day, they get 1,000 points. After 30 days and 30,000 points, they'd get US$20, for example, Yoon said.
If only a small number of people opted into Earn, Been would be able to create sample-based inferences that might be useful to other parties, similar to how Gallup and Nielsen work, Yoon said.
It's still early days for Been, which is a small, self-funded company. Yoon said it is just he a co-founder, Sang Shin, and three or four part-time employees.
But he's been working on Choice for a couple of years and believes over the next five years there will be growing interest in paying users directly for their data.
"We are trying to make data more expensive for people so you can own it," he said.