Skip to main content

Hundreds Of Apps Banned From App Store For Accessing Users’ Personal Information

Image
By

Hundreds of iOS applications have been pulled out of the App Store, following a report from analytics service SourceDNA, which uncovered a group of applications that were extracting users’ personally identifiable information, including email addresses associated with their Apple IDs, devices and peripheral serial numbers, as well as a list of apps installed on their phone. The applications in question had been using an SDK from a Chinese advertising company called Youmi which was accessing this information by way of private APIs, the report found.
Nearly all of the developers were located in China so, for now, this appears to be an isolated incident. However, the larger concern here has to do with how long this activity had been taking place – and what that means in terms of Apple’s App Store review process, given that it hadn’t caught this suspect activity until being alerted to it by a third party.
According to SourceDNA, Youmi had apparently been experimenting with what sort of information it could pull from users’ devices for some time. Nearly two years ago, for example, the firm began obfuscating a call to get the frontmost (currently running) app’s name – seemingly a small test of what it could sneak into the App Store. And when it realized that it was able to get this through Apple’s App Review process, it then began to use the same obfuscation technique to request other data, including the advertising ID.
The ad ID can be accessed for tracking ad clicks, but given that Youmi was surreptitiously collecting it, the firm may have been using it for other purposes, the report speculates.
In addition, SourceDNA noted that while Apple had been locking down private APIs in order to prevent apps from reading the platform serial number in iOS 8, Youmi worked around this by enumerating peripheral devices, like the battery system. It would then send those serial numbers as the hardware identifier.
SourceDNA, which helps app developers improve their code and address security flaws, says it found what Youmi was up to when it was updating its Searchlight product to check for use of private APIs – something that should get developers’ apps banned from the App Store. Surprisingly, it actually found quite a few apps that had gotten through.
In total, SourceDNA came across 256 apps with an estimated total of 1 million downloads that had been using a version of the Youmi SDK that was violating user privacy. However, the company adds it’s possible that the developers themselves didn’t realize what the SDK was doing, as the user data is uploaded to Youmi’s server.
What’s more concerning here is the implication of SourceDNA’s findings. The obfuscation method is fairly simple, the company says, and the apps have been using it for a long period of time. In fact, SourceDNA’s founder Nate Lawson tells us this has been going on for about a year-and-a-half.

Related Articles

Apple Removes 'A Few' Apps Including Ad Blockers From App Store For Installing Root CertificatesApple Asks Developers To Verify Their Version Of Xcode Following Malware Attack On Chinese App StoreSecure Messaging App Wiper Adds Bitcoin Support, Gets Yanked In China
“We’re concerned other published apps may be using different but related approaches to hide their malicious behavior,” a SourceDNA blog post states. “We’re continuing to add new features to our engine to discover anomalous behavior in app code and find out if this is the case.”
SourceDNA submitted its report to Apple, and Apple replied by offering the company a statement (see below) indicating the apps in question had been banned. Apple says it’s now working with developers who were using Youmi’s SDK to get their apps updated to be in compliance with Apple’s guidelines so they can return to the App Store.
Apple’s statement:
“We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines. The apps using Youmi’s SDK have been removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.”

Comments

Post a Comment

Popular posts from this blog

Visa confirms Coinbase wasn’t at fault for overcharging users

By
Yesterday, we wrote that Coinbase customers were being charged multiple times for past transactions. While some speculated that the erroneous withdraws were down to a Coinbase engineering issue, Coinbase issued a statement saying it wasn’t liable for the duplicate charges. The blame, instead, rested with Visa for the way it handled a migration of merchant categories for cryptocurrencies, Coinbase said. While you can read my post yesterday for an in-depth description of what happened, the basic gist is that Visa refunded and recharged (under a different merchant category) a month of old transactions. Many users saw the recharge come through before the refund processed, making it look like they were double charged. Honestly, the issue was likely exacerbated by existing payment rails — it’s normal for refunds to take multiple days to show up on credit and debit statements. But here’s where it gets weird — this morning Visa issued a statement to some publications shifting the blam...
Post a Comment
Read more

