Apple has yanked around more than 250 applications from the App Store, after discovering an SDK tool was secretly collecting user data.
The affected apps had made use of an SDK from third-party advertising provider Youmi, which unbeknownst to the app developers had been using a hidden private API gathering users’ email addresses and device serial numbers.
The discovery was made by code analytics platform SourceDNA (via 9to5Mac), revealing how the apps had slipped past Apple’s review process. The company said the affected apps (256 in total) had been downloaded around a million times.
The apps haven’t been listed, but they’re believed to be primarily aimed at the Chinese market.
Confirming the issue, Apple said it is now working with the developers in order to get those apps back on the App Store sooner rather than later, minus the malicious API.
In a statement on Monday, Apple wrote: “We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines.
See also: iPhone 6S review
Whether there are other third-party mobile advertising services pulling similar scams remains to be seen, but SourceDNA suggests it’ll may more prevalent than currently known.
“Given how simple this obfuscation is and how long the apps have been
available that have it,” the site wrote, “we’re concerned other published apps may be
using different but related approaches to hide their malicious behavior.”