250+ iOS apps offered on Apple’s App Store found slurping user data

The latest instance of potentially malicious apps tricking the Apple App Store's vetting process comes courtesy of Youmi, a China-based mobile advertising provider whose software development kit (SDK) uses private APIs to gather user and device information.

Apple explicitly prohibits app developers from having their apps call private APIs, and this behavior is usually spotted when an app is submitted for approval to be included in the App Store.

According to security analytics company SourceDNA, which alerted Apple to the problem, 250+ apps with an estimated total of 1 million downloads have been built on the problematic SDK.

“The older versions [of the SDK] do not call private APIs, so the 142 apps that have them are ok. But almost two years ago, we believe the Youmi developers began experimenting with obfuscating a call to get the frontmost app name,” SourceDNA researchers noted.

Once they were able to get this through App Review, they started adding further behaviors, making the apps capable of enumerating the list of installed apps or getting the frontmost app name, getting the platform serial number, enumerating devices and getting the serial numbers of peripherals, and getting the user’s Apple ID (email).

“They also use the same obfuscation to hide calls to retrieve the advertising ID, which is allowable for tracking ad clicks, but they may be using it for other purposes since they went to the trouble to obfuscate this,” they pointed out.

Interestingly enough, SourceDNA researchers weren’t the only ones who spotted this anomaly. A group of researchers from Purdue University, Indiana, discovered the same pattern and attributed it to the Youmi SDK. They also proposed a new iOS application vetting system that should detect this type of attack.

Apple has removed an unspecified number of apps from the App Store following this discovery.

“We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines,” the company stated.

“The apps using Youmi’s SDK will be removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.”

More likely than not, the developers of the removed apps weren’t even aware that their apps were extracting this information and sending it to the creators of the SDK.

UPDATE:

Youmi has issued an apology for creating the data-slurping SDK and said they are working with Apple to resolve the issue. According to ZDNet, they also offered “reasonable compensation” for app developers whose apps have been removed from the App Store because they used the SDK in question.

Youmi is one of the main mobile advertising networks in China, and earlier this year it debuted its new global mobile ad platform, Adxmi, which covers both Android and iOS. It’s definitely in Youmi's interest to keep a good relationship with Apple. Even if Apple decides to forgive, it’s unlikely to forget: apps based on Youmi's SDK will surely receive more scrutiny in the future.