Youmi ad SDK affects hundreds of apps in Apple App Store (Reuters)

Hundreds of iOS apps in Apple's App Store have been found to be collecting users' personal information in violation of Apple's security and privacy guidelines. These apps use a third-party advertising SDK by Youmi, a mobile advertising provider in China. The personal information collected includes the user's email ID, the list of installed apps and the serial number of the device, all gathered via private APIs (application programming interfaces).

The developers of these apps are basically from China and are completely unaware of this issue, since the SDK is delivered in binary form and the user information is uploaded to Youmi's server, not to the apps' own servers.

The apps that extract personal information through private APIs were first discovered by analytics firm SourceDNA while it was adding support to Searchlight for scanning private API usage. The firm claims to have found some 256 apps, with an estimated total of one million downloads, that include at least one version of the Youmi SDK that violates user privacy. It further suggests that these developers must stop using this SDK until the code is removed. The Youmi advertising SDK collects the following kinds of information:

  • Enumerate the list of installed apps or get the frontmost app name
  • Get the platform serial number
  • Enumerate devices and get serial numbers of peripherals
  • Get the user's AppleID (email)

"This is the first time we've found apps live in the App Store that are violating user privacy by pulling data from private APIs. This is actually an obfuscated toolkit for extracting as much private information as it can. It's definitely the kind of stuff that Apple should have caught," Nate Lawson, the founder of SourceDNA, explained to Ars Technica.

This discovery by SourceDNA comes just a month after the XcodeGhost malware attack on the App Store. XcodeGhost, which affects non-jailbroken iOS devices as well, collects system and app information and uploads it to a server. Apple, however, immediately removed the apps that were affected by the malicious software.

Nate Lawson says XcodeGhost had the ability to open URLs on command from a command and control server and so carry out malicious actions on an affected iPhone. But it did not involve private APIs, and the opening of the URL is carried out by legitimate apps.

Meanwhile, Apple has acknowledged the issue. In a statement issued to SourceDNA, Apple said that it has already identified the apps, which will be removed from the App Store.

Apple said: "We've identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines. The apps using Youmi's SDK will be removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly."