Apple has confirmed it removed more than 200 apps from the Apple App Store after researchers stumbled upon nefarious code that allows these apps to collect users' private information.

Analytics service SourceDNA has discovered that a total of 256 apps with an estimated 1 million total downloads for the iPhone, iPad and iPod touch were gathering user information using a private API, which is prohibited by Apple's app security guidelines. Specifically, the apps extracted data about the entire list of apps on a user's device, serial numbers of the devices and their peripherals, and users' email addresses associated with their Apple ID.

The app developers themselves appear to be innocent. As SourceDNA explains, all affected apps carry an SDK distributed by Chinese mobile advertising service Youmi, which is intended to track clicks on ads placed on the apps. However, unbeknownst to the developers, Youmi also uses its SDK to siphon off private user data and send it straight to its servers.

"We've identified a group of apps that are using a third-party advertising SDK developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as email addresses and device identifiers, and route data to its company server," Apple says in a statement. "This is a violation of our security and privacy guidelines. The apps using Youmi's SDK have been removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected."

Apple says it is also working with the developers to update their apps and remove the nefarious SDK in order to comply with Apple's guidelines and get their apps back live.

For now, the affected apps appear to be largely isolated in China, so the majority of U.S. users shouldn't have to worry about their favorite apps being pulled from the App Store. However, SourceDNA says the length of time during which the apps were collecting data and the relatively simple obfuscation technique Youmi used to stay under Apple's radar raise concerns about whether other apps carry similar lines of intrusive code.

In 2013, Youmi began experimenting with obfuscating an API call to collect information about which app was currently being used. SourceDNA believes Youmi expanded its reach over time as it became more confident that it could pluck data from users' devices without being noticed.

"Given how simple this obfuscation is and how long the apps have been available that have it, we're concerned other published apps may be using different but related approaches to hide their malicious behavior," says SourceDNA.

The data collection was discovered during SourceDNA's update of its Searchlight engine to check for private APIs, which are banned from the App Store. SourceDNA says it will add features to Searchlight to find out if other apps have similar code inserted into them.

Meanwhile, Youmi has apologized for its intrusive advertising SDK, offering its "sincere apologies" following Apple's removal of the apps.

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.