Hundreds Of Apps Banned From App Store For Accessing Users’ Personal Information


Hundreds of iOS applications have been pulled from the App Store following a report from analytics service SourceDNA, which uncovered a group of applications that were extracting users’ personally identifiable information, including email addresses associated with their Apple IDs, device and peripheral serial numbers, and a list of apps installed on their phones. The applications in question had been using an SDK from a Chinese advertising company called Youmi, which was accessing this information by way of private APIs, the report found.
Nearly all of the developers were located in China so, for now, this appears to be an isolated incident. However, the larger concern here has to do with how long this activity had been taking place – and what that means in terms of Apple’s App Store review process, given that it hadn’t caught this suspect activity until being alerted to it by a third party.
According to SourceDNA, Youmi had apparently been experimenting with what sort of information it could pull from users’ devices for some time. Nearly two years ago, for example, the firm began obfuscating a call to get the frontmost (currently running) app’s name – seemingly a small test of what it could sneak into the App Store. And when it realized that it was able to get this through Apple’s App Review process, it then began to use the same obfuscation technique to request other data, including the advertising ID.
The ad ID can be accessed for tracking ad clicks, but given that Youmi was surreptitiously collecting it, the firm may have been using it for other purposes, the report speculates.
In addition, SourceDNA noted that while Apple had been locking down private APIs in order to prevent apps from reading the platform serial number in iOS 8, Youmi worked around this by enumerating peripheral devices, like the battery system. It would then send those serial numbers as the hardware identifier.
SourceDNA, which helps app developers improve their code and address security flaws, says it found what Youmi was up to when it was updating its Searchlight product to check for use of private APIs – something that should get developers’ apps banned from the App Store. Surprisingly, it actually found quite a few apps that had gotten through.
In total, SourceDNA came across 256 apps with an estimated total of 1 million downloads that had been using a version of the Youmi SDK that was violating user privacy. However, the company adds it’s possible that the developers themselves didn’t realize what the SDK was doing, as the user data is uploaded to Youmi’s server.
What’s more concerning here is the implication of SourceDNA’s findings. The obfuscation method is fairly simple, the company says, and the apps have been using it for a long period of time. In fact, SourceDNA’s founder Nate Lawson tells us this has been going on for about a year-and-a-half.
“We’re concerned other published apps may be using different but related approaches to hide their malicious behavior,” a SourceDNA blog post states. “We’re continuing to add new features to our engine to discover anomalous behavior in app code and find out if this is the case.”
SourceDNA submitted its report to Apple, and Apple replied by offering the company a statement (see below) indicating the apps in question had been banned. Apple says it’s now working with developers who were using Youmi’s SDK to get their apps updated to be in compliance with Apple’s guidelines so they can return to the App Store.
Apple’s statement:
“We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines. The apps using Youmi’s SDK have been removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.”
