Apple Removes Over 250 iOS Apps With Ad SDK That Collects Personal User Data

by

SourceDNA, an analytics service that tracks iOS and Android code, has discovered hundreds of iOS apps that collect personally identifiable user information, including Apple ID email addresses and device identifiers, through a Chinese third-party advertising SDK called Youmi that is prohibited by App Store guidelines.

App-Store-About
The analytics firm, using its new developer tool Searchlight, found 256 affected apps, with an estimated 1 million total downloads, using one of the versions of Youmi in violation of user privacy. Its report claims most of the developers who used the SDK are located in China, and that many were likely unaware of the threat since the tool kit is delivered in binary form and obfuscated.

Ars Technica explained in more detail about the information gathered "gradually over the past year or so" by apps using Youmi:

SourceDNA researchers found four major classes of information gathered by apps that use the Youmi ad SDK. They include:

1. A list of all apps installed on the phone
2. The platform serial number of iPhones or iPads themselves when they run older versions of iOS
3. A list of hardware components on devices running newer versions of iOS and the serial numbers of these components, and
4. The e-mail address associated with the user’s Apple ID

The personal info is reportedly gathered via private APIs and then routed through Youmi's servers in China.

Apple released a statement saying it will remove apps with Youmi from the App Store, and reject future submissions using the SDK:

“We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines. The apps using Youmi’s SDK have been removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.”

SourceDNA sent a full list of affected apps to Apple, including the official McDonald's app in China, but did not share it publicly. Developers can check if their apps are affected using the analytics firm's Searchlight tool.

This discovery comes weeks after iOS malware XcodeGhost was disclosed, which arose from a malicious version of Xcode, Apple's official tool for developing iOS and OS X apps. Apple also patched YiSpecter malware in iOS 8.4.

Tags: App Store, China, SDK, SourceDNA, Youmi

Popular Stories

New Things Your iPhone Can Do in iOS 18

18 New Things Your iPhone Can Do in iOS 18.2

Wednesday November 13, 2024 2:09 am PST by
Apple is set to release iOS 18.2 next month, bringing the second round of Apple Intelligence features to iPhone 15 Pro and iPhone 16 models. This update brings several major advancements to Apple's AI integration, including completely new image generation tools and a range of Visual Intelligence-based enhancements. There are a handful of new non-AI related feature controls incoming as well....
Read Full Article25 comments
M4 MacBook Pros Thumb

M4 MacBook Pro Uses Quantum Dot Display Technology

Thursday November 14, 2024 4:19 pm PST by
The M4 MacBook Pro models feature quantum dot display technology, according to display analyst Ross Young. Apple used a quantum dot film instead of a red KSF phosphor film, a change that provides more vibrant, accurate color results. Young says that Apple has opted for KSF for prior MacBook Pro models because it doesn't use toxic element cadmium (typical for quantum dot) and is more...
Read Full Article98 comments
AirPods Crackling Feature

Apple Customers Sue Over Unfixed AirPods Pro Crackling Issue

Wednesday November 13, 2024 11:01 am PST by
A trio of Apple customers this month filed a class action lawsuit against Apple, accusing the Cupertino company of violating California consumer protection laws and false advertising for continuing to sell AirPods Pro models that had ongoing issues with crackling or static sounds. A few months after the AirPods Pro came out in October 2019, buyers began to complain about crackling, rattling, ...
Read Full Article133 comments
google gemini

Google Releases Standalone Gemini AI App for iPhone

Thursday November 14, 2024 2:54 am PST by
Google has launched its dedicated Gemini artificial intelligence app for iPhone users, expanding beyond the previous limited integration within the main Google app. The standalone app offers enhanced functionality, including support for Gemini Live and iOS-specific features like Dynamic Island integration. The new app allows iPhone users to interact with Google's AI through text or voice...
Read Full Article72 comments
airtag purple

New AirTag Rumored to Launch in Mid-2025 With These Features

Sunday November 17, 2024 5:18 am PST by
Apple released the AirTag in April 2021, so it is now three over and a half years old. While the AirTag has not received any hardware updates since then, a new version of the item tracking accessory is rumored to be in development. Below, we recap rumors about a second-generation AirTag. Timing Apple is aiming to release a new AirTag in mid-2025, according to Bloomberg's Mark Gurman....
Read Full Article40 comments

Top Rated Comments

jettredmont Avatar
jettredmont
119 months ago
through a Chinese third-party advertising SDK called Youmi ('https://www.youmi.net/')
So, another issue with wide swathes of apps from China. Not to be nationalist over this, but it seems there is a clear disease running through China putting its product on par with former-Soviet countries in terms of general trustability. The fact that this private information is being sent through the Great Firewall of China and not being hindered by that at all seems significant (Chinese developers complain that it is too slow to download Xcode across that firewall, but sending all this data from millions of phones and devices around the world to their servers over the same firewall is business as usual?)

"Something is rotten in the state of Denmark" seems an understatement.

I trust any corporation about as far as I can throw them, but it seems those residing in China give even less of a pause before assuming that anything they can grab is fair game.

When will apps start displaying "Designed and developed in the USA" badges?
Score: 20 Votes (Like | Disagree)
doboy Avatar
doboy
119 months ago
These apps should be banned, but doesn't sound too serious. Google likely collects more data ;)
Score: 17 Votes (Like | Disagree)
asmartkid82 Avatar
asmartkid82
119 months ago
I think the real question is: How many apps (and how long) have been making use of private APIs using similar techniques? How many apps do we have in our devices that have bypassed App Store validation using similar procedures? And I assure you, as a developer, that this is not a difficult thing to do at all…
Score: 13 Votes (Like | Disagree)
Benjamin Frost Avatar
Benjamin Frost
119 months ago
Good to see apps taking personal data being removed.

Presumably FaceBook and Google will be next on the list.
Score: 11 Votes (Like | Disagree)
Rigby Avatar
Rigby
119 months ago
How did these get approved in the first place? It seems something like this should be pretty easy to detect by Apple.
It isn't. In Objective C it's possible to construct API calls at runtime, so there's no easy way to discover them using static code analysis. And you can implement various methods to try and avoid making the calls while the app is in the review process.
Score: 7 Votes (Like | Disagree)
2457282 Avatar
2457282
119 months ago
Why does Apple allow these private APIs to begin with? Is it not something they can disable to avoid this problem in the future? I mean the reality is that you do not need the SDK to leverage the APIs. If you are an app developer you could write code to leverage them directly. How is Apple monitoring for this?
Score: 7 Votes (Like | Disagree)
Read All Comments