Thursday 20 March 2014

Malicious Tor Browser Persists in iOS App Store for Months Despite Protests [iOS Blog]

Developers working on the Tor anonymity service asked Apple months ago to remove from the App Store a malicious Tor browser that poses a threat to its users (via Ars Technica). After receiving no action through official channels, Tor project members are now using more public means to get this app removed.


A report ticket published three months ago by volunteer Phobos details the issue with the rogue app.



"Tor Browser in the Apple App Store is fake. It's full of adware and spyware. Two users have called to complain. We should have it removed."



Tor officials confirmed they filed a complaint with Apple in December 2013 and received a response that the app developer was allowed to defend his app from these accusations.

Several follow-up emails were sent to Apple, but there was no response from the Cupertino company. Twelve weeks later, the app remains in the App Store, prompting the team to step up its campaign to get the app removed.



"I think naming and shaming is now in order. Apple has been putting users at risk for months now," writes lunar.


"I mailed Window Snyder and Jon Callas to see if they can get us past the bureaucracy. Otherwise I guess plan C is to get high-profile people on Twitter to ask Apple why it likes harming people who care about privacy. (I hope plan B works.)," writes arma.



Apple's App Store is known for being a walled garden where apps are vetted before they are allowed entry into the App Store. The process is not flawless, though, with researchers from Georgia Tech last year showing how an innocuous app with hidden malware-type code could slip through Apple's app approval system.

Once a malicious app is identified in the App Store, Apple has in the past taken steps to remove the app, but the exact process by which an app is removed is not known. In an earlier example, Apple quickly pulled a Russian SMS app that quietly scraped address book contacts and sent them to the developer's server.


