Hundreds of iOS apps caught taking user data from private APIs

Security firm SourceDNA claims to have discovered hundreds of App Store apps that violate Apple’s privacy policies by accessing private user information. Apps using the Youmi advertising SDK were found to be accessing users’ Apple IDs, gathering a list of apps installed on devices and documenting the serial numbers of peripherals, among other privacy invasions. Youmi’s SDK skirted Apple’s review process by hiding its data collection processes within binary code sent out to developers over the last two years, leaving even app developers themselves unaware of the data that was being collected and sent back directly to Youmi. After Apple started blocking apps from reading platform serial numbers in iOS 8, Youmi started collecting information on individual device components, like the battery system, and used those to identify individual devices.
Apple has responded by pulling all apps using Youmi’s SDK and plans to reject any future app submissions found to be using it. As for the 256 documented apps that used Youmi’s SDK, Apple said it is “working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.” While a full list of affected apps isn’t available, most of the developers using the Youmi SDK are based in China. Affected apps have been downloaded an estimated 1 million times. [via Ars Technica]
