Apple has pulled hundreds of apps from its App Store that use the Youmi advertising SDK from China after SourceDNA found the SDK was using private APIs.
We’ve found hundreds of apps in the App Store that extract personally identifiable user information via private APIs that Apple has forbidden them from calling. This is the first time we’ve seen iOS apps successfully bypass the app review process. But, based on what we learned, it might not be the last.
The site believes that the Youmi advertising SDK began experimenting with obfuscating a call to get the app name about two years ago. As it grew more confident it wasn't being detected, they began requesting more information.
SourceDNA found four main groups of private APIs these apps are calling:
● Enumerate the list of installed apps or get the frontmost app name
● Get the platform serial number
● Enumerate devices and get serial numbers of peripherals
● Get the user’s AppleID (email)
Apple issued the following statement:
“We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines. The apps using Youmi’s SDK have been removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.”
Hit the link below for the technical details...
Read More [via Jim]
We’ve found hundreds of apps in the App Store that extract personally identifiable user information via private APIs that Apple has forbidden them from calling. This is the first time we’ve seen iOS apps successfully bypass the app review process. But, based on what we learned, it might not be the last.
The site believes that the Youmi advertising SDK began experimenting with obfuscating a call to get the app name about two years ago. As it grew more confident it wasn't being detected, they began requesting more information.
SourceDNA found four main groups of private APIs these apps are calling:
● Enumerate the list of installed apps or get the frontmost app name
● Get the platform serial number
● Enumerate devices and get serial numbers of peripherals
● Get the user’s AppleID (email)
Apple issued the following statement:
“We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines. The apps using Youmi’s SDK have been removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.”
Hit the link below for the technical details...
Read More [via Jim]