Hundreds Of Apps Banned From App Store For Accessing Users’ Personal Information


Hundreds of iOS applications have been pulled from the App Store following a report from analytics service SourceDNA, which uncovered a group of applications that were extracting users’ personally identifiable information, including email addresses associated with their Apple IDs, device and peripheral serial numbers, and a list of apps installed on their phones. The applications in question had been using an SDK from a Chinese advertising company called Youmi, which was accessing this information by way of private APIs, the report found.
Nearly all of the developers were located in China so, for now, this appears to be an isolated incident. However, the larger concern here has to do with how long this activity had been taking place – and what that means in terms of Apple’s App Store review process, given that it hadn’t caught this suspect activity until being alerted to it by a third party.
According to SourceDNA, Youmi had apparently been experimenting with what sort of information it could pull from users’ devices for some time. Nearly two years ago, for example, the firm began obfuscating a call to get the frontmost (currently running) app’s name – seemingly a small test of what it could sneak into the App Store. And when it realized that it was able to get this through Apple’s App Review process, it then began to use the same obfuscation technique to request other data, including the advertising ID.
The ad ID can be accessed for tracking ad clicks, but given that Youmi was surreptitiously collecting it, the firm may have been using it for other purposes, the report speculates.
In addition, SourceDNA noted that while Apple had been locking down private APIs in order to prevent apps from reading the platform serial number in iOS 8, Youmi worked around this by enumerating peripheral devices, like the battery system. It would then send those serial numbers as the hardware identifier.
SourceDNA, which helps app developers improve their code and address security flaws, says it found what Youmi was up to when it was updating its Searchlight product to check for use of private APIs – something that should get developers’ apps banned from the App Store. Surprisingly, it actually found quite a few apps that had gotten through.
In total, SourceDNA came across 256 apps with an estimated total of 1 million downloads that had been using a version of the Youmi SDK that was violating user privacy. However, the company adds it’s possible that the developers themselves didn’t realize what the SDK was doing, as the user data is uploaded to Youmi’s server.
What’s more concerning here is the implication of SourceDNA’s findings. The obfuscation method is fairly simple, the company says, and the apps have been using it for a long period of time. In fact, SourceDNA’s founder Nate Lawson tells us this has been going on for about a year and a half.
“We’re concerned other published apps may be using different but related approaches to hide their malicious behavior,” a SourceDNA blog post states. “We’re continuing to add new features to our engine to discover anomalous behavior in app code and find out if this is the case.”
SourceDNA submitted its report to Apple, and Apple replied by offering the company a statement (see below) indicating the apps in question had been banned. Apple says it’s now working with developers who were using Youmi’s SDK to get their apps updated to be in compliance with Apple’s guidelines so they can return to the App Store.
Apple’s statement:
“We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines. The apps using Youmi’s SDK have been removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.”
