Apple keeps cracking down on applications in its App Store that do not adhere to the company’s rules. SourceDNA recently published a report describing a specific group of mobile apps extracting user-identifiable information. The details being extracted include Apple ID email addresses, peripheral serial numbers, and a full list of all installed applications on the device.
All of these removed applications share one major similarity: they were all developed using Youmi’s SDK. Youmi is a Chinese advertising company, which created an SDK for aspiring Apple App Store developers. All of the information on users’ devices was accessed through private APIs, embedded in each and every removed application.
Furthermore, nearly all of the developers using the Youmi SDK were based in China, which seems to indicate this is an isolated incident. The main question remains how long these apps have been available in Apple’s App Store, and why the problem hadn’t been discovered sooner. Additionally, it took a report by a third party for Apple to remove these apps, as they all slipped through the company’s app review process.
Truth be told, Youmi’s private APIs were built in a clever manner. Apple has been shutting down private APIs to prevent personal user information from being accessed. Youmi has, after some trial and error, managed to enumerate peripheral devices, including the battery system. Due to the nature of these peripherals, serial numbers are used as hardware identifiers.
A total of 256 apps accessing sensitive user information have been identified on the Apple App Store by SourceDNA, which together account for over 1 million downloads. While it remains possible that the individual developers using Youmi’s SDK had no idea of what was going on, an investigation has been launched by Apple to get to the bottom of this.
Apple reached out to SourceDNA, and published the following:
“We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines. The apps using Youmi’s SDK have been removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.”
It is rather worrying to see an advertising company deliberately using private APIs to collect consumer data from mobile devices. Even though exact details on the retrieved information are not available yet, this could have been a ploy to identify mobile Bitcoin users in China. After all, most of the Bitcoin trading volume is coming from China, and the government is not too keen on digital currency.
What is even more worrying is what Youmi was planning to do with the information it collected from unsuspecting users. Selling email addresses to other advertisers based on the applications installed on users’ Apple devices is one option. Regardless of what the company’s intention was, Apple really needs to step up its app review process, as incidents like this should never be allowed to occur.
What are your thoughts on the removal of these 250+ applications from the Apple App Store? What did Youmi intend to do with this data?
All rights reserved by Bitcoinist Ltd. | 2016.