Analytics service SourceDNA first spotted the problem apps, which have been pulling data via private APIs (application programming interfaces), a practice that generally results in an app being rejected by Apple’s review process.
A total of 256 apps, mostly from Chinese developers, slipped through the cracks. Those apps, which have amassed over one million downloads, have been collecting an array of user data from those who have installed them.
According to SourceDNA’s findings, the apps collect a list of other apps installed on the device, the iOS device’s platform serial number, the e-mail address associated with a user’s Apple ID, and other device identifiers.
“It’s all personally identifiable information that outlasts the phone OS or apps being reinstalled,” SourceDNA founder Nate Lawson told the Daily Dot. “The likely goal is to profile the user beyond what Apple allows advertisers to do.”
Chinese mobile marketing company Youmi appears to be at the source of the problem. The company’s advertising SDK (software development kit) is used to display ads inside of other applications. McDonald’s app for Chinese speakers, for example, displayed advertisements provided by Youmi.
The developers of apps using the Youmi SDK were likely unaware of its practices.
Youmi lists a stable of noteworthy advertising partners on its site, including companies like Procter & Gamble, Audi, Nokia, and Samsung. Lawson explained these companies are display partners, “which means they supply ads for Youmi to display. They aren’t at any risk, it’s the app users.”
Lawson and the SourceDNA team first spotted the suspicious behavior while updating the company’s Searchlight tool for developers. The code watchdog company designed Searchlight to find security and quality issues in mobile apps, and was adding functionality to scan apps for private API usage, the exact violation performed by the Youmi SDK.
Apple issued a statement on the situation, acknowledging the issue and detailing the actions the company will take to respond to it:
“We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines. The apps using Youmi’s SDK will be removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.”
Apple did not respond to a request for additional comment.
SourceDNA has chosen not to release the full list of affected apps until Apple has removed them entirely from the App Store. The list has been provided to Apple, and Lawson noted that most have already been removed.
Until then, users will have to wait. “There’s nothing a user could see in the app that would indicate it has this problem,” Lawson said.