Apple Removes Over 250 iOS Apps With Ad SDK That Collects Personal User Data

by

SourceDNA, an analytics service that tracks iOS and Android code, has discovered hundreds of iOS apps that collect personally identifiable user information, including Apple ID email addresses and device identifiers, through a Chinese third-party advertising SDK called Youmi that is prohibited by App Store guidelines.

App-Store-About
The analytics firm, using its new developer tool Searchlight, found 256 affected apps, with an estimated 1 million total downloads, using one of the versions of Youmi in violation of user privacy. Its report claims most of the developers who used the SDK are located in China, and that many were likely unaware of the threat since the tool kit is delivered in binary form and obfuscated.

Ars Technica explained in more detail about the information gathered "gradually over the past year or so" by apps using Youmi:

SourceDNA researchers found four major classes of information gathered by apps that use the Youmi ad SDK. They include:

1. A list of all apps installed on the phone
2. The platform serial number of iPhones or iPads themselves when they run older versions of iOS
3. A list of hardware components on devices running newer versions of iOS and the serial numbers of these components, and
4. The e-mail address associated with the user’s Apple ID

The personal info is reportedly gathered via private APIs and then routed through Youmi's servers in China.

Apple released a statement saying it will remove apps with Youmi from the App Store, and reject future submissions using the SDK:

“We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines. The apps using Youmi’s SDK have been removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.”

SourceDNA sent a full list of affected apps to Apple, including the official McDonald's app in China, but did not share it publicly. Developers can check if their apps are affected using the analytics firm's Searchlight tool.

This discovery comes weeks after iOS malware XcodeGhost was disclosed, which arose from a malicious version of Xcode, Apple's official tool for developing iOS and OS X apps. Apple also patched YiSpecter malware in iOS 8.4.

Tags: App Store, China, SDK, SourceDNA, Youmi

Top Rated Comments

jettredmont Avatar
jettredmont
111 months ago
through a Chinese third-party advertising SDK called Youmi ('https://www.youmi.net/')
So, another issue with wide swathes of apps from China. Not to be nationalist over this, but it seems there is a clear disease running through China putting its product on par with former-Soviet countries in terms of general trustability. The fact that this private information is being sent through the Great Firewall of China and not being hindered by that at all seems significant (Chinese developers complain that it is too slow to download Xcode across that firewall, but sending all this data from millions of phones and devices around the world to their servers over the same firewall is business as usual?)

"Something is rotten in the state of Denmark" seems an understatement.

I trust any corporation about as far as I can throw them, but it seems those residing in China give even less of a pause before assuming that anything they can grab is fair game.

When will apps start displaying "Designed and developed in the USA" badges?
Score: 20 Votes (Like | Disagree)
doboy Avatar
doboy
111 months ago
These apps should be banned, but doesn't sound too serious. Google likely collects more data ;)
Score: 17 Votes (Like | Disagree)
asmartkid82 Avatar
asmartkid82
111 months ago
I think the real question is: How many apps (and how long) have been making use of private APIs using similar techniques? How many apps do we have in our devices that have bypassed App Store validation using similar procedures? And I assure you, as a developer, that this is not a difficult thing to do at all…
Score: 13 Votes (Like | Disagree)
Benjamin Frost Avatar
Benjamin Frost
111 months ago
Good to see apps taking personal data being removed.

Presumably FaceBook and Google will be next on the list.
Score: 11 Votes (Like | Disagree)
Rigby Avatar
Rigby
111 months ago
How did these get approved in the first place? It seems something like this should be pretty easy to detect by Apple.
It isn't. In Objective C it's possible to construct API calls at runtime, so there's no easy way to discover them using static code analysis. And you can implement various methods to try and avoid making the calls while the app is in the review process.
Score: 7 Votes (Like | Disagree)
2457282 Avatar
2457282
111 months ago
Why does Apple allow these private APIs to begin with? Is it not something they can disable to avoid this problem in the future? I mean the reality is that you do not need the SDK to leverage the APIs. If you are an app developer you could write code to leverage them directly. How is Apple monitoring for this?
Score: 7 Votes (Like | Disagree)
Read All Comments

Popular Stories

Delta Feature

Delta Game Emulator Now Available From App Store on iPhone

Wednesday April 17, 2024 9:58 am PDT by
Game emulator apps have come and gone since Apple announced App Store support for them on April 5, but now popular game emulator Delta from developer Riley Testut is available for download. Testut is known as the developer behind GBA4iOS, an open-source emulator that was available for a brief time more than a decade ago. GBA4iOS led to Delta, an emulator that has been available outside of...
Read Full Article169 comments
iOS NES Emulator Bimmy Feature

NES Emulator for iPhone and iPad Now Available on App Store [Removed]

Tuesday April 16, 2024 11:33 am PDT by
The first approved Nintendo Entertainment System (NES) emulator for the iPhone and iPad was made available on the App Store today following Apple's rule change. The emulator is called Bimmy, and it was developed by Tom Salvo. On the App Store, Bimmy is described as a tool for testing and playing public domain/"homebrew" games created for the NES, but the app allows you to load ROMs for any...
Read Full Article229 comments
iPhone 15 Pro Action Button Translate

All iPhone 16 Models to Feature Action Button, But Usefulness Debated

Tuesday April 16, 2024 6:54 am PDT by
Last September, Apple's iPhone 15 Pro models debuted with a new customizable Action button, offering faster access to a handful of functions, as well as the ability to assign Shortcuts. Apple is poised to include the feature on all upcoming iPhone 16 models, so we asked iPhone 15 Pro users what their experience has been with the additional button so far. The Action button replaces the switch ...
Read Full Article104 comments
maxresdefault

Hands-On With the New App Store Delta Game Emulator

Wednesday April 17, 2024 12:19 pm PDT by
A decade ago, developer Riley Testut released the GBA4iOS emulator for iOS, and since it was against the rules at the time, Apple put a stop to downloads. Emulators have been a violation of the App Store rules for years, but that changed on April 5 when Apple suddenly reversed course and said that it was allowing retro game emulators on the App Store. Subscribe to the MacRumors YouTube channel ...
Read Full Article211 comments
iOS 18 Siri Integrated Feature

iOS 18 Will Add These New Features to Your iPhone

Friday April 12, 2024 11:11 am PDT by
iOS 18 is expected to be the "biggest" update in the iPhone's history. Below, we recap rumored features and changes for the iPhone. iOS 18 is rumored to include new generative AI features for Siri and many apps, and Apple plans to add RCS support to the Messages app for an improved texting experience between iPhones and Android devices. The update is also expected to introduce a more...
Read Full Article