Analytics firm SourceDNA has identified 256 iOS apps that violate the App Store user policy by accessing private information like email addresses without permission.
These applications, which altogether have been downloaded more than a million times, use private APIs and may be the first instance of software bypassing Apple’s app review process.
Many of the pinpointed apps were developed in China and use Youmi’s advertising software development kit (SDK). It appears that developers were not aware that the SDK was collecting personal information as it is delivered in binary form and any user info is uploaded to Youmi’s server, not the application’s. SourceDNA recommends that developers stop using this SDK until certain sections of code are removed.
SourceDNA also expressed its concern that there may be other as-yet-unidentified apps that use a similar approach to that being taken by the Youmi SDK.
“Given how simple this obfuscation is and how long the apps have been available that have it, we’re concerned other published apps may be using different but related approaches to hide their malicious behaviour. We’re continuing to add new features to our engine to discover anomalous behaviour in app code and find out if this is the case.”
Keen to maintain the App Store’s reputation as a security stronghold, Apple has responded swiftly to the findings, admitting that the Youmi SDK apps violate its security and privacy guidelines. All offending apps have now been removed and any new apps submitted using this SDK will not be accepted. The company added that it would “working closely” with developers to get safe versions of their software uploaded to the App Store as quickly as possible.
Unlike Android devices, which enable users to download software from third-party sources, iOS handsets only authorise downloads from the official App Store, meaning that Apple devices usually have a fewer instances of malicious software. Apple will be concerned that the discovery of apps bypassing its strict security policies threatens its position as the most secure mobile ecosystem.