Apple Cracking Down on VPN-Based Ad Blockers That Work in Third-Party Apps
Jul 14, 2017 4:57 pm PDT by Juli Clover
It appears Apple may be cracking down on some VPN-based ad blockers that are designed to block ads in third-party apps, based on a recent interaction iOS developer Tomasz Koperski had with Apple's App Store review team.

Koperski is the CTO of Future Mind, a software company that produces AdBlock, Weblock, and Admosphere, three ad blocking apps. When submitting an update for AdBlock for iOS, a VPN-based ad blocking app, it was rejected.


Upon appeal to the App Review Board, Koperski was told Apple is no longer allowing VPN/root certificate-based ad blockers on the App Store and will not be accepting updates of existing ad blockers that use those techniques going forward. According to Apple, Future Mind's AdBlock app violates section 4.2 of the App Store Review Guidelines, which dictates that apps must be useful, unique, and "app-like."

Specifically, the app violated section 4.2.1, which says "Apps should use APIs and frameworks for their intended purposes and should indicate that integration in their app description," and to get even more specific, Future Mind was told the update was rejected because "Your app uses a VPN profile or root certificate to block ads or other content in a third-party app, which is not allowed on the App Store."

Koperski was told that Safari content blockers, introduced in iOS 9, will be the only Apple-supported ad blockers going forward, and those ad blockers are limited to use in the Safari web browser.
After submitting an appeal to the App Review Board, a member of the Review Team contacted me directly via phone and informed that Apple has officially changed their policy regarding VPN/root certificate based ad blockers on the App Store and is no longer accepting updates of apps, which directly block content in third party apps. The only officially allowed ad blocking method is now Safari Content Blockers.
Koperski says that the change marks a major shift in Apple's ad blocking policy, as Future Mind has had its ad blocking products in the App Store for the past five years. AdBlock, the app that Apple rejected, has been available for purchase since 2014, and it was one of the first VPN-based ad blockers able to block ads in all apps locally on both Wi-Fi and Cellular.

There are dozens of similar ad blocking apps available in the App Store at the current time, some that were updated as recently as June. It's not clear why Apple has changed its policy after so many years, but many apps, including native apps like Apple News, feature ads as a way to monetize.

Apple has recently undertaken a major overhaul of the App Store, eliminating clone apps, outdated apps, and more, so it's possible this new crackdown is a part of that effort. Since late 2015, Apple marketing chief Phil Schiller has been overseeing the App Store and has enacted some significant changes.

Future Mind was told the AdBlock app could be updated if it switches from ad blocking via VPN to the Safari Content Blocker, but the company is worried about upsetting customers who paid for the ability to block ads in both Safari and in apps. The company has not yet decided what to do and is mulling several possible choices, including leaving the app as is, expanding existing functionality into a VPN service, or transitioning to a Safari-only blocker.

Top Rated Comments

(View all)

12 months ago
Ad blocking using a VPN, and worse, root certificates, sounds like a potential security nightmare waiting to happen, and I can 100% see why Apple would ban them from the store.

With a third party root certificate installed, this app can intercept your banking information or pretty much anything you do online.
Rating: 47 Votes
12 months ago
Everyone knows that ad blockers are the result of overly aggressive advertisers annoying the hell out of a customer. If we choose to block their ads, there's a damn good reason for it. They need to learn how to appropriately advertise instead of harass, annoy, and trick the user into clicking on their ad. When I can't read web pages, particularly on mobile, because there is an advertisement every inch, it is way out of control. And we passed that red line long ago.

I should have a right to block all those annoyances if I choose to do so. Advertisers: grow up. Learn to advertise so you attract customers, not piss them off. Then maybe we won't block you.
Rating: 36 Votes
12 months ago
Also, "Specifically, the app violated section 4.2.1, which says "Apps should use APIs and frameworks for their intended purposes and should indicate that integration in their app description" is such a BS excuse from Apple.

Apple just gave an Apple Design award to Black Box in June, which is a game that makes use of essentially every single API of the phone as a manner of progressing through the puzzles, and I'm pretty sure turning Airplane mode on and adjusting your volume to solve a puzzle isn't using those APIs "for their intended purposes."

Apple literally praised them for using the APIs in novel ways in their Design Award announcement... https://developer.apple.com/design/awards/#blackbox

"Additionally, by using CoreAudio, CoreLocation, Core Telephony, AVCaptureSession, iCloud, and GameCenter in novel ways, this app takes advantage of an enormous range of iOS technologies."

