SourceDNA notes that the unauthorized data gathering was surreptitious, so much so that most developers were probably in the dark about what was going on. The practice also escaped the attention of Apple, which screens all iOS apps before they're made available for download—indeed it prides itself on the safety and security of this curated approach.
Apple has removed more than 250 apps from its App Store for their use of a sketchy third-party advertising SDK (software development kit), which was in breach of the company's security and privacy guidelines. According to a report by Ars Technica, the kit collected a host of personally identifying information about users, and the matter was first flagged up by security analytics firm SourceDNA.
An official statement from Apple reads:
We've identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs [application programming interfaces] to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines. The apps using Youmi's SDK will be removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected.
Apple promises to help affected developers update their apps so that they're "safe for customers" and "in compliance with our guidelines"—though, of course, it can't let the apps remain live in the meantime. Most of the apps hail from China, as does Youmi, and the official Chinese language app for McDonald's restaurants is believed to be one of those involved.
"This is the first time we've found apps live in the App Store that are violating user privacy by pulling data from private APIs," SourceDNA's Nate Lawson told the tech blog. "This is actually an obfuscated toolkit for extracting as much private information as it can. It's definitely the kind of stuff that Apple should have caught."
For developers, the moral of the story is: Choose your SDKs and plugins wisely. As for Apple, the company might want to reassess and improve its app scanning procedures.
According to SourceDNA, the Youmi SDK was able to pull information that included a list of all the apps installed on the phone, the platform serial number of devices running older iOS versions, a list of individual hardware components inside devices running newer iOS versions, and the email address associated with the user's Apple ID. Around one million people are believed to have been at risk from this background data harvesting.
"Given how simple this obfuscation is and how long the apps have been available that have it, we're concerned other published apps may be using different, but related approaches to hide their malicious behavior," explains the SourceDNA team in a blog post. "We're continuing to add new features to our engine to discover anomalous behavior in app code."
The past few months haven't been very good for Apple as far as App Store security is concerned. In September, dozens of apps were found to contain malicious code that had the potential to steal sensitive user information—this time a modified compiler called XcodeGhost was to blame, and again developers may not have been any the wiser that the tools they were using were theoretically dangerous to users.
Apple's walled garden is known for being several notches safer than the
Google Play Store, but are cracks in its security gate beginning to
appear? Even Apple's engineers and scanning algorithms can be fooled, it
would seem, though a few hundred apps in 1.5 million isn't a bad
Meanwhile, earlier in October, a handful of iOS apps were booted out of the App Store for containing the ability to compromise encrypted connections. Although none of the apps were named by Apple, it seems in this case, the developers were at fault for overstepping the mark.
As for developers, sticking with trusted tools is the best way of avoiding getting caught up in an App Store security scandal.