Apple Removes More Than 250 Data-Harvesting Apps

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDnet and other leading publications.

256 privacy-violating apps are the latest to have made it through Apple’s strict security checks

Apple has said it has taken down more than 200 apps from its App Store that were found to be using forbidden calls to access and store personal user information, such as device ID numbers and Apple IDs.

The 256 apps, which weren’t identified, used a software development kit (SDK) from Chinese mobile advertising provider Youmi to transfer the data to Youmi’s servers, in violation of Apple’s privacy and security rules, the company said.


SDK banned

“The apps using Youmi’s SDK have been removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected,” Apple said in a statement, adding that it is working with the apps’ developers to reinstate the software once it no longer includes the SDK in question.

The apps have been downloaded by an estimated one million users, according to SourceDNA, the firm that initially spotted the violation.

Applications accessing such information would normally be rejected from the App Store, but Youmi’s SDK found a way to get around Apple’s checks by accessing the identity data of peripherals such as the battery system, SourceDNA said in a report published over the weekend.

SourceDNA, which provides app-screening services for developers, said it is unlikely that the app developers involved were aware of Youmi’s illicit data-gathering activities, since they have no access to the SDK’s inner workings, and the data in question is delivered directly to Youmi.

Security bypass

The company said it was the first time it had found apps successfully bypassing the App Store verification process. However, the firm noted that the techniques used to get around Apple’s checks were simple to spot, and that some of the affected apps have been in the App Store for almost two years.

“We’re concerned other published apps may be using different but related approaches to hide their malicious behaviour,” SourceDNA said in its advisory.

Youmi’s SDK began accessing private information almost two years ago, and its most recent version, 5.3.0, published a month ago, still gathers it, SourceDNA said.

Earlier this month Apple removed several ad-blocking apps that allowed remote monitoring of private user information such as network data, while in September it removed more than two dozen Chinese apps infected with malware. Those apps used a malicious version of Xcode, Apple’s own iOS programming tool.

Before September’s incident, only five malware-infected apps were known to have made it through the App Store screening process, according to Palo Alto Networks. By contrast, Google Play is frequently found to contain malicious apps.
