Members of the Tor anonymity service are warning that a Tor iOS app available in Apple's highly curated App Store since November is a fake that is laced with adware and spyware.
"Tor Browser in the Apple App Store is fake," a report ticket published two months ago on the Tor website by high-ranking volunteer Phobos stated. "It's full of adware and spyware. Two users have called to complain. We should have it removed."
The ticket went on to say that Tor officials notified Apple of the fake Tor Browser app in December. In the intervening time, the app has remained available, touching off a series of exchanges among Tor members about how to respond. Ars was unable to confirm the claims of adware or spyware. Still, the incident highlights the lack of transparency in the way that Apple vets the reliability of security apps and responds to complaints of rogue titles.
"Apple responded today with chance for author to defend their app," one volunteer wrote shortly after the ticket was opened. "Sent another email to appstorenotices@," Phobos replied a few weeks later.
Early Wednesday, some two months later, yet another Tor member wrote: "I think naming and shaming is now in order. Apple has been putting users at risk for months now." Another member quickly replied: "I mailed Window Snyder and Jon Callas to see if they can get us past the bureaucracy. Otherwise I guess plan C is to get high-profile people on Twitter to ask Apple why it likes harming people who care about privacy. (I hope plan B works.)"
(Window Snyder and Jon Callas are both highly respected security researchers who have worked for Apple in the past. Callas has since left the company and is an executive with Silent Circle. Update: Snyder still works for the Cupertino company. In the past, she has worked for both Microsoft and Mozilla.)
Secret garden
Apple's App Store has long been referred to by critics and fans alike as a walled garden. The metaphor is used to describe the highly controlled environment of the official iOS app bazaar. Presumably, apps submitted by third-party developers are carefully scrutinized before they become available. That's in sharp contrast to the official Google Play store for Android, which is much less selective and where rogue or malicious apps regularly slip through the vetting process.
Apple has never described exactly what its process is for ensuring the titles in its App Store are safe. Although the comparatively fewer reports of rogue apps for iOS suggest that the review process is more stringent than Google's, the report ticket from Tor's high-ranking members suggests that Apple may not be doing everything it can or should do to protect iPhone and iPad users.
Fortunately, the Tor Browser app at issue has been downloaded a relatively small number of times, and so far there are no reports one way or the other that its behavior represents a serious threat to the people who have installed it. Still, its availability raises questions about exactly what Apple does to ensure the security and authenticity of other apps it hosts on its own servers. This article will be updated if Apple officials, who are routinely silent on such matters, respond to our request for comment.