An iOS Tor Browser hosted for download on Apple’s notoriously restrictive App Store is reportedly a fake. Worse yet, not only is the application said to be illegitimate, but also allegedly malicious.

According to a support ticket opened by a Tor Project volunteer operating under the handle Phobos, this iOS Tor Browser in the App Store is “full of adware and spyware.”

Threatpost reached out to the Tor Project’s Runa Sandvik and asked of there was any way to confirm that the app did indeed contain adware and spyware.

“Yes, but that would involve using the app and analyzing what it does,” Sandvik responded. “One could also attempt to reverse engineer it.”

Phobos submitted a complaint with Apple regarding the application on Dec. 26. Apple responded shortly thereafter, saying they would give the app’s developer a chance to defend the app. Since that time, more than three months ago, it seems there has been no further response from Apple. As far as we can tell, the malicious application remains available for download.

As recently as six weeks ago, Phobos indicated on the ticket that they would attempt to contact Apple again.

“Maybe we need to bypass their process, since it’s been weeks and they’re still putting users at risk?” chimed in another user on the ticket. “Or said another way, when do we start involving our personal contacts at Apple? And when do we start making a public fuss?”

The time for a public fuss apparently came yesterday:

“I think naming and shaming is now in order,” a third user said on the ticket. “Apple has been putting users at risk for months now.”

Following that, a number of prominent Tor advocates spoke up about the issue on Twitter.

It probably goes without saying that adware and spyware really undercut the efficacy of an application with the stated purpose of “empowering other apps to use the Internet more securely” and helping users “defend against a form of network surveillance that threatens the personal freedom and privacy.”

Much more seriously, the Tor Network provides cover for a wide spectrum of users – from activists to cybercriminals – who can’t afford to have their traffic monitored. In the most extreme cases, the traffic anonymization service that Tor provides is the only thing standing between an individual and persecution or even prosecution.

If you believe you need or just want to anonymize your Web surfing – for whatever reason – the best option is to download the Tor Browser Bundle directly from the Tor Project website.

Categories: Malware, Mobile Security