Apple today removed more than 250 apps from its App Store that were using software from a Chinese advertising company that secretly accessed and stored users' personal information. The firm, called Youmi, provided app makers with a software development kit (SDK) that would glean which apps a user had downloaded, that user's email address, and the serial number of their smartphone, according to mobile security company SourceDNA. The affected apps had a combined total of 1 million downloads.
The app makers that relied on Youmi's SDK, most of which are based in China, may not have knowingly violated Apple's security and privacy guidelines. "We believe the developers of these apps aren’t aware of this since the SDK is delivered in binary form, obfuscated, and user info is uploaded to Youmi’s server, not the app’s. We recommend developers stop using this SDK until this code is removed," reads SourceDNA's blog post.
Youmi's SDK had user data sent to its own private server
It's unclear how Youmi's SDK didn't raise red flags at Apple. SourceDNA thinks the ad company has likely been experimenting for years with ways to tap into iOS's restricted application programming interfaces (APIs) to gather info only Apple should be able to view. That would normally prevent an app from making it through the review process. Yet as Youmi tested the limits of its SDK, it appears to have slipped through somehow and begun bolder data collection.
SourceDNA only discovered Youmi's SDK when updating its own product, called Searchlight, that inspects apps for security and privacy violations. The instance, though isolated, may have broader implications for Apple. "We’re concerned other published apps may be using different but related approaches to hide their malicious behavior," SourceDNA's blog post states.
In a statement provided to The Verge, Apple says all apps relying on the SDK have been removed. It's now working with developers to ensure their software is in compliance with the App Store guidelines:
We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server.
This is a violation of our security and privacy guidelines. The apps using Youmi’s SDK have been removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.