Apple Pulls Fake Tor Browser After Media and Security Attention


Apple pulled a fake Tor browser called "Tor Browser" from the App Store on Thursday, a move that took almost three months of notifications from the Tor Project, plus a little more than a day of media and security attention. The app was written and submitted by someone not affiliated with the Tor Project at all, and it was reported to the Tor Project itself as being laden with adware/spyware.

As an added bonus, it hung out in the iTunes Store for months, even though it was reported to Apple in late December (and has been reported since). There were a number of articles published Wednesday pointing out that "Tor Browser" was still for sale, and that it was a bogus app to be avoided. It was pulled from the iTunes Store earlier today.

Fake Tor Browser: Officially Denied! 

Ars Technica reported Wednesday there weren't a lot of downloads, and that so far nobody reported any sort of malicious outcome after installing it. However, this certainly seems like a big black eye for the iTunes Store, which has been known to put people through all manner of rigamarole in order to get apps approved.

If you are interested in a Tor browser, there is one available called Onion Browser, for 99 cents (US). It is not affiliated with or endorsed by the Tor Project, but by being open source at least it's code that can be reviewed and held accountable if it were to serve up spyware. And since it appears that concern over personal data is only going to grow, this is a good example of the first thing necessary for security: awareness. After all, knowing is half the battle.

The Mac Observer Spin

This was surprising news on several fronts. First, it was odd the app remained available in the App Store as long as it did after multiple reports to Apple. And let's take a moment to review the story here: It was in the store, reported to Apple as fake, remained in the store, got some media attention, and then disappeared. Also, it managed to make it through the review process, which is peculiar considering the apps that don't make the cut. I know a fair number of devs who have had a much harder time of it for their legit apps.

Perhaps more importantly, if you're getting attention in security circles for this, it can be the kind of thing that casts a really long shadow over the "walled garden means no bad stuff" reputation Apple has tried really hard to build and that Apple users have come to rely on.

Compare this to Android: when I got my Nexus 7 and asked what apps were recommended, virtually everyone who replied included an antivirus app. Something I enjoy about iOS is that I don't have to set up McAfee or anything when I get a new device; I can just start using it. I want to continue skipping that step, so I hope this is an opportunity for Apple to revisit the mysterious Rejection Reasons.


Comments

Lee Dronick

What is Tor? Yes, I know that it is a browser, but what are its advantages, features?

Lee Dronick

Okay, I looked it up. Anonymous web browsing.

Graham McKay

No matter how high the wall is of a walled garden some rats will still get in. I note to my clients that the iOS & Mac App Stores are far far less likely to have malware but they should still read reviews & ratings of any app (and maybe also visit the developer’s website) before buying/downloading.

Any security setup should have multiple layers and this is the case for iOS where sandboxing blocks (mostly) any inter-app data stealing so installed malware is less likely to cause disaster.

daemon

TOR is not a browser, it’s a virtual routing network, hence the name “The Onion Router.” It works by using encryption layers that tell each node where to send the packet to next; the node doesn’t know where it came from, just where it needs to send it next. This routing makes anonymous web browsing practically available. However, there’s still the entire argument that each computer’s exposed resources are enough to track an individual computer’s usage across multiple domains, regardless of what anonymizing steps are taken.
