Apple has pulled several apps out of its store over SSL/TLS security concerns.
The apps are installing root CA certificates into unsuspecting mobile devices, which then enables traffic to be intercepted, unknown to users. Apple didn’t say which iPad and iPhone apps had been taken down, but ad blockers in particular use root certificates, and since Apple added support for them in its latest iOS release, several have appeared in the App Store.
"This is a serious issue,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, in an emailed comment. “Installing a root CA certificate on any device circumvents the fundamental foundation of online security. CAs undergo heavy vetting and auditing—any app that installs a CA certificate poses a huge threat. No app should be installing its own CA certificate—only when an enterprise needs to authorize traffic inspection should any device accept a new CA certificate.”
Regulators like the FTC have pointed out the issues regarding the security of certificates on mobile devices and in apps: Fandango and Kredit Karma for instance have been criticized because they were not validating certificates in their mobile apps. That opens the door for a hacker to divert traffic from those apps and capture personal information and credit card data.
“While today’s mobile platforms are harder to crack and exploit, abusing or misusing the trust in CAs and certificates is a ripe opportunity for exploit,” Bocek added. “The OnStar hack to lock/unlock and start/stop GM cars was possible because the GM app did not properly validate security certificates. These developments are why new methods of security—like certificate reputation—that can evaluate if a CA or TLS certificate deserves to be trusted are increasingly becoming popular.”