Apple yanks 250 iOS data-harvesting apps from App Store
Apps using Chinese advertising SDK collected email addresses and hardware serial numbers
Apple has pulled more than 250 iOS apps from the App Store after they were found to steal users' data.
A software development kit (SDK) known as Youmi, a Chinese codebase designed for advertising purposes, was found in hundreds of apps and gathered iPhone users' details, including their Apple IDs and emails, their installed apps, and their hardware serial numbers.
Apple stated that it had pulled Youmi-using apps on Monday, after a report by security firm SourceDNA exposed the flaw, but did not provide a list of which apps were taken down.
However, the apps using the SDK were predominantly Chinese-made, with most of the developers unaware that Youmi was mining user data.
Youmi managed to take the data by calling private APIs, a practice which Apple has banned for this reason.
"This is a violation of our security and privacy guidelines," a statement from Apple read. "The apps using Youmi's SDK will be removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected.
"We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly."
Interestingly, however, SourceDNA said that "this is the first time we've seen iOS apps successfully bypass the app review process".
The news also comes hot on the heels of the discovery of the XcodeGhost malware, which marked the first notable instance of infected iOS apps.
"Developers need to be aware that when they install an SDK in their app, they're responsible for how it affects their users," SourceDNA said.
Adam Shepherd has been a technology journalist since 2015, covering everything from cloud storage and security, to smartphones and servers. Over the course of his career, he’s seen the spread of 5G, the growing ubiquity of wireless devices, and the start of the connected revolution. He’s also been to more trade shows and technology conferences than he cares to count.