256 apps using a Chinese advertising software development kit (SDK) have been removed from Apple's App Store for collecting an extensive amount of personal data against App Store rules.
The App Store has had a rough fall. First, a "hack" (really more of an experiment gone awry) saw thousands of Chinese-made apps compromised with a devious but ultimately largely harmless malware called XcodeGhost.
The apps were said to have gathered user email addresses, device identifiers, and other data and sent it back to Youmi, a mobile advertising provider. This wasn't an accident either. Nate Lawson, founder of security analytics firm SourceDNA, told Ars Technica that it was "an obfuscated toolkit for extracting as much private information" as possible.
The data was never sent to app developers using the SDK, and it's likely that they never even knew about it. They were just trying to show ads and make some money.
In a statement to Ars, Apple said that the apps using the SDK have been removed from the App Store and that any apps using it in the future will be rejected, effectively banning Youmi from the store.
According to SourceDNA, the data gathering had been going on for months, getting progressively more intrusive. Youmi could get a list of all apps installed on a phone, the platform serial number of devices if they were running an older version of iOS, a list of hardware and serial numbers running on devices with a newer version of the iOS, and the email address associated with the user's Apple ID.
Aside from a Chinese-language version of the McDonald's app, none of the apps have been publicly revealed. Since the SDK was made for Chinese speakers by a Chinese firm, it's unlikely that English-speaking iOS users will be affected by this privacy breach unless they are installing Chinese-developed apps.
There is an increased security risk for users jailbreaking their devices, as their devices are left almost completely unprotected against hackers and government-sponsored spy agencies.
Apple has frequently noted that its App Store is more secure than other app repositories because it checks each app before it goes live, both for security flaws and to ensure that apps meet its rigorous quality guidelines. Incidents like this one and the XcodeGhost malware last month raise doubts about the thoroughness of Apple's quality controls on the store.
Are you concerned about your iOS devices being compromised or your privacy being invaded? Let us know your thoughts in the comments.
- Most users in the US don't need to worry about XcodeGhost App Store malware
- XcodeGhost malware more widespread than previously believed
- Apple finally blocks iOS beta users from leaving reviews on the App Store
- Apple loosens App Store guidelines, allows task launching app into Notification Center
- Security and privacy: New challenges (ZDNet/TechRepublic special feature)
Jordan Golson is an Apple Columnist for TechRepublic. He also writes about technology and automobiles for WIRED and MacRumors. He has worked for Apple Retail twice and has been writing about technology since 2007.