Over 250 Apple Apps Found To Be Collecting Personal Information

Apple is known for its strict review policies when it comes to vetting apps that go on its App Store, but it appears some have slipped through the cracks. Several hundred apps on the App Store have been found to be collecting personal information from users through private APIs.

The problem was first discovered by SourceDNA, an analytics service company. Around 256 apps, which have accrued an estimated one million downloads, were collecting data from the devices they were installed on, including the device serial number, the list of apps installed on the device and the user’s Apple ID.

The offending apps were using code from a third-party software development kit (SDK) for the Chinese advertising platform Youmi. SourceDNA said it’s likely the developers themselves were unaware of this issue, given that the SDK is delivered in binary form and user information is uploaded directly to Youmi’s server.

Now, one million downloads for over 250 apps isn’t a lot, and most of the apps in question were installed in China, but it is particularly concerning that this was allowed to happen in the first place given Apple’s tough app review guidelines. SourceDNA noted the ease with which the SDK was able to collect the information surreptitiously.

Apple has since removed the dodgy apps and released the following statement:

“We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines. The apps using Youmi’s SDK will be removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.”

If you are a developer who has been using the Youmi SDK, SourceDNA recommends that you stop using the SDK until the code that collects users’ personal data is removed.

    I'm surprised the App Store allows an app that uses a private API like that to be available; surely they can easily get a list of APIs used by the app and match them against a blacklist.

