Skip to main content

Hundreds Of Apps Banned From App Store For Accessing Users’ Personal Information


Hundreds of iOS applications have been pulled out of the App Store, following a report from analytics service SourceDNA, which uncovered a group of applications that were extracting users’ personally identifiable information, including email addresses associated with their Apple IDs, devices and peripheral serial numbers, as well as a list of apps installed on their phone. The applications in question had been using an SDK from a Chinese advertising company called Youmi which was accessing this information by way of private APIs, the report found.
Nearly all of the developers were located in China so, for now, this appears to be an isolated incident. However, the larger concern here has to do with how long this activity had been taking place – and what that means in terms of Apple’s App Store review process, given that it hadn’t caught this suspect activity until being alerted to it by a third party.
According to SourceDNA, Youmi had apparently been experimenting with what sort of information it could pull from users’ devices for some time. Nearly two years ago, for example, the firm began obfuscating a call to get the frontmost (currently running) app’s name – seemingly a small test of what it could sneak into the App Store. And when it realized that it was able to get this through Apple’s App Review process, it then began to use the same obfuscation technique to request other data, including the advertising ID.
The ad ID can be accessed for tracking ad clicks, but given that Youmi was surreptitiously collecting it, the firm may have been using it for other purposes, the report speculates.
In addition, SourceDNA noted that while Apple had been locking down private APIs in order to prevent apps from reading the platform serial number in iOS 8, Youmi worked around this by enumerating peripheral devices, like the battery system. It would then send those serial numbers as the hardware identifier.
SourceDNA, which helps app developers improve their code and address security flaws, says it found what Youmi was up to when it was updating its Searchlight product to check for use of private APIs – something that should get developers’ apps banned from the App Store. Surprisingly, it actually found quite a few apps that had gotten through.
In total, SourceDNA came across 256 apps with an estimated total of 1 million downloads that had been using a version of the Youmi SDK that was violating user privacy. However, the company adds it’s possible that the developers themselves didn’t realize what the SDK was doing, as the user data is uploaded to Youmi’s server.
What’s more concerning here is the implication of SourceDNA’s findings. The obfuscation method is fairly simple, the company says, and the apps have been using it for a long period of time. In fact, SourceDNA’s founder Nate Lawson tells us this has been going on for about a year-and-a-half.
“We’re concerned other published apps may be using different but related approaches to hide their malicious behavior,” a SourceDNA blog post states. “We’re continuing to add new features to our engine to discover anomalous behavior in app code and find out if this is the case.”
SourceDNA submitted its report to Apple, and Apple replied by offering the company a statement (see below) indicating the apps in question had been banned. Apple says it’s now working with developers who were using Youmi’s SDK to get their apps updated to be in compliance with Apple’s guidelines so they can return to the App Store.
Apple’s statement:
“We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines. The apps using Youmi’s SDK have been removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.”

Comments

Popular posts from this blog

SoftBank Lands $236M From Alibaba And Foxconn To Bring Its Pepper Robot To The World

Remember Pepper,  the intelligent robot that SoftBank unveiled last year ? Pepper goes on sale in Japan this coming weekend, but in advance of that launch  SoftBank has revealed  that Alibaba and manufacturer Foxconn have invested $118 million each in its robotics division. That deal will give Alibaba and Foxconn 20 percent shares in SoftBank Robotics Holdings (known as SBRH), with SoftBank retaining a dominant 60 percent stake. “SoftBank, Alibaba and Foxconn will build a structure to bring Pepper and other robotics businesses to global markets, and cooperate with the aim of spreading and developing the robotics industry on a worldwide scale,” SoftBank said in its announcement. SoftBank isn’t short on money, of course — it is building up quite a portfolio of e-commerce investments across Asia — but its two partners bring know-how, strategy and global networks to the table. So, it looks like Pepper has eventual world domination plans. Or, at least, ...

Five budget-friendly open source storage servers

Storage is essential for the enterprise: Data must be stored. Data must be retrieved. Data must be shared. Data must be secured. At the same time, storage must not consume the entirety of your IT budget. Fortunately, you can find effective solutions in the world of open source. Outside of cost effectiveness, one of the biggest benefits of these solutions is the ability to modify them to perfectly fit your needs. You can make minor changes or even roll your own storage solution based on one of these tools. If you want enterprise support and a "solution in a can" that will meet just about any enterprise storage need, you should turn to Red Hat or SUSE. Both Linux-based companies offer some of the most powerful enterprise-ready tools on the market. But if you'd rather get your hands dirty and craft something of your own—something that won't demolish your budget—these five open source tools are a great place to start. 1: ownCloud ownCloud ( Figure ...

Visa confirms Coinbase wasn’t at fault for overcharging users

Yesterday, we wrote that Coinbase customers were being charged multiple times for past transactions. While some speculated that the erroneous withdraws were down to a Coinbase engineering issue, Coinbase issued a statement saying it wasn’t liable for the duplicate charges. The blame, instead, rested with Visa for the way it handled a migration of merchant categories for cryptocurrencies, Coinbase said. While you can read my post yesterday for an in-depth description of what happened, the basic gist is that Visa refunded and recharged (under a different merchant category) a month of old transactions. Many users saw the recharge come through before the refund processed, making it look like they were double charged. Honestly, the issue was likely exacerbated by existing payment rails — it’s normal for refunds to take multiple days to show up on credit and debit statements. But here’s where it gets weird — this morning Visa issued a statement to some publications shifting the blam...

Apple Releases First Battery Case To Eat Third-Party Accessory Makers’ Lunch

In a surprise move, Apple just announced an external battery case for the iPhone 6s. Named the  iPhone 6s Smart Battery Case , the battery extends the battery life of your iPhone 6s by up to 25 hours. The new accessory is available in black and white for $99 starting today. Let’s start with the design. Apple is using silicone as the main material like on its other cases. The company doesn’t disclose the capacity of the battery except that you’re supposed to get 18 to 25 hours of extra battery. Like third-party battery cases, Apple uses a Lightning male port at the bottom to plug your iPhone. You can charge the case using a traditional Lightning cable — most third-party batteries rely on a microUSB cable. Apple’s accessory also works with the iPhone 6 and it looks like there isn’t a 6 Plus and 6s Plus version. The Smart Battery Case features an unfortunate hump at the back. Mophie’s  Juice Pack  design is a bit sleeker compared to Apple’s official accessory. Apple...