More than 250 iOS apps were found in violation of Apple’s App Store privacy policy, scooping up data from one millions users estimated to have downloaded the offending apps.
SourceDNA, an analytics service that uncovered this seedy app behaviour, found that the apps were gathering email addresses associated with the user’s Apple ID, plus a list of all the apps users had installed, serial numbers, and other information that can be used to personally identify and track users.
The apps were violating privacy by pulling data from private APIs, in a breach so secret that the app developers themselves are not likely to have known about it. Chinese company Youmi reportedly accessed the apps’ private APIs through a third-party advertising SDK that stored the data and sent it to its own servers, and apparently Youmi’s been pulling data from devices for about two years now, reports Ars Technica.
According to SourceDNA, Youmi bypassed Apple’s app review process by testing what apps could sneak by, then used the same obfuscation technique to request user data. SourceDNA found that while Apple was locking down on private APIs to prevent apps from getting the platform serial number in iOS 8, Youmi worked around it enumerating peripheral devices, like the battery system, then sent the serial numbers as a hardware identifier.
Apple has since patched its approval processes to prevent future apps using a similar technique from getting into the App Store. The company released a statement confirming the SourceDNA findings, saying that they are “working closely with developers to help them get updated versions of their apps that are safe for customers.” Here’s the entire statement:
We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines. The apps using Youmi’s SDK have been removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.
One would hope Apple should have been screening for this kind of thing. The SourceDNA blog post doesn’t list the offending apps by name, but privately provided a list to Apple, so it’s on them to ensure the app review process catches these third-party companies vying for our info.
[Ars Technica via SourceDNA]
Image: Jason Howie/Flickr