Hundreds of iOS applications have been banned from the App Store. This was as a result of reports sourced from analytics service SourceDNA, which brought about the revelation that a cluster of applications had been in the seeming hideous practice of extracting the personal identifiable information of users as well as email addresses which are related to their Apple IDs, devices and peripheral serial numbers, alongside a collection of apps installed on the phone of the victims. The applications which are referred to here has been making use of an SDK which was gotten from a Chinese advertising company with the name Youmi, the a latter which was getting access to the said private data of users by means of private APIs, the report found.
Most of the developers had their location in China so, as such, this looks well to be to be an isolated event. Looking further, the bigger source of worry here is well connected to how long this activity has been occurring taking note of the fact that it had not come into notice prior to being detected by a third party.
Going by information from SourceDNA, Youmi had from the looks of things been carrying such ridiculous experiment as to the kind of information it could extract from users’ devices for some time now. For almost two years ago, for instance, the firm had commenced a call to mystify the frontmost (at present running) app’s name – which could be said to be a small test of what it could illegally smuggle into the App Store. And when it came to the reality that it could really smuggle this through Apple’s App Review process, Youmi at once started the use of same techniques to obfuscate and as well demand other data which well included advertising ID of users.
Access could be gotten to the ad ID for tracking ad clicks, but considering the fact that Youmi had been hideously sourcing it, possibly for several p other purposes, the report raises in speculation.
SourceDNA, which helps app developers improve their code and address security flaws, says it found what Youmi was up to when it was updating its Searchlight product to check for use of private APIs – something that should get developers’ apps banned from the App Store. Surprisingly, it actually found quite a few apps that had gotten through.
To add yo this, SourceDNA indicated that while Apple had been vigorously engaged in the process of locking down private APIs, this done so as to avoid the situation of apps getting information of the platform serial number in iOS 8, Youmi had made its way around this by enumerating peripheral devices, like the battery system. From there, it would then send those serial numbers as the hardware identifier.
SourceDNA, a company renowned for assisting app developers add to the quality of their code and make resolutions to troubling security flaws, announced it found what Youmi’s untidy skirmishes were about by the time it was updating its Searchlight product to look for the use of private APIs – something which if proven has the capacity to get developers’ apps banned from the App Store. Much to its surprise, it really discovered that just a handful of apps had scathed through.
Cumulatively , SourceDNA had gotten in touch with 256 apps with an estimate of a total of 1 million downloads which have been making use of a version of the Youmi SDK indicted of compromising privacy of users. On the other hand, the company also puts in that it is a realistic possibility that the developers themselves didn’t even notice what the SDK had been responsible for, as the Youmi’s server gets updated with data of users.
What is a larger reason to worry here is what could be derived from SourceDNA’s findings. The obfuscation technique used by Youmi is pretty easy to go about the company reveals, and the apps have so employed its use for am extended span of time. In fine details, SourceDNA’s founder Nate Lawson reveals to us this has had its occurrence spanning almost a year-and-a-half now!
“We’re concerned other published apps may be using different but related approaches to hide their malicious behavior,” a SourceDNA blog post states. “We’re continuing to add new features to our engine to discover anomalous behavior in app code and find out if this is the case.”
SourceDNA delivered its findings Apple, and Apple had made a consequent reply by giving the company a statement showing that the apps in question have been pulled out from App Store. Apple says it is partnering with developers who making use of Youmi’s SDK to possibly get their apps updated so that they correspond with Apple’s guidelines probably helping them them get restored to the App Store.
Apple’s official statement
“We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines. The apps using Youmi’s SDK have been removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.”