New in OS X: Get MacRumors Push Notifications on your Mac

Resubscribe Now Close

Apple Removes Over 250 iOS Apps With Ad SDK That Collects Personal User Data

SourceDNA, an analytics service that tracks iOS and Android code, has discovered hundreds of iOS apps that collect personally identifiable user information, including Apple ID email addresses and device identifiers, through a Chinese third-party advertising SDK called Youmi that is prohibited by App Store guidelines.

The analytics firm, using its new developer tool Searchlight, found 256 affected apps, with an estimated 1 million total downloads, using one of the versions of Youmi in violation of user privacy. Its report claims most of the developers who used the SDK are located in China, and that many were likely unaware of the threat since the tool kit is delivered in binary form and obfuscated.

Ars Technica explained in more detail about the information gathered "gradually over the past year or so" by apps using Youmi:
SourceDNA researchers found four major classes of information gathered by apps that use the Youmi ad SDK. They include:

1. A list of all apps installed on the phone
2. The platform serial number of iPhones or iPads themselves when they run older versions of iOS
3. A list of hardware components on devices running newer versions of iOS and the serial numbers of these components, and
4. The e-mail address associated with the user’s Apple ID
The personal info is reportedly gathered via private APIs and then routed through Youmi's servers in China.

Apple released a statement saying it will remove apps with Youmi from the App Store, and reject future submissions using the SDK:
“We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines. The apps using Youmi’s SDK have been removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.”
SourceDNA sent a full list of affected apps to Apple, including the official McDonald's app in China, but did not share it publicly. Developers can check if their apps are affected using the analytics firm's Searchlight tool.

This discovery comes weeks after iOS malware XcodeGhost was disclosed, which arose from a malicious version of Xcode, Apple's official tool for developing iOS and OS X apps. Apple also patched YiSpecter malware in iOS 8.4.

Top Rated Comments

(View all)

41 months ago

through a Chinese third-party advertising SDK called Youmi ('')

So, another issue with wide swathes of apps from China. Not to be nationalist over this, but it seems there is a clear disease running through China putting its product on par with former-Soviet countries in terms of general trustability. The fact that this private information is being sent through the Great Firewall of China and not being hindered by that at all seems significant (Chinese developers complain that it is too slow to download Xcode across that firewall, but sending all this data from millions of phones and devices around the world to their servers over the same firewall is business as usual?)

"Something is rotten in the state of Denmark" seems an understatement.

I trust any corporation about as far as I can throw them, but it seems those residing in China give even less of a pause before assuming that anything they can grab is fair game.

When will apps start displaying "Designed and developed in the USA" badges?
Rating: 20 Votes
41 months ago
These apps should be banned, but doesn't sound too serious. Google likely collects more data ;)
Rating: 17 Votes
41 months ago
I think the real question is: How many apps (and how long) have been making use of private APIs using similar techniques? How many apps do we have in our devices that have bypassed App Store validation using similar procedures? And I assure you, as a developer, that this is not a difficult thing to do at all…
Rating: 13 Votes
41 months ago
Good to see apps taking personal data being removed.

Presumably FaceBook and Google will be next on the list.
Rating: 11 Votes
41 months ago
Apple has joined he big boys club in having to deal with dodgy apps.

I suspect these stories will be more and more common.

Due to unpopularity , Windows phone is looking the safest these days . Good chance the app your looking for will not be infected as it does not exist :p
Rating: 7 Votes
41 months ago

How did these get approved in the first place? It seems something like this should be pretty easy to detect by Apple.

It isn't. In Objective C it's possible to construct API calls at runtime, so there's no easy way to discover them using static code analysis. And you can implement various methods to try and avoid making the calls while the app is in the review process.
Rating: 7 Votes
41 months ago
Why does Apple allow these private APIs to begin with? Is it not something they can disable to avoid this problem in the future? I mean the reality is that you do not need the SDK to leverage the APIs. If you are an app developer you could write code to leverage them directly. How is Apple monitoring for this?
Rating: 7 Votes
41 months ago
Sounds like the kind of stuff Google gets up to normally :)
Rating: 6 Votes
41 months ago
One of the downfalls of the video game industry was the lack of quality control during the 80's and the mass production of absolute crap that made it onto shelves.

The app store was amazing but now I rarely look through it. It is an endless sea of crap and has been this way for the past few years. It wouldn't be as bad if Apple implemented a more functional and advanced search feature but they have not yet up to this point. Since they are so controlling of their environment, why do not they not implement a quality control such as what Nintendo did with the NES and their "seal of quality" companies had on their games to show they were properly licensed and checked by Nintendo?
Rating: 6 Votes
41 months ago

"...and that many were likely unaware of the threat since the tool kit is delivered in binary form and obfuscated."

I think I just found my new favourite word.

Binary :cool:

There are 10 types of people in this world... Those who understand binary, and those who don't.


Rating: 6 Votes

[ Read All Comments ]