Root certificate-based apps don't just block ads, they deeply inspect all your traffic, even private and secure traffic.

While Apple has provided a mechanism to create safe, private content blocking extensions for Safari on iPhone and iPad, recently apps like Been Choice have taken it a step further, installing root certificates in order to block ads inside apps as well. The problem with that type of blocking is that it intermediates secure connections and exposes all your private internet traffic to the blocker. Essentially, it's a voluntary person-in-the-middle attack. For that reason, Apple is removing those apps from the App Store. Here's the statement Apple provided me:

"Apple is deeply committed to protecting customer privacy and security," an Apple spokesperson told iMore. "We've removed a few apps from the App Store that install root certificates which enable the monitoring of customer network data that can in turn be used to compromise SSL/TLS security solutions. We are working closely with these developers to quickly get their apps back on the App Store, while ensuring customer privacy and security is not at risk."

I was surprised the root certificate-based ad blocking apps were approved to begin with. They perform deep packet inspection of everything done on the internet, including secure financial transactions and private communications, on the ad-blocker's servers and any servers involved in their chain, and in a way that's not easily toggled on or off.

There will no doubt be complaints from people who think they want these apps, and from developers who make the apps. But the potential risk of abuse is simply too high.

Again, this doesn't affect Safari content blockers like Crystal or Purify. Only those using root certificates. Some will question that choice as well. The difference is that the WebKit/Safari team spent time creating a private, secure way to block content in Safari—and the in-app Safari View Controller—that doesn't allow the blocker to do any tracking of its own. They're precompiled and at no point do they get to see what you're doing or where you're doing it.

There's not yet a similarly private, secure way to block content in apps. Unless and until that changes, allowing root-certificate-based content blockers in the App Store goes against Apple's privacy and security policies, which the company has made a major, top-down, front-facing feature of the platform.

Update: Been Choice has responded on twitter, saying they'll be updating to comply with Apple's policy: