Apple recently suffered a rare breakdown of its App Store review policies. Because of that lapse, a couple hundred apps that used private APIs to collect personal information from users made their way into the App Store -- but Apple has confirmed that it pulled the offending apps. Analytics service SourceDNA first noticed these problematic apps and discovered that a third-party SDK for Chinese advertising platform Youmi was grabbing device serial numbers, lists of installed apps and the phone's Apple ID email address.
In all, 256 apps that had been downloaded about a million times in total were using the Youmi SDK, with most installs happening in China. That's a relatively small number, but the ease with which the Youmi SDK was able to disguise its data-gathering techniques makes SourceDNA concerned that other apps may contain similar nefarious code. It appears the developers are innocent in this case -- the SDK uploaded the collected data to Youmi, not the developers themselves, and given the level of obfuscation here it seems that developers didn't even know the SDK was gathering this data. On its end, Apple says it is working with developers to help them get safe versions of their apps back in the store.
Apple released the following statement regarding this security concern:
We've identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines. The apps using Youmi's SDK have been removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.