SourceDNA has identified more than 250 apps (with an estimated 1 million downloads) that violate customer privacy. All the identified apps link back to a common codebase, the Youmi advertising SDK from China (via Ars Technica).
As detailed by SourceDNA, the analytics service that tracks iOS and Android code, the apps collect personal information by calling private APIs, which Apple forbids. This is the first time iOS apps have successfully slipped past the App Store review process using a method that would normally get an app rejected automatically.
In SourceDNA’s words, “We found four main groups of private APIs these apps are calling”:
– Enumerate the list of installed apps or get the frontmost app name
– Get the platform serial number
– Enumerate devices and get serial numbers of peripherals
– Get the user’s AppleID (email)
After the post went live on Ars, Apple reacted with the following statement:
“We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines. The apps using Youmi’s SDK have been removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.”
The discovery comes just a few weeks after a separate security report revealed that dozens of iOS apps collected private information – you may remember the buzz around apps developed with XcodeGhost.