According to code analytics platform SourceDNA, hundreds of apps on the iOS App Store have been removed because they possess APIs that collect private user data, such as email addresses and device identifiers.
The code reportedly found its way into these applications in the form of a malicious third-party advertising SDK. In turn, the malicious software uploads data it steals to a private server.
To Apple’s credit, as soon as SourceDNA notified the company of the security breach, all of the affected apps were removed from the App Store, since taking advantage of a private API is a direct violation of Apple’s app review guidelines. The App Store’s approval process has also reportedly been patched to prevent security breaches like this from reoccurring.
The advertising SDK in question is sourced from Chinese advertising company Youmi. The malicious SDK is also able to view and store device serial numbers, list installed apps and grab user Apple ID email information.
All of the offending apps were located in the Chinese App Store and right now it seems like the Canadian and U.S. App Store has not been effected. However, SourceDNA emphasizes it’s concerned other advertising platforms could be taking advantage of similar undetected methods.
Find Apple’s full statement regarding the security breach below:
“We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines. The apps using Youmi’s SDK have been removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.”