
Apple pulls over 250 apps that secretly harvested user data


Apple has yanked more than 250 applications from the App Store after discovering that an SDK tool was secretly collecting user data.

The affected apps had made use of an SDK from third-party advertising provider Youmi, which, unbeknownst to the app developers, had been using a hidden private API to gather users' email addresses and device serial numbers.

The discovery was made by code analytics platform SourceDNA (via 9to5Mac), revealing how the apps had slipped past Apple’s review process. The company said the affected apps (256 in total) had been downloaded around a million times.

The apps haven’t been listed, but they’re believed to be primarily aimed at the Chinese market.

Confirming the issue, Apple said it is now working with the developers in order to get those apps back on the App Store sooner rather than later, minus the malicious API.

In a statement on Monday, Apple wrote: “We've identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines.

The apps using Youmi's SDK have been removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.”


Whether there are other third-party mobile advertising services pulling similar scams remains to be seen, but SourceDNA suggests it may be more prevalent than currently known.

"Given how simple this obfuscation is and how long the apps have been available that have it," the site wrote, "we’re concerned other published apps may be using different but related approaches to hide their malicious behavior."

Prem Desai

October 20, 2015, 5:06 am

Whether this was a one-off or there are other dodgy SDKs/APIs out there, one thing is very clear - the iOS platform is not as safe / secure as people think it is and that just because something has been 'signed' by Apple doesn't make it okay.

toboev

October 20, 2015, 6:50 am

But it is good to see that Apple do something about it, and don't just hush it up. I'm sure the same data-mining is prevalent in the Google Play store, maybe we will hear what Google is doing about it too?
On a technical note, can these rogue apps get their data without tripping a permission request?
