- Thomson Reuters
Apple has removed “a number” of apps from its App Store that were capable of gathering personal information from iOS devices, the company said in a statement on Monday.
Apps that use a third-party advertising tool developed by Chinese mobile advertising company Youmi are capable of gathering private data about your iPhone, as the firm SourceDNA first discovered on Sunday.
This can include your iPhone’s serial number, the email address associated with your Apple ID, and a list of apps installed on your phone.
Here’s the statement from Apple on the situation:
We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines. The apps using Youmi’s SDK will be removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.
An SDK, or software development kit, is essentially a set of tools developers can use to create apps that work with a certain platform. So, any apps that use the SDK created by Youmi can obtain this type of private information about your iPhone.
Like a puzzle
Apple hasn’t said how many apps have been removed from the App Store so far, but SourceDNA’s findings on Sunday indicated that 256 iOS apps included Youmi’s code. This is known only to affect smaller apps that are commonly used in China and aren’t popular in other markets, SourceDNA founder Nate Lawson told Business Insider.
The way these apps have been able to gather information from your phone has evolved over the past year or so, Lawson said. At first, the code was only capable of allowing apps to see which apps were running on your phone in the foreground. It seems like Youmi has been experimenting with ways to gather data from phones for about a year and a half, according to Lawson, and that was the first step.
“Once [that] got past [Apple’s app review process], they started adding more and more,” Lawson said.
Apple has been vocal about protecting the privacy of its users, and the company is known to be strict about this when reviewing apps for publication in its store. This is why it’s somewhat surprising that this type of code has made its way into the App Store.
Youmi, however, has been able to stealthily add these tracking techniques to apps by obscuring its own code in a way that hides it from Apple and the developers behind these apps that use its SDK, according to Lawson.
“Think of it like a word search puzzle,” Lawson said. “You’ve got a lot of letters all jumbled up and words hidden inside.”
Youmi’s technique essentially randomizes these “letters” further to make it more difficult to find those “words.”
Apple made a security update in iOS 8 that blocks apps from seeing the serial number of iOS devices. Youmi works around this too by viewing the serial numbers of individual components in the iOS device rather than the iPhone or iPad itself. This could include a component such as the camera, according to Lawson.
“Since camera hardware is unique, it’s effectively a good enough hardware identifier,” Lawson said.
This comes after security researchers discovered that a malicious program called XcodeGhost had been embedded in hundreds of popular iOS apps at the end of last month.
We’ve reached out to Youmi and will update the post if we hear back.