Microsoft and Mozilla have taken strict action against a certificate authority accused of having close ties to a US military contractor that allegedly paid software developers to embed data-harvesting malware in mobile apps.
The CA, TrustCor, has denied the allegations. However, Mozilla program manager Kathleen Wilson said the concerns were "substantiated" enough for Mozilla to set a distrust date of November 30 for TrustCor's root certificates.
TrustCor executive Rachel McPherson said Microsoft had set a distrust date of November 1 for her company's certs.
"Microsoft gave us no advance notice of this decision," McPherson said.
"We have never been accused of, and there is no evidence to suggest that TrustCor violated conduct, policy, or procedure, or wrongfully issued trusted certificates, or worked with others to do so. We have not done any of those things."
Apple said the findings "lend themselves to reasonable doubt about [TrustCor's] ability to operate as a publicly trusted CA."
Early this year, data-harvesting malware was discovered by University of Calgary professor and AppCensus co-founder Joel Reardon in a collection of Android apps (including a speed camera radar app, Muslim prayer apps, a QR scanner, a weather app, and more) that had been downloaded more than 46 million times in total.
Reardon emphasized that he had "no evidence that Trustcor has done anything wrong" or "has been anything other than a diligent competent certificate authority."
However, he added on the public discussion board: "Were Trustcor simply an email service that misrepresented their claims of E2E encryption and had some connections to lawful intercept defense contractors, I would not raise a concern in this venue. But because it is a root certificate authority on billions of devices – including mine – I feel it is reasonable to have an explanation."