Apple announced yesterday that it had pulled hundreds of apps from its App Store because they violated the App Store’s review process by collecting unapproved kinds of data.
A third-party analytics service called SourceDNA discovered that apps using a software developer kit (SDK) from a Chinese advertising platform called Youmi, were collecting personally identifiable data, including email addresses, Apple IDs, device and peripheral serial numbers, and a list of apps installed on the device.
Any app using Youmi’s SDK have been removed from the App Store and future apps built with that SDK will be rejected. But the apps will still be available on users’ devices, although they won’t be updated.
Perhaps more disturbing than the data privacy breach is the fact that Youmi was able to get the data collection past Apple’s notoriously rigorous app review process. According to SourceDNA, Youmi originally tried obfuscating a call to collect the name of the app running on a device at any given time. Once that was successful, apparently Youmi was able to hide other data collection with the same method.
Unfortunately, the evidence suggest that many of the actual app developers may have had no idea that the software was secretly collecting data. Apple has said it will work with app developers to update the apps and ensure they are safe for customers, but until that time, the apps will remain banned.
Most of the apps were based in China, making it a relatively isolated incident. More worrying are the implications that the method used to hide the data collection from Apple was fairly simple, yet went unnoticed for more than two years. SourceDNA points out that there may be other apps using different but related schemes for collecting illicit data.
In late September 2015, the App Store faced an unprecedented attack, when dozens of (mostly) Chinese apps were infected with malware, calling into question Apple’s strict control over the apps allowed in its store and on its devices.
This article was written by Bernard Marr from Forbes and was legally licensed through the NewsCred publisher network.