It’s happened again. Apple has once more pulled some mobile ad-blockers from the iTunes iOS app store for security violations, including the popular app Been Choice. These particular ad-blockers were intended to block mobile ads in stand-alone applications as well as on the web, but unfortunately, the method they used to do it was indeed fraught with security hazards. The applications installed what is known as a “root certificate.”
There’s nothing wrong with the concept of a root certificate in and of itself. It does not mean that your phone has been rooted; the “root” in this case refers to the Root Certificate Authority, which is the entity that issued the certificate and which has the authority to issue certificates to other, Intermediate Certificate Authorities. But by installing such a thing on your phone, you’re effectively saying that you trust the people who made it, and you’re giving them the ability to examine every bit of network traffic that passes to and from your phone—including secure financial transactions and other encrypted communication. Effectively, you’re running a man-in-the-middle attack on yourself.
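What that trust decision changes can be seen with `openssl` on local files. This is an added example, not code from any of the apps discussed; the CA names and the host `bank.example` are constructed, and the public-key fingerprint at the end goes slightly beyond the article to show the value a certificate-pinning client would compare.

```shell
#!/bin/sh
# Constructed demo: every name here (Public Root, AdBlock Root, bank.example) is made up.
demo_dir=$(mktemp -d)

make_root() {   # $1 = file prefix, $2 = subject CN; creates a self-signed root CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$demo_dir/$1.key" -out "$demo_dir/$1.pem" 2>/dev/null
}

issue_leaf() {  # $1 = leaf prefix, $2 = prefix of the root that signs it
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=bank.example" \
    -keyout "$demo_dir/$1.key" -out "$demo_dir/$1.csr" 2>/dev/null
  openssl x509 -req -in "$demo_dir/$1.csr" -days 1 -CAcreateserial \
    -CA "$demo_dir/$2.pem" -CAkey "$demo_dir/$2.key" \
    -out "$demo_dir/$1.pem" 2>/dev/null
}

trusted() {     # $1 = trust store file, $2 = leaf prefix; prints yes or no
  if openssl verify -CAfile "$1" "$demo_dir/$2.pem" >/dev/null 2>&1
  then echo yes; else echo no; fi
}

spki_pin() {    # $1 = leaf prefix; SHA-256 of the leaf's public key
  openssl x509 -in "$demo_dir/$1.pem" -noout -pubkey |
    openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

make_root public  "Public Root"
make_root adblock "AdBlock Root"
issue_leaf genuine   public    # certificate the real site presents
issue_leaf intercept adblock   # certificate the app's proxy presents for the same host

# Trust store before and after the app's root certificate is installed.
cp  "$demo_dir/public.pem" "$demo_dir/store_before.pem"
cat "$demo_dir/public.pem" "$demo_dir/adblock.pem" > "$demo_dir/store_after.pem"

echo "before install, genuine leaf trusted:     $(trusted "$demo_dir/store_before.pem" genuine)"
echo "before install, intercepted leaf trusted: $(trusted "$demo_dir/store_before.pem" intercept)"
echo "after install,  intercepted leaf trusted: $(trusted "$demo_dir/store_after.pem" intercept)"
echo "genuine key fingerprint:     $(spki_pin genuine)"
echo "intercepted key fingerprint: $(spki_pin intercept)"
```

The substituted certificate is rejected until the app's root is in the store and accepted afterwards, while its key fingerprint still differs from the genuine one.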
While you might be willing to take that risk to get rid of annoying mobile ads, you honestly don’t have any way of knowing whether the manufacturer of a given ad-blocking app is trustworthy—especially if someone else decides to buy that app and repurpose it for their own not-so-salutary uses (as often happens with browser extensions). Apple has said it will be working with the manufacturers of the apps to bring them back into compliance with its security requirements. iMore notes:
There’s not yet a similarly private, secure way to block content in apps. Unless and until that changes, allowing root-certificate-based content blockers in the App Store goes against Apple’s privacy and security policies, which the company has made a major, top-down, front-facing feature of the platform.
It seems to me, though, that it should be possible to direct all of your network traffic through some kind of ad-blocking proxy like AdTrap to block the ads for you. Of course, AdTrap would only work for the specific wireless network you connect it to, but software proxies like Squid have been available for some time. I should think it would be possible to make one that would run on the iPhone, especially as fast as iPhone hardware is now. But perhaps I’m wrong about how effective that would be, or maybe some other feature of Apple’s developer agreements would prohibit it.