Apple draws cloudy line on use of root certs in mobile apps

Apple's removal of several apps from its mobile store on Thursday shows the challenges iOS developers can face when app guidelines shift.
Apple said the apps, which it did not name, used root digital certificates that could expose data to untrusted sources.
Root certificates are not a security issue per se, but they do allow an app to initiate a new encrypted connection with a Web service and then view the traffic using its private key.
But many technology companies are moving to fully encrypted services, with both content and ads delivered over SSL/TLS.
The move was prompted in part by extensive data gathering by U.S. spy agencies revealed by NSA leaker Edward Snowden.