Skip to main content

Hundreds Of Apps Banned From App Store For Accessing Users’ Personal Information

Image
By

Hundreds of iOS applications have been pulled out of the App Store, following a report from analytics service SourceDNA, which uncovered a group of applications that were extracting users’ personally identifiable information, including email addresses associated with their Apple IDs, devices and peripheral serial numbers, as well as a list of apps installed on their phone. The applications in question had been using an SDK from a Chinese advertising company called Youmi which was accessing this information by way of private APIs, the report found.
Nearly all of the developers were located in China so, for now, this appears to be an isolated incident. However, the larger concern here has to do with how long this activity had been taking place – and what that means in terms of Apple’s App Store review process, given that it hadn’t caught this suspect activity until being alerted to it by a third party.
According to SourceDNA, Youmi had apparently been experimenting with what sort of information it could pull from users’ devices for some time. Nearly two years ago, for example, the firm began obfuscating a call to get the frontmost (currently running) app’s name – seemingly a small test of what it could sneak into the App Store. And when it realized that it was able to get this through Apple’s App Review process, it then began to use the same obfuscation technique to request other data, including the advertising ID.
The ad ID can be accessed for tracking ad clicks, but given that Youmi was surreptitiously collecting it, the firm may have been using it for other purposes, the report speculates.
In addition, SourceDNA noted that while Apple had been locking down private APIs in order to prevent apps from reading the platform serial number in iOS 8, Youmi worked around this by enumerating peripheral devices, like the battery system. It would then send those serial numbers as the hardware identifier.
SourceDNA, which helps app developers improve their code and address security flaws, says it found what Youmi was up to when it was updating its Searchlight product to check for use of private APIs – something that should get developers’ apps banned from the App Store. Surprisingly, it actually found quite a few apps that had gotten through.
In total, SourceDNA came across 256 apps with an estimated total of 1 million downloads that had been using a version of the Youmi SDK that was violating user privacy. However, the company adds it’s possible that the developers themselves didn’t realize what the SDK was doing, as the user data is uploaded to Youmi’s server.
What’s more concerning here is the implication of SourceDNA’s findings. The obfuscation method is fairly simple, the company says, and the apps have been using it for a long period of time. In fact, SourceDNA’s founder Nate Lawson tells us this has been going on for about a year-and-a-half.

Related Articles

Apple Removes 'A Few' Apps Including Ad Blockers From App Store For Installing Root CertificatesApple Asks Developers To Verify Their Version Of Xcode Following Malware Attack On Chinese App StoreSecure Messaging App Wiper Adds Bitcoin Support, Gets Yanked In China
“We’re concerned other published apps may be using different but related approaches to hide their malicious behavior,” a SourceDNA blog post states. “We’re continuing to add new features to our engine to discover anomalous behavior in app code and find out if this is the case.”
SourceDNA submitted its report to Apple, and Apple replied by offering the company a statement (see below) indicating the apps in question had been banned. Apple says it’s now working with developers who were using Youmi’s SDK to get their apps updated to be in compliance with Apple’s guidelines so they can return to the App Store.
Apple’s statement:
“We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines. The apps using Youmi’s SDK have been removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.”

Comments

Post a Comment

Popular posts from this blog

The Eight Most Impactful Excel Shortcuts That You Should Master

By
If you’ve ever gone online to research improving your Excel skills, you’ve undoubtedly come across a post or two listing all of Excel’s keyboard shortcuts.  In the latest version of Excel, Microsoft has made it easier than ever to learn shortcuts, by assigning shortcuts to nearly every function and making the discovery of the input sequence very transparent. While memorizing Excel shortcuts will generally improve your productivity, not all shortcuts are created equal.  Shortcuts that you never use are not inherently not very useful and not worth memorizing.  Your focus should be on the shortcuts that have the most impact – either by the amount of time it saves you, the frequency that you’ll use them, or the behavior it encourages. If you’ve already started using Excel or just haven’t utilized shortcuts heavily before, review the top eight shortcuts below.  For any that you don’t know already, I would suggest memorizing them and incorp...
Post a Comment
Read more

Google Announces Android Wear Update With WiFi Support, Always-On Apps, And More

By
It has been a while since Android Wear got any substantial updates, but today Google is announcing a big one. A new version of Wear will be rolling out over the coming weeks that includes a number of previously rumored features (like WiFi support) and some all new stuff (like always-on apps). Most Wear devices use the always-on ambient mode for the watch face by default, the Moto 360 being a notable exception. The new Android Wear version allows apps to operate in ambient mode too, so they remain active when the watch goes to sleep. That makes it easier to take a quick glance at the app instead of waking the device up and opening the app all over again. The watch will still only go into full-color mode when necessary. WiFi support is also coming in the update, which means your watch can be useful even if your phone isn't connected. Watches with WiFi support will be able to connect to WiFi and still get messages and notifications from your phone, provided it has an interne...
Post a Comment
Read more

Facebook will verify the location of U.S. election ad buyers by mailing them postcards

By
Facebook’s global director of policy programs says it will start sending postcards by snail mail to verify buyers of ads related to United States elections. Katie Harbath, who described the plan at a conference held by the National Association of Secretaries of State this weekend, didn’t reveal when the program will start, but told Reuters that it would be before the Congressional midterm elections in November. The cards will be sent to people who want to purchase ads that mention candidates running for federal offices, but not issue-based political ads, Harbath said, and contain a code that buyers need to enter to verify that they are in the U.S. The program is similar to ones used by Google My Business and Nextdoor when they need to verify business owners or users who want to join closed neighborhood groups, respectively. Harbath told Reuters that the postcards “won’t solve everything,” but were the most effective method the company came up with to prevent people from using fa...
1 comment
Read more

Budding #entrepreneur from Chandigarh University!!

By
Budding #entrepreneur from Chandigarh University!! #CU #students unfolded their creative ideas and presented them with a productive shape! Meet Our #Automobile #Engineering student - Trilok Singh, who has started his own start-up with the name GEARR TECHNOLOGIES under the guidance of CU-TBI. This start up focuses on affordable high end #Bicycles and its high #technology equipment’s. This start- up will bring to the Indian audience the scope of Products, #innovation, creativity and customization available in the market. Watch the video!!
Post a Comment
Read more

South Korea aims for startup gold

By
Back in 2011, when South Korea won its longshot bid to host the 2018 Winter Olympics, the country wasn’t widely recognized as a destination for ski and snow lovers. It wasn’t considered much of a tech startup hub either. Fast forward seven years and a lot has changed. For the next 10 days, the eyes of the world will be on the snowy slopes of PyeongChang. Meanwhile, a couple of hours away in Seoul, a burgeoning startup scene is seeing investments multiply, generating exits and even creating a unicorn or two. While South Korea doesn’t get a perfect score as a startup innovation hub, it has established itself as a serious contender. More than half a billion dollars annually has gone to seed through late-stage funding rounds for the past few years. During that time, at least two companies, e-commerce company Coupang and mobile-focused content and commerce company Yello Mobile, have established multi-billion-dollar valuations. To provide a broader picture of how South Korea stacks ...
Post a Comment
Read more