A recent discovery showed that hundreds of iOS apps gather personal data from users using a method that is prohibited by App Store guidelines. The unauthorized collection places thousands of users at risk of hacking and identity theft.
SourceDNA, an analytics service that monitors Android and iOS code, found hundreds of iOS apps that collect personal user information, such as Apple ID email addresses and device identifiers. The collection was done using a Chinese third-party advertising SDK called Youmi, which is disallowed by App Store guidelines.
SourceDNA used its new developer tool, Searchlight, to identify 256 affected apps, with a total download count of about 1 million, that use one version of Youmi. The method violated user privacy. The report stated that the majority of the developers who used the prohibited SDK are situated in China. Several users most likely did not recognize the threat because the tool kit was obfuscated and rendered in binary form.
According to Ars Technica, the affected apps collected four major classes of information using Youmi. The personal data is allegedly collected using private APIs and then transferred using Youmi’s servers in China. The classes included a list of all apps installed by users on their phones; the platform serial number of iPhones or iPads running older iOS versions; a list of hardware components, along with the components' serial numbers, on devices running newer iOS versions; and the e-mail address linked with the user’s Apple ID.
Apple stated that it will remove apps with Youmi from the App Store and deny future submissions that use the SDK. Apple mentioned that it has identified the affected apps developed by Youmi. The company acknowledged that the approach is a violation of its security and privacy guidelines. The apps with the mobile advertising provider’s SDK have already been removed from the App Store, and future submissions will be rejected too. Apple added that it is working closely with developers to obtain updated versions of their apps that comply with its guidelines and are deemed safe for customers.
Apple received a full list of affected apps from SourceDNA, numbering around 250, although the list was not provided to the public. Developers can check whether their apps are among those affected via the Searchlight tool.
More updates and details on the Youmi-developed apps are expected soon.