Hundreds Of Apps Banned From App Store For Accessing Users’ Personal Information

Hundreds of iOS applications have been pulled out of the App Store, following a report from analytics service SourceDNA, which uncovered a group of applications that were extracting users’ personally identifiable information, including email addresses associated with their Apple IDs, devices and peripheral serial numbers, as well as a list of apps installed on their phone. The applications in question had been using an SDK from a Chinese advertising company called Youmi which was accessing this information by way of private APIs, the report found.

Nearly all of the developers were located in China so, for now, this appears to be an isolated incident. However, the larger concern here has to do with how long this activity had been taking place – and what that means in terms of Apple’s App Store review process, given that it hadn’t caught this suspect activity until being alerted to it by a third party.

According to SourceDNA, Youmi had apparently been experimenting with what sort of information it could pull from users’ devices for some time. Nearly two years ago, for example, the firm began obfuscating a call to get the frontmost (currently running) app’s name – seemingly a small test of what it could sneak into the App Store. And when it realized that it was able to get this through Apple’s App Review process, it then began to use the same obfuscation technique to request other data, including the advertising ID.

The ad ID can be accessed for tracking ad clicks, but given that Youmi was surreptitiously collecting it, the firm may have been using it for other purposes, the report speculates.

In addition, SourceDNA noted that while Apple had been locking down private APIs in order to prevent apps from reading the platform serial number in iOS 8, Youmi worked around this by enumerating peripheral devices, like the battery system. It would then send those serial numbers as the hardware identifier.

SourceDNA, which helps app developers improve their code and address security flaws, says it found what Youmi was up to when it was updating its Searchlight product to check for use of private APIs – something that should get developers’ apps banned from the App Store. Surprisingly, it actually found quite a few apps that had gotten through.

In total, SourceDNA came across 256 apps with an estimated total of 1 million downloads that had been using a version of the Youmi SDK that was violating user privacy. However, the company adds it’s possible that the developers themselves didn’t realize what the SDK was doing, as the user data is uploaded to Youmi’s server.

What’s more concerning here is the implication of SourceDNA’s findings. The obfuscation method is fairly simple, the company says, and the apps have been using it for a long period of time. In fact, SourceDNA’s founder Nate Lawson tells us this has been going on for about a year-and-a-half.

“We’re concerned other published apps may be using different but related approaches to hide their malicious behavior,” a SourceDNA blog post states. “We’re continuing to add new features to our engine to discover anomalous behavior in app code and find out if this is the case.”

SourceDNA submitted its report to Apple, and Apple replied by offering the company a statement (see below) indicating the apps in question had been banned. Apple says it’s now working with developers who were using Youmi’s SDK to get their apps updated to be in compliance with Apple’s guidelines so they can return to the App Store.

Apple’s statement:

“We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines. The apps using Youmi’s SDK have been removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.”

Comments

Square’s New Apple Pay And Chip Card Reader Available To Pre-Order

Shortly after going public, Square announced that its new card reader is now available to pre-order on its website for $49. The new reader will ship in early 2016. It’s been a slow roll-out for the company’s new reader as Square first teased it at Apple’s WWDC in June. Compared to the good old Square reader that you put in your headphone jack, this one packs a few new features. First, it supports Apple Pay, and potentially other contactless payment systems. It has an NFC chip and a tokenization system for secure contactless payments. Second, the new bigger design comes with a new slot for chip cards in case you can’t pay with your phone. Finally, it’s a wireless reader that connects to your phone or tablet using Bluetooth. It has a small built-in battery and you can recharge it with a standard microUSB port. According to Square’s website , 100 retailers are already using the new reader. But the company has yet to ship the new rea...

Report: Amazon Is Building An App To Let Normal People Deliver Packages For Pay

Amazon is apparently enlisting everyday humans in its network of endless online shopping delivery. The WSJ reports that the ecommerce giant is working on an app internally that would allow the average consumer to make a little cash by picking up Amazon packages at various retail locations and dropping them off at their final destination. WSJ’s sources did not have a timeline for the release of this product, internally called ‘On My Way,’ and were unsure whether it would launch at all. Amazon has spent years not only iterating the way it tailors your online shopping experience — the mega retailer has one of the best suggestion engines in the business — but also the way that it gets you your products with speed and convenience. Besides the standard shipping (or two-day for Prime members), Amazon has fiddled with the idea of letting Uber drivers and yellow cabs deliver products same-day, as well as using bike messengers and third-party delivery services for Prime N...

The data center of the (near) future

Tight budgets and explosive data growth call for creative thinking on how and where to build data centers: http://dell.to/1tv4FsL #datacenter #modulardatacenter #floatingdatacenter http://techpageone.dell.com/technology/the-data-center-of-the-near-future/?dgc=SM&cid=75909&lid=5342172#.U_6lTvldXfJ

The EHang 184 Is A Human-Sized Drone Taking Off At CES

We’ve seen some pretty cool stuff on day 1 of CES 2016, but probably nothing more eye-catching than the EHang 184, a human-sized drone built by the Chinese UAV company EHang . Yes you heard right — a giant autonomous drone that fits a human. It’s basically what you would expect to see if someone shrunk you down to the size of a LEGO and stuck you next to a DJI Inspire. Except no one was shrunk, and the giant flying machine was sitting smack in the middle of the CES drone section. EHang, which was founded in 2014 and has raised about $50M in venture fundingto date, was pretty gung-ho about telling everyone at CES that the 184 was the future of personal transport. And for the most part, people were too in awe to question them. But the reality is that the company probably was using the 184 as more of a marketing tool for their standard-sized drones like the Ghost . Not that we’re saying that the 184 will never be a real thing, just that it probably isn’t co...

Windows 10 build 10136 screenshots posted by Windows Insider chief

We are used to seeing leaked screenshots of unreleased Windows 10 builds coming from third parties. However, it’s rare when a member of the Windows team does it himself. Today, Gabriel Aul, the head of the Windows Insider program, did just that on his Twitter account with two screenshots showing Windows 10 build 10136. Currently, Microsoft has build 10130 available for the over 4 million Windows Insider members to check out. There’s not a lot that’s new in these two new images, although the system tray arrow and File Explorer icons have both been updated. One of the images also shows that Word 95 can indeed run inside Windows 10. Microsoft has already announced that Windows 10 will officially launch, or more accurately come out of its preview stage, on July 29. Earlier today at Computex 2015, the company announced there will be about 300 products running the operating system by the time it debuts. Via: Windows Central , Gabriel Aul

Exciting Technology

Search This Blog