One of the advantages of using the Apple App Store over any other app store is that Apple is supposed to tightly control everything so that users don’t have the sort of security issues that are often found on
Android competing platforms. That theory was shot out of the sky when it was found that 250 or so apps had APIs that harvested user data:
We found four main groups of private APIs these apps are calling:
- Enumerate the list of installed apps or get the frontmost app name
- Get the platform serial number
- Enumerate devices and get serial numbers of peripherals
- Get the user’s AppleID (email)
Since we also identify SDKs by their binary signatures, we noticed that these functions were all part of a common codebase, the Youmi advertising SDK from China.
Lovely. Apple was quick to respond to this:
“We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines. The apps using Youmi’s SDK will be removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.”
That’s great, but they should not have made it onto the App Store in the first place. Apple really needs to look at their processes to stop something like this from happening again.
As for Youmi who is the group behind these APIs, they had this to say:
The advertising company, closely held Guangzhou Youmi Mobile Technology Co., said in a statement posted Tuesday on its website that it offered “sincere apologies” after Apple said it had removed offerings from the App Store that were found to be collecting and extracting email addresses, device identification and other private information.
You’ll excuse me if I don’t exactly feel warm and fuzzy after that apology.
One has to wonder how many more apps on the App Store have something like this embedded in them? Or worse?