Code analytics platform SourceDNA has found hundreds of apps on the App Store that used private APIs to collect private user data, like email addresses and device identifiers, slipping under Apple’s radar in the approval process. The code got into these apps through the inclusion of a mischievous third-party advertising SDK, which secretly stored this data and sent it off to its own servers.
Apple has now verified the SourceDNA report and is removing all of the apps that included the advertising SDK from the store, as using private API calls is a breach of the App Review Guidelines. Apple has also patched its approval processes to prevent any more apps that use this technique from making it onto the App Store.
The SDK under examination comes from a Chinese advertising company, Youmi. SourceDNA used its own binary search tools to find 256 apps that included the unscrupulous SDK, which have received over a million downloads in total.
The SDK used a variety of techniques and APIs to collect identifying personal information it shouldn’t normally be able to access. This includes device serial numbers, peripheral serial numbers, lists of installed apps and the user’s Apple ID email address. The analytics company speculates Youmi became more confident with its methods over time, slowly adding more and more data collection code over a two-year span.
In this instance, almost all of the offending apps were targeted at the Chinese market. However, given that evasion of Apple’s app review process has been going on for many months, SourceDNA is concerned that there may be other cases of similar bad behavior already on the App Store, as yet undetected.
This is Apple’s full statement on the matter.
“We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines. The apps using Youmi’s SDK have been removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.”
In other news
Google promoting hundreds of Play Store apps as advertising SDK found to collect user data. Developers will also receive a bag of marshmallows as a gift from the company
but…but…Google is always an appropriate response when you read Apple news you don’t like. :/
Amazing that this is exactly what they don’t want to do and it’s bloody good to see them acting like this – supports their business model very well and it’s a good thing that this has happened. Makes me more confident with Apple’s ethos!
But which apps? Where is the list? I see in this article ProCam 3 – I use that. Is that one removed? I’ve seen other articles – “Apple removing apps” – but none ever say which apps.
Most of the apps are for the Chinese market and would not affect the majority of western users.
Your graphic implicates the apps shown – not the case. Given that essentially ‘all’ of the apps identified as a problem with this issue are Chinese, I think this graphic is misleading. In fact your story minimizes the main point – that Chinese apps are becoming more and more problematic.
I think the real question is: How many apps, and how long, have been making use of private APIs using similar techniques? How many apps do we have in our devices that have bypassed App Store validation using similar procedures? And I assure you, as a developer, that this is not a difficult thing to do at all…
So it’s not only Android that has its flaws sometimes.
Apple has removed hundreds of apps from its App Store for reportedly gathering personal data secretively by using software kit developed by a Chinese company.
Security analytics company SourceDNA said that some apps are gathering e-mail addresses, unique serial numbers, and other information from Apple device users through private APIs.