Apple has identified and removed more than 250 apps from its App Store that were secretly accessing and storing users’ personal information. These apps made use of software from a Chinese advertising company.
Are developers involved?
SourceDNA, the mobile security company, said that app makers received a software development kit (SDK) from a firm called Youmi that covertly accessed users’ downloaded apps, email addresses and the serial numbers of their smartphones. The apps violating Apple’s security and privacy guidelines were downloaded 1 million times.
It is possible that the app makers that made use of Youmi’s SDK were not aware that they were violating Apple’s security and privacy policies. “We believe the developers of these apps aren’t aware of this since the SDK is delivered in binary form, obfuscated, and user info is uploaded to Youmi’s server, not the app’s. We recommend developers stop using this SDK until this code is removed,” read a blog post from SourceDNA.
It is not yet clear how Youmi’s SDK failed to raise flags at Apple. According to SourceDNA, the ad company might have been trying for years to tap into iOS’ restricted application programming interfaces (APIs) and finding ways to gain access to information available only to Apple.
Apple has taken required precautions
SourceDNA was updating its own product called Searchlight, which inspects apps for security and privacy violations, when it discovered Youmi’s SDK. The instance is isolated, but it can have broader implications for Apple. SourceDNA’s full list of affected apps sent to Apple included McDonald’s official app in China. The list was not shared publicly.
Apple told The Verge that it has removed all the apps that relied on that SDK and is working with developers to ensure that their software is in compliance with App Store guidelines. Developers can use SourceDNA’s Searchlight tool to check if their apps are affected.
This incident comes weeks after the discovery of the iOS malware XcodeGhost. XcodeGhost came from a malicious version of Xcode, which is Apple’s official tool for developing iOS and OS X apps. Previously, Apple also fixed the YiSpecter malware in iOS 8.4.
On Monday, Apple shares closed up 0.62% at $111.73. Year to date, the stock is down by almost 1%, while in the last three months, the stock is down by almost 14%.