For months, the Tor development team has been reporting to Apple that a fake and probably malicious Tor Browser app is available on the iOS App Store. The team has been unsuccessful at convincing the Apple folks, and the app is still available today. Yikes!
Last Wednesday, Tor Project team member Runa A. Sandvik decided to announce it on Twitter in an attempt to get a reaction from the Apple team. The tweet was addressed directly to them, asking them to take the fake Tor Browser off the App Store.
Records tracking the issue since it was discovered can be found on the Tor Project bug tracker. The first comment entry indeed notes a complaint filed with Apple on December 26th, 2013. Apple responded a few days later, stating they would now give the author a chance to defend his or her app. Time passed, and Tor waited patiently while sending more follow-up emails, until recently, when a call for “naming and shaming” Apple employees was made.
Tor Project, obviously angry at Apple’s unwillingness to remove the fake copy of Tor Browser, took additional action. Tor Project Leader Roger Dingledine announced Wednesday that he mailed Window Snyder and Jon Callas, both security expert advisors at Apple, asking them to take action. Failure to do so has been, and possibly still is, endangering iOS Tor users. As reported on the bug tracker, Plan C will be to call out high-profile Apple figures on Twitter, demanding an answer as to why they would let their users be exposed to malware for such a long period of time.
Anyone who has downloaded the Tor Browser Bundle published on the App Store by a developer by the name of Ronen should likely remove it right away. Until more information comes to light, it is hard to say what kind of vulnerabilities could have been taken advantage of. As security freaks, we highly suggest flashing the phone completely to remove any remaining files or malware if you want to be certain. It may be overkill, but we like it that way.
Apple has not yet commented on the issue.