LeafLink Raises $750K To Become Salesforce For The Cannabis Industry

By
LeafLink , an NY-based wholesale management platform for the cannabis industry, has closed a $750k seed round led by group of NY angel investors. The software platform is designed to support participants in a B2B supply chain, providing basic tools designed to save money for retailers and allow producers to get better pricing for their product. These tools will include a centralized location to view correspondence between buyers and suppliers, inventory and order tracking tools, and a portal to discover new products and services so users can source leads and close deals from within the platform. Founders Ryan Smith and Zach Silverman explained that they “believe cannabis regulation and distribution is moving toward mimicking the alcohol industry with regional distributors and nonsensical supply chain participants”. By focusing on creating a supply chain similar to the alcohol industry, the company hopes to eventually be the universally accepted way for buyer...
Post a Comment
Read more

Here’s how to keep track of Elon Musk’s Roadster and Starman in space

By
Elon Musk’s Starman, the mannequin driver of the Tesla Roadster SpaceX launched aboard its Falcon Heavy rocket, is taking a trip around our solar system, in a large elliptical orbit that will bring him relatively close to Mars, the Sun and other heavenly bodies. But how to track the trip, now that the Roadster’s onboard batteries are out of juice and no longer transmitting live footage? Thanks to the work of Ben Pearson, a SpaceX fan and electrical engineer working in the aerospace industry, who created ‘Where is Roadster,’ a website that makes use of JPL Horizons data to track the progress of the Roadster and Starman through space, and to predict its path and let you know when it’ll come close to meeting up with various planets and the Sun. The website tells you the Roadster’s current position, too, as well as its speed and whether it’s moving towards or away from Earth and Mars at any given moment. It’s not officially affiliated with SpaceX or Tesla, but it is something Elon...
Post a Comment
Read more

Intel announces the first 14 nanometre processor

By
At the Computex conference in Taipei, chipmaker Intel has revealed a fanless mobile PC reference design using the first of its next-generation 14nm "Broadwell" processors. The 2 in 1 pictured here is a 12.5" screen that is just 7.2 mm thick with keyboard detached and weighs 670 grams.  The Surface Pro 3  – for comparison – is 9.1 mm thick and weighs 800 grams. It includes a media dock that provides additional cooling for a burst of performance. The next-generation chip is purpose-built for 2 in 1s and will hit the market later in  2014 . Called the Intel Core M, it will be the most energy-efficient Intel Core processor in the company's history with power usage cut by up to 45 percent, resulting in 60 percent less heat. The majority of designs based on this new chip are expected to be fanless, with up to  32 hours of battery life,  offering both a lightning-fast tablet and razor-thin laptop. Intel is also delivering innovation and performance for the ...
Post a Comment
Read more

SoftBank Lands $236M From Alibaba And Foxconn To Bring Its Pepper Robot To The World

By
Remember Pepper,  the intelligent robot that SoftBank unveiled last year ? Pepper goes on sale in Japan this coming weekend, but in advance of that launch  SoftBank has revealed  that Alibaba and manufacturer Foxconn have invested $118 million each in its robotics division. That deal will give Alibaba and Foxconn 20 percent shares in SoftBank Robotics Holdings (known as SBRH), with SoftBank retaining a dominant 60 percent stake. “SoftBank, Alibaba and Foxconn will build a structure to bring Pepper and other robotics businesses to global markets, and cooperate with the aim of spreading and developing the robotics industry on a worldwide scale,” SoftBank said in its announcement. SoftBank isn’t short on money, of course — it is building up quite a portfolio of e-commerce investments across Asia — but its two partners bring know-how, strategy and global networks to the table. So, it looks like Pepper has eventual world domination plans. Or, at least, ...
Post a Comment
Read more