READ MORE // This is the App Jihadists use
Analytics service SourceDNA brought the malicious behaviour to Apples attention after finding that the apps in question were collecting the email addresses associated with users Apple ID, as well as collecting serial numbers of phones, other installed apps and more information that could potentially used to track and ID users.
The apps in question pulled data from private APIs, meaning developers were likely completely unaware.
China-based Youmi accessed the APIs via a third-party advertising SDK, which stores the data and sent it to its own servers.
To make it worse, ARS Technica reports that Youmi has been doing this for almost two years.
SourceDNA reported that Youmi got around Apple’s tough app review process by testing what the app could or couldn’t sneak by them, then used that technique to attain user data. While Apple was busy locking down on private APIs to stop apps from getting serial numbers in iOS 8, Youmi was busy working around that by ‘enumerating peripheral devices, like the battery system, then sent the serial numbers as a hardware identifier’.
Apple has since fixed the approval process to prevent any apps from using the same technique in the future, thereby hopefully keeping the App Store clean. The Cupertino, California company released a statement saying that SourceDNA’s findings are accurate, and that they are “working closely with developers to help them get updated versions of their apps that are safe for customers.”
Here’s the entire statement:
[…We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines. The apps using Youmi’s SDK have been removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly….]
Apple should have been screening for this stuff before, but it would be hard to fix a bug unless you knew about it. SourceDNA hasn’t mentioned the effected apps by name in it’s blog post, but has told Apple privately.
Image: Jason Howie/Flickr