Apple Boots 256 Privacy-Infringing Apps from Its App Store

Apple has removed over 250 applications from its App Store after the discovery of a third-party advertising software development kit (SDK) that actively gathered App Store bannerusers’ personal and device data.

Security research firm SourceDNA’s discovery of hundreds of applications in the iOS store that were siphoning user’s information such as email addresses and more — in a direct violation of Apple’s policies – has resulted in Apple removing the applications from the App Store.

This is the second major malware breakout affecting the App Store despite its supremely careful vetting process after the recent incident with XcodeGhost.

Speaking to ArsTechnica, Nate Lawson, founder of SourceDNA notes:

This is the first time we’ve found apps live in the App Store that are violating user privacy by pulling data from private APIs. This is actually an obfuscated toolkit for extracting as much private information as it can. It’s definitely the kind of stuff that Apple should have caught.

The Youmi SDK

Estimates peg the 256 apps to be downloaded over a million times already. Most of the apps are from Chinese-based developers, all of whom who used an advertising SDK called Youmi. Unbeknownst to them, Youmi contains code that allows any applications developed with the SDK to siphon user data to upload it to servers owned by Youmi.

Research firm SourceDNA uncovered that older applications running previous versions of Youmi’s SDK do not call private APIs. However, Youmi’s developers in the past year have experimented with the feature and having gotten through the strict App Review process, released more versions of the SDK which started gathering information such as:

  • The list of applications running on the iPhone or the iPad.
  • The platform serial number of the iOS device.
  • A list of hardware components on devices that are running newer versions of iOS along with the serial numbers of the peripherals.
  • The user’s Apple ID.

While the applications were not named, it is important to note that Youmi’s developers or management did not reveal any data-gathering habits to the developers of other applications adopting the SDK. Lawson revealed one application, McDonald’s iOS app in China that collected user data without the users’ nor the fast-food company’s knowledge.

Apple released a statement addressing the situation and has confirmed that applications with Youmi’s SDK have been removed.

“We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server.”

This is a violation of our security and privacy guidelines.

Furthermore, Apple has also stated that the company is working with developers to help get their applications updated to a version that does not make use of the Youmi SDK.

Images from Shutterstock.

Samburaj is the contributing editor at Hacked and keeps tabs on science, technology and cyber security.