Skip to main content

Hundreds Of Apps Banned From App Store For Accessing Users’ Personal Information

Image
By

Hundreds of iOS applications have been pulled out of the App Store, following a report from analytics service SourceDNA, which uncovered a group of applications that were extracting users’ personally identifiable information, including email addresses associated with their Apple IDs, devices and peripheral serial numbers, as well as a list of apps installed on their phone. The applications in question had been using an SDK from a Chinese advertising company called Youmi which was accessing this information by way of private APIs, the report found.
Nearly all of the developers were located in China so, for now, this appears to be an isolated incident. However, the larger concern here has to do with how long this activity had been taking place – and what that means in terms of Apple’s App Store review process, given that it hadn’t caught this suspect activity until being alerted to it by a third party.
According to SourceDNA, Youmi had apparently been experimenting with what sort of information it could pull from users’ devices for some time. Nearly two years ago, for example, the firm began obfuscating a call to get the frontmost (currently running) app’s name – seemingly a small test of what it could sneak into the App Store. And when it realized that it was able to get this through Apple’s App Review process, it then began to use the same obfuscation technique to request other data, including the advertising ID.
The ad ID can be accessed for tracking ad clicks, but given that Youmi was surreptitiously collecting it, the firm may have been using it for other purposes, the report speculates.
In addition, SourceDNA noted that while Apple had been locking down private APIs in order to prevent apps from reading the platform serial number in iOS 8, Youmi worked around this by enumerating peripheral devices, like the battery system. It would then send those serial numbers as the hardware identifier.
SourceDNA, which helps app developers improve their code and address security flaws, says it found what Youmi was up to when it was updating its Searchlight product to check for use of private APIs – something that should get developers’ apps banned from the App Store. Surprisingly, it actually found quite a few apps that had gotten through.
In total, SourceDNA came across 256 apps with an estimated total of 1 million downloads that had been using a version of the Youmi SDK that was violating user privacy. However, the company adds it’s possible that the developers themselves didn’t realize what the SDK was doing, as the user data is uploaded to Youmi’s server.
What’s more concerning here is the implication of SourceDNA’s findings. The obfuscation method is fairly simple, the company says, and the apps have been using it for a long period of time. In fact, SourceDNA’s founder Nate Lawson tells us this has been going on for about a year-and-a-half.

Related Articles

Apple Removes 'A Few' Apps Including Ad Blockers From App Store For Installing Root CertificatesApple Asks Developers To Verify Their Version Of Xcode Following Malware Attack On Chinese App StoreSecure Messaging App Wiper Adds Bitcoin Support, Gets Yanked In China
“We’re concerned other published apps may be using different but related approaches to hide their malicious behavior,” a SourceDNA blog post states. “We’re continuing to add new features to our engine to discover anomalous behavior in app code and find out if this is the case.”
SourceDNA submitted its report to Apple, and Apple replied by offering the company a statement (see below) indicating the apps in question had been banned. Apple says it’s now working with developers who were using Youmi’s SDK to get their apps updated to be in compliance with Apple’s guidelines so they can return to the App Store.
Apple’s statement:
“We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines. The apps using Youmi’s SDK have been removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.”

Comments

Post a Comment

Popular posts from this blog

SoftBank Lands $236M From Alibaba And Foxconn To Bring Its Pepper Robot To The World

By
Remember Pepper,  the intelligent robot that SoftBank unveiled last year ? Pepper goes on sale in Japan this coming weekend, but in advance of that launch  SoftBank has revealed  that Alibaba and manufacturer Foxconn have invested $118 million each in its robotics division. That deal will give Alibaba and Foxconn 20 percent shares in SoftBank Robotics Holdings (known as SBRH), with SoftBank retaining a dominant 60 percent stake. “SoftBank, Alibaba and Foxconn will build a structure to bring Pepper and other robotics businesses to global markets, and cooperate with the aim of spreading and developing the robotics industry on a worldwide scale,” SoftBank said in its announcement. SoftBank isn’t short on money, of course — it is building up quite a portfolio of e-commerce investments across Asia — but its two partners bring know-how, strategy and global networks to the table. So, it looks like Pepper has eventual world domination plans. Or, at least, ...
Post a Comment
Read more

Apple to release new small phone before iPhone 7

By
Apple to release new small phone before iPhone 7 Apple is to create a smaller, cheap version of the iPhone, persistent to the 4 inch size of the iPhone 5. Apple is testing 5 different iPhone 7 models. It will sell next to Apple’s existing phones however mark the first time that Apple has ready a latest phone smaller than the one it locate on sale before. There will be the choice of 2 or three colours likely the  gold, space grey  and silver options that mainly Apple products now coming up. Other than inside there will be very much better components. The flagship improve will be the addition of the A9 chip that powers the iPhone 6S. There may also be a number of changes to the outside. The most able to be seen is apt to be the addition of the somewhat curved edges that are found on the iPhone 6 and 6S. careinfo.in Apple  dropped the iPhone 5C previous this year. A number of hoped that it would be replaced by a 6C, though reports at the time made clear that we...
Post a Comment
Read more

How ad-free subscriptions could solve Facebook

By
At the core of Facebook’s “well-being” problem is that its business is directly coupled with total time spent on its apps. The more hours you pass on the social network, the more ads you see and click, the more money it earns. That puts its plan to make using Facebook healthier at odds with its finances, restricting how far it’s willing to go to protect us from the harms of over use. The advertising-supported model comes with some big benefits, though. Facebook CEO Mark Zuckerberg has repeatedly said that “We will always keep Facebook a free service for everyone.” Ads lets Facebook remain free for those who don’t want to pay, and more importantly, for those around the world who couldn’t afford to. Ads pay for Facebook to keep the lights on, research and develop new technologies, and profit handsomely in a way that attracts top talent and further investment. More affluent users with more buying power in markets like the US, UK, and Canada command higher ad prices, effectively...
1 comment
Read more

Facebook will verify the location of U.S. election ad buyers by mailing them postcards

By
Facebook’s global director of policy programs says it will start sending postcards by snail mail to verify buyers of ads related to United States elections. Katie Harbath, who described the plan at a conference held by the National Association of Secretaries of State this weekend, didn’t reveal when the program will start, but told Reuters that it would be before the Congressional midterm elections in November. The cards will be sent to people who want to purchase ads that mention candidates running for federal offices, but not issue-based political ads, Harbath said, and contain a code that buyers need to enter to verify that they are in the U.S. The program is similar to ones used by Google My Business and Nextdoor when they need to verify business owners or users who want to join closed neighborhood groups, respectively. Harbath told Reuters that the postcards “won’t solve everything,” but were the most effective method the company came up with to prevent people from using fa...
1 comment
Read more