Apple has found several hundred apps in its iOS App Store using a private API to collect users' personal data and device-related data through a third-party advertising SDK. Although Apple has an approval procedure that apps go through before being listed on the App Store, some apps slip through the process undetected.
According to SourceDNA, a code analytics platform, a total of 256 apps have been found collecting device and user data, including Apple ID, apps installed, serial number, and the platform serial number. However, SourceDNA, which detected the issue, says that the developers of these apps likely did not know what was happening. All 256 apps had one thing in common: they were using the Youmi SDK. The SDK was able to obtain all of the user and device-related information without any prior indication, and without the user being aware of what information was being collected.
All of the apps that are now gone from the App Store have been downloaded over a million times. All of these apps were targeting the Chinese market; however, SourceDNA suggests that the issue may extend to other markets as well. Apple was quick to respond to the issue and has already started removing the affected apps from its iOS App Store. Here is what Apple said in a statement:
We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines. The apps using Youmi’s SDK have been removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.
SourceDNA has provided Apple with a complete list of affected apps but did not make the list public. However, it is known that the official McDonald's app in China is one of those applications. If you are an iOS developer and want to check whether your apps are affected, you can use the analytics firm's Searchlight tool.
This is not the first time Apple's iOS App Store has been hit with malicious software. A few weeks ago, the XcodeGhost iOS malware was disclosed, which originated from a malicious version of Xcode, Apple's official app development tool. Apple has already fixed the YiSpecter malware in iOS 8.4.