Apple Just Yanked Hundreds of Apps for Accessing Users’ Private Data
The SDK under examination comes from a Chinese advertising company, Youmi.
Just a month ago, the App Store was targeted by hackers who duped Chinese software developers into downloading a fake version of Apple’s tool for creating apps for the iPhone and iPad.
We’ve found hundreds of apps in the App Store that extract personally identifiable user information via private APIs that Apple has forbidden them from calling. “It’s definitely the kind of stuff that Apple should have caught”. This is a violation of our security and privacy guidelines.
We believe the developers of these apps aren’t aware of this since the SDK is delivered in binary form, obfuscated, and user info is uploaded to Youmi’s server, not the app’s. The apps in total received 1 million downloads. SourceDNA is concerned that there might be other cases of similar behavior, still undetected, already on the App Store. Your email address, for instance, acts as a gateway for multiple online accounts, including potentially your bank accounts.
China continues to present a few unusual challenges for Apple, which confirmed that it has removed apps that collected private user data such as email addresses and device identifiers.
Apple has verified the SourceDNA report and is now removing all the apps that included the advertising SDK. “We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly”. In turn, the malicious software uploads the data it steals to a private server. The list of affected apps includes a few of the most popular apps in China, including the ride-hailing app Didi Kuaidi and WeChat, which has roughly 500 million users. The App Store’s approval process has also reportedly been patched to prevent security breaches like this from reoccurring.
The data wasn’t all stolen in one fell swoop.
Youmi’s code retrieves the list of all the apps you have installed on your phone, the email associated with your Apple ID, the serial numbers of the peripherals inside your device, and, if you’re running an older version of iOS, the SDK can also retrieve the platform serial number of your device.
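The article says the SDK was shipped as an obfuscated binary and called private APIs that Apple forbids. One check an app developer or auditor can run before shipping a third-party SDK is a string-level scan of the binary for selector names on a deny-list, which is the kind of static check SourceDNA's reporting implies. The following is an added example, not code from the article, SourceDNA or Youmi; the article names no specific private selectors, so the deny-list entries are hypothetical placeholders, and the "binary" is a constructed byte string that mimics a NUL-separated method-name table rather than a real Mach-O file.

```python
"""Scan a binary blob for Objective-C selector strings on a deny-list.

Added example, not from the article. The deny-list names are hypothetical
placeholders (assumption): the article does not name the private selectors
Youmi's SDK called, so substitute the list your platform audit maintains.
"""
import re

# Hypothetical deny-list (assumption): stand-ins for private selectors that
# expose installed apps, the Apple ID email and the platform serial number.
DENY_LIST = {
    "hypotheticalInstalledAppsSelector",
    "hypotheticalAppleIdEmailSelector",
    "hypotheticalPlatformSerialSelector",
}


def extract_strings(blob: bytes, min_len: int = 4):
    """Yield (offset, text) for printable ASCII runs, like `strings -t d`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for match in pattern.finditer(blob):
        yield match.start(), match.group().decode("ascii")


def find_denied_selectors(blob: bytes, deny_list=DENY_LIST):
    """Return [(offset, selector), ...] for every printable run that matches
    a deny-listed selector, with or without the trailing ':' that keyword
    selectors carry in the method-name table."""
    hits = []
    for offset, text in extract_strings(blob):
        if text in deny_list or text.rstrip(":") in deny_list:
            hits.append((offset, text))
    return hits


def audit_report(blob: bytes, deny_list=DENY_LIST):
    """Summarise hits so a build step can fail when count > 0."""
    hits = find_denied_selectors(blob, deny_list)
    return {
        "count": len(hits),
        "flagged": [selector for _, selector in hits],
        "offsets": [offset for offset, _ in hits],
    }


def build_sample_binary() -> bytes:
    """Constructed sample: 16 NUL bytes of padding, then a NUL-separated
    method-name table mixing ordinary selectors with two deny-listed ones,
    then non-printable trailer bytes. Not a real Mach-O image."""
    names = [
        b"viewDidLoad",
        b"hypotheticalInstalledAppsSelector",
        b"setDelegate:",
        b"hypotheticalPlatformSerialSelector",
    ]
    return b"\x00" * 16 + b"\x00".join(names) + b"\x00" + b"\xff" * 8


if __name__ == "__main__":
    report = audit_report(build_sample_binary())
    for offset, selector in zip(report["offsets"], report["flagged"]):
        print(f"offset {offset}: denied selector {selector}")
    raise SystemExit(1 if report["count"] else 0)
```

On a real build the blob would be the SDK's static library or the linked app binary. The caveat the article itself points to: this only catches selectors that sit in the binary as plain strings. An obfuscated SDK that assembles selector names at runtime will pass this scan, so treat a clean result as one signal, not proof, and pair it with runtime inspection of what the SDK actually uploads.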