Apple has unleashed a new certificate revocation server called ppq.apple.com. Here’s how you can block it and keep your apps safe.
Table of Contents
What is ppq.apple.com?
Since the past few months, a lot of sideloaders have been reporting app revokes on a regular basis. Surprisingly, these certificate revocations were happening even though many users had blocked the oscp.apple.com server.
Upon further investigation, I found that a commonality that all these users share is an unblocked ppq.apple.com.
None of these users had blocked this server and this is why their apps were getting revoked left and right.
ppq.apple.com is Apple’s application verification server that also doubles up as a certificate revocations server.
Although it has been around for a long time, Apple only recently began using it for app revokes.
How ppq.apple.com works
- The user installs an application from an app installer such as AppValley or TutuApp.
- The user uses the app as long as its enterprise certificate works.
- ppq.apple.com checks the expiry status of the certificate.
- If the certificate has expired, the app gets revoked.
- The user can no longer open or use the app.
You can block it using the process explained here. Just replace oscp.apple.com with this server.
- Tutorial – How to stop App Revokes permanently
Important – Once you block it, be sure to unblock it again temporarily once you try to install a new app using enterprise certificates. Your device will need to communicate with this server to authenticate certificates. If you don’t do so, you will not be able to install new applications.
Should I block ppq.apple.com?
With jailbreak
If you running a jailbreak on your device, you should not block this server. The reason behind this is that it can cause you to lose your jailbreak, forcing you to upgrade.
A majority of jailbreak users use a powerful ad blocker like AdMissile to modify their hosts file. The modified hosts file persists even in non-jailbreak mode, resulting in a failed reinstall of the jailbreak app by sideloading.
- The user blacklists ppq.apple.com in the hosts file.
- Once the jailbreak expires, the user then tries to sideload it with Cydia Impactor.
- Cydia Impactor installs the app into the device.
- The user then tries to authenticate the app.
- Authentication fails because the device can’t reach ppq.apple.com server due to the hosts file block in place.
- Since there’s no way to modify the hosts file in non-jailbreak mode, the user will need to upgrade eventually.
Recently, a jailbreak also lost his jailbreak exactly in this manner.
Therefore, blacklisting this server on a jailbroken device is not a good idea. However, if you do want to go ahead with it, I recommend using an Ad Blocker app from the App Store only.
Without Jailbreak
You can freely block this server and other servers if you don’t have a jailbreak. Just be sure to use a decent app such AdBlocker by FutureMind and you will be good to go.
All changes you make in non-jailbreak mode are easily reversible. Even if you modify your hosts file, all changes will go away once you uninstall the ad blocker applications.
Remember, the apps you sideload with Cydia Impactor utility will be unaffected by this trick.
Did this trick work for you? If yes, leave a comment below.
For more sideloading tips and tricks, like and subscribe to us on Twitter and Facebook.
Is it permanent when i block ppq the app is not gonna expire??
What if i block both ocsp and ppq does the app still gonna expire ot its already permanent until i remove the ppq blacklist in the host file??
No, the app won’t expire then. However, if you remove them, then they will. Hope this helps.
Gotta ask what if i blocked the ppq.apple.com does that stop the app certificate to exp? Or did i just stop the revokes and the app still crash when the ent certificate expires?