So it really isn't about AdBlockers using the APIs in unexpected ways. It's that they don't want you to block advertisements
Rating: 31 Votes
12 months ago
Seriously, middle finger emoji

Better stop auto updates so i can keep adguard
Rating: 17 Votes
12 months ago
This is crazy. So many apps have gone overboard with annoying, interpreting ads. I hope some vpn service will start offering reliable ad blocking.
Rating: 14 Votes
12 months ago
Disappointed to see this.

If I am not mistaken, Adguard Pro has a VPN option, that allows ones to block ads in third party apps. I have been using it and really like it. I need to make sure to download the app and others like it, so that I will have access to them.
Rating: 14 Votes
12 months ago
I wonder why do people repeat that VPN/root certificate security point all the time?

These apps aren't real VPNs, your traffic is not being sent anywhere, and there is no root certificate installed.

Also, the update from Apple ('https://forums.macrumors.com/threads/apple-cracking-down-on-vpn-based-ad-blockers-that-work-in-third-party-apps.2056730/page-6#post-24803812') clearly indicates, that the problem is not in the techniques used to block ads and tracking, but in the blocking itself.
Rating: 13 Votes
12 months ago

Ad blocking using a VPN, and worse, root certificates, sounds like a potential security nightmare waiting to happen, and I can 100% see why Apple would ban them from the store.

With a third party root certificate installed, this app can intercept your banking information or pretty much anything you do online.


It does not install root certificate. There's even no actual VPN server on the other side. Blocking happens right on the device. Have a look at the app descr.
[doublepost=1500081438][/doublepost]

This isn't really possible without compromising your security. Apple requires apps to use encrypted network connections for most purposes ("App Transport Security"). In order to block ads in an app, the VPN would have to break the encryption, since otherwise it couldn't recognize and remove the ads. This is why the ad blocker apps mentioned in the article install additional certificates, which basically allow them to run a man-in-the-middle attack. Of course, these methods can just as well be used to sniff the traffic of your banking apps ...


Just to clarify - it's not true. Ad blocking happens on the DNS/domain level right on the device. There is no VPN server on the other side of the tunnel, so no sensitive data is sent out. AdBlock doesn't install root certificates.
Rating: 13 Votes
12 months ago

Ad blocking using a VPN, and worse, root certificates, sounds like a potential security nightmare waiting to happen, and I can 100% see why Apple would ban them from the store.

With a third party root certificate installed, this app can intercept your banking information or pretty much anything you do online.


This right here is exactly why it these apps are being pulled. I'm just surprised it took long before Apple started rejecting them.
Rating: 13 Votes
12 months ago

Ad blocking using a VPN, and worse, root certificates, sounds like a potential security nightmare waiting to happen, and I can 100% see why Apple would ban them from the store.

With a third party root certificate installed, this app can intercept your banking information or pretty much anything you do online.


That's not how the good ones work. Adguard Pro, for example.

This isn't really possible without compromising your security. Apple requires apps to use encrypted network connections for most purposes ("App Transport Security"). In order to block ads in an app, the VPN would have to break the encryption, since otherwise it couldn't recognize and remove the ads. This is why the ad blocker apps mentioned in the article install additional certificates, which basically allow them to run a man-in-the-middle attack. Of course, these methods can just as well be used to sniff the traffic of your banking apps ...


No, it doesn't. But even if you don't believe me, it's a lot easier to pick on VPN company to research and investigate than having to trust every single app on your phone regarding what analytics info it's collecting and selling about you.

I actually have no issue with Apple moving to ensure ads are blocked only in safari rather than apps. If you buy an app that has ads you know what your getting yourself into.

Agreed, however there is a difference between an ad online and an ad in an app. I hate ads as much as the next guy, but ads in free apps shouldn't be blocked, and in that sense I am fine with Apple restricting adblockers to safari only.

If you hate ads in an app you can find another app that has no ads (generally paid).


It's not just the ads, it's analytics collection and monetization of users without disclosure. Apps often connect to a dozen or more analytics frameworks with the vaguest of disclosures.

Good riddance.
It's hard enough try to make a living from writing Apps without some cretin offering a way of blocking one of your revenue sources.
Everyone wants everything for free, including ad free.
It's this selfish mind set that prevents funding and incentivising the creation of goods apps.


It's the devs who are shooting themselves in the foot by selling out their users for a few cents to analytics warehouses. If an app just want to *show* an ad, I'm fine with that, even if it's a big one. But none of them stop there. Every ad is passing info back about you, your device, location, IP address, browsing habits etc. to the analytics flavor of the month. With all of that data eventually making into a handful of aggregators who know more about us than our own family.

So, yes, devs that are ok with that do need to admit that they really don't give a damn about their users.
Rating: 12 Votes

[ Read All Comments ]
Newer Article Older Article