An advertising SDK from China hides some intent until run-time, allowing iOS apps to collect user data. Apple is already looking to plug the hole in its walled garden.
At least 250 iOS apps have been discovered to collect personal data and the developers who programmed them may not even know.
While updating its Searchlight platform for developers over the weekend, SourceDNA discovered the issue. Apple responded to the situation with a statement, saying it has pulled the offending apps from its App Store:
“We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines. The apps using Youmi’s SDK have been removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected.”
What’s interesting here is how Youmi’s advertising SDK works around the use of private APIs and data collection, which is forbidden by Apple, and that fact that any developers using the SDK aren’t even aware of the issue.
Youmi’s SDK essentially hides the data collection intent by calling to APIs with strings of data that are created during run-time.
As a result, any App Store review wouldn’t likely catch the problem.
Based on its research, SoureDNA says apps using the SDK from Youmi can collect a list of installed applications as well as the Apple ID, or email address, registered on the iOS device. SecureDNA identified 256 infected apps, which it estimates were installed approximately one million times, with most of the apps built by developers in China.
This isn’t the first time Apple has faced a large-scale app privacy issue from China.
Last month saw XcodeGhost, a mirrored version of the official iOS and OS X app platform, that injected malware in iOS software. It appears that whatever walls Apple tries to build around its App Store garden, China wants to keep looking for cracks.
Apple’s FoundationDB open sources the database layer behind CloudKitJanuary 25, 2019