
As many as 256 iPhone, iPod touch and iPad applications in the App Store, a majority of them from Chinese developers, have been found to violate Apple’s privacy policy by gathering personal information such as email addresses, installed apps and even serial numbers, an analysis by security analytics startup SourceDNA has found.

In addition, the offending apps, which obviously slipped under the radar of Apple’s App Store review team, have been found to collect other personally identifying information that can be used to track users.

“We’ve found hundreds of apps in the App Store that extract personally identifiable user information via private APIs that Apple has forbidden them from calling,” cautions SourceDNA.

The discovery marks the first time SourceDNA has seen iOS apps successfully bypass Apple’s review process. These apps incorporate the Youmi advertising SDK from China to tap into private APIs.

The SDK then silently does the following:

  • Enumerate the list of installed apps or get the frontmost app name
  • Get the platform serial number
  • Enumerate devices and get serial numbers of peripherals
  • Get the user’s AppleID (email)

User info is uploaded to Youmi’s server, not the app developer’s.

Apple has provided the following statement:

We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines.

Again, the majority of offending apps are distributed through the Chinese App Store and one of them includes the official McDonald’s app for Chinese speakers.

Apple says it’s already removed these apps from sale:

The apps using Youmi’s SDK have been removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.

Apple prohibits developers from accessing its private APIs in iOS and has been locking them down since iOS 8. However, Youmi developers began experimenting two years ago with obfuscating a call to get the frontmost app name, and that build made it through Apple’s review process.

Youmi later used the same trick to hide calls to retrieve the advertising ID, which SourceDNA suspects they “may be using it for other purposes since they went to the trouble to obfuscate this.”

The latest version of the Youmi SDK (v5.3.0), published a month ago, still gathers all the above information. The 256 apps that use one of the versions of Youmi that violates user privacy have been downloaded a combined one million times.

Most of these apps are found on the Chinese App Store, and their developers are likely unaware that their software violates Apple’s privacy policy, since the SDK is delivered in binary form and obfuscated.

Source: SourceDNA via ArsTechnica

  • miras

    Ohh China…

  • Franklin Richards

    ffs China. It’s not that we don’t want to trust you guys it’s just that this keeps happening.

  • leart

    Switched store to make a purchase since my card is a debit card and works only on my country’s store; now I can’t go back to the USA one since NOW iTunes is requiring a valid payment method for the store you are trying to go to.
    Seriously, Apple? Now I can’t download half of my apps, even basic ones like Google apps and Flickr and who knows what more.. can’t purchase even a fu**** ringtone..
    Holy crap, I really love Apple devices but this has gone too far..
    Thank god I didn’t purchase my next device yet,,,, looks like I’m going to get a Nexus this time,, FREEEEEDOM!!

    • leart

      this is insane..

      • osm70

        Make a Canadian account?

      • leart

        Don’t have a valid payment method for that country. It’s the same for every store.

      • e1ghtSpace

        I’m pretty sure if you sign out of your id, and switch to the US store, you can try to buy a free app (and it must be free) then create a new account and choose “none” as payment option.

      • leart

        Can’t create a new account, I have already purchased tons of paid apps, I’m using my ID from early 2012.
        Some time ago it was possible to switch between stores and to go back; I was able to purchase paid apps from my country’s store and go back without a credit card to the USA one,, now it requires you to provide a valid method for the country store you are entering.. my card is valid only for my country’s store, so I’m stuck here without seeing tons of apps..

    • @dongiuj

      Saying negative things about Apple?! Never thought I’d see the day!

      • leart

        I’m really mad, can’t go back to the USA store without providing a valid method for the USA store, my card works only with my country’s store, but in that store I’m not able to purchase even a ringtone, iTunes won’t let me,,,, and tons of apps are not available here…
        Some weeks ago it was possible to switch stores without providing a payment method, now it is not, I’m stuck.

      • @dongiuj

        I don’t know what to suggest about that. Never really felt a serious issue with it. Would be nice though if everything was available to the whole world instead of restricting people.

      • leart

        I never had issues too, just recently can’t change store without providing a valid method of payment, to any store, not just the USA one..
        bo

  • Bugs Bunnay

    Some very strict screening huh?

  • iByron

    I just don’t buy any apps from Chinese or Russian developers (and if I’m not sure, I assume they are) for just this reason. If their governments don’t seem to care about IP and privacy, there’s no incentive for their businesses to do so either.

    Maybe I’m missing out on that one perfect app that will change my life for the better forever, but I’ll take that risk.

  • RubbaNeck

    This is why Pangu is a hard pill to swallow. Always a what if.

  • Mr_Coldharbour

    Correct me if I’m wrong, but doesn’t Apple thoroughly inspect any app for approval before it is even released to the masses? So how are these apps, as many as 256 (as per this article), getting through these stringent checks that Apple has put in place? I really would like to know.

    • Chris Wagers

      I’m wondering if apple’s inspections really are thorough or not. Seems to me they just say that so developers are afraid of getting caught so they don’t submit them. These Chinese that submit these malicious apps just don’t give a crap though and as we see they don’t have trouble getting them by. I wonder how many bad apps haven’t been caught?

      I’m also glad there are companies like SourceDNA that double-check these apps.

      • Mr_Coldharbour

        I’m inclined to agree with you. I even wonder if there are any checks at all! So much for (almost) airtight security.

  • @dongiuj

    Where can apple’s consumers find the list of affected apps sharing our personal information in this article?

  • n0ahcruz3

    One of the reasons I stopped jailbreaking my phone. And I don’t download apps from Chinese developers.