Apple has removed 256 apps from the App Store after a data analytics company reported that the Chinese firm Youmi was using code in the apps to gather personally identifiable information.
On Oct. 18, SourceDNA wrote about the vulnerability, which they had found while updating a feature to Searchlight, a product which scans apps for private API usage, something that usually gets your app banned from the App Store.
In an analysis of their binary signatures, SourceDNA found that all the compromised apps shared the same codebase from the Youmi’s advertising software development kit (SDK). Youmi was able to access personal information from nearly 1 million users, including which apps they had downloaded, their platform serial numbers, Apple ID, and the serial numbers of device peripherals such as the battery system.
“We believe the developers of these apps aren’t aware of this since the SDK is delivered in binary form, obfuscated, and user info is uploaded to Youmi’s server, not the app’s,” SourceDNA wrote in a blog post. Most of the developers were also from China.
An analysis of the release dates of the apps and their codebases pinpointed the date that Youmi started experimenting with private API usage to around two years ago; 142 of the 256 apps were not affected by private API usage, but were also banned from the App Store on Monday.
“The apps using Youmi’s SDK will be removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected,” Apple said in a statement released to SourceDNA. “We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.”
The Youmi SDK codebase also modified how it made requests for advertising IDs, which is permissible for tracking ad clicks, suggesting that they were using it for something else.
A week before SourceDNA reported the vulnerability, a group of researchers at Purdue University had published a report that referenced the same problem, after vetting 2,000 apps through their custom-built review process. The researchers stated that the App Store’s official vetting process was flawed and needed an upgrade, a conclusion shared by SourceDNA.
“Given how simple this obfuscation is and how long the apps have been available that have it, we’re concerned other published apps may be using different but related approaches to hide their malicious behavior,” the company wrote.
