Researchers find more than 250 Apps listed on Apple’s App Store to be slurping user data
Researchers have discovered apps built with the Youmi SDK slurping massive amounts of data, costing users hundreds of dollars. Youmi is a China-based mobile advertising provider whose software development kit (SDK) uses private APIs to gather user and device information, according to SourceDNA researchers.
Apps with the Youmi SDK were found listed in the App Store even though Apple explicitly prohibits app developers from making their apps call private APIs. Apple normally spots this kind of behaviour when the app is submitted for approval to be included in the App Store.
According to security analytics company SourceDNA, which alerted Apple to this problem, some 250+ apps with an estimated total of 1 million downloads have been built on the problematic SDK.
“The older versions [of the SDK] do not call private APIs, so the 142 apps that have them are ok. But almost two years ago, we believe the Youmi developers began experimenting with obfuscating a call to get the frontmost app name,” SourceDNA researchers noted.
According to the researchers, once the apps passed the review, they started adding further behaviors that made the apps capable of enumerating the list of installed apps or getting the frontmost app name, getting the platform serial number, enumerating devices and getting the serial numbers of peripherals, and getting the user’s Apple ID (email).
“They also use the same obfuscation to hide calls to retrieve the advertising ID, which is allowable for tracking ad clicks, but they may be using it for other purposes since they went to the trouble to obfuscate this,” the researchers stated.
Apple had already been informed about the Youmi SDK and its flawed app vetting process by Purdue University. A group of researchers from Purdue University, Indiana, discovered the same pattern and attributed it to the Youmi SDK. They also proposed a new iOS application vetting system that should detect this type of attack.
Acting on the SourceDNA and Purdue University findings, Apple has reportedly already removed an unspecified number of apps from the App Store following this discovery.
“We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines,” the company stated.
“The apps using Youmi’s SDK will be removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.”
More likely than not, the developers of these removed apps weren’t even aware of the fact that their apps were extracting this information and sending it to the creators of the SDK.