that analytics service SourceDNA
uncovered the large group of potentially malicious applications after noticing they were accessing sensitive data such as Apple ID email addresses, lists of currently installed apps and device serial numbers. SourceDNA has torn apart and indexed the code in millions of apps, but said this is the first time it has seen iOS products that successfully access private user data and still make it into the store.
All the applications in question are written by Chinese developers and use an advertising SDK from a firm called Youmi. The SDK includes several ways of accessing data that Apple normally hides from third-party apps: Youmi calls Apple's private APIs to work around the platform's restrictions and gain access to device serial numbers and installed-app lists. SourceDNA says 256 apps were found using the invasive version of the SDK, totalling around 1 million downloads.
Youmi seems to have been planning ways of getting its code into the store for some time. SourceDNA thinks the company began with a limited trial of its abilities, starting two years ago by releasing an SDK version capable of detecting the name of the currently running app on an iPhone. Once this already-questionable behaviour got past the App Store approval process, the developers began adding the other features, such as serial number and email address access.
With users potentially exposed to this threat for nearly two years, doubt has been cast on the processes Apple uses to approve developer submissions. The activity could still be continuing today if SourceDNA, a third-party company, hadn't alerted Apple to the presence of hundreds of potentially malicious apps in its usually secure ecosystem. Company founder Nate Lawson told news site Ars Technica today: "This is actually an obfuscated toolkit for extracting as much private information as it can. It's definitely the kind of stuff that Apple should have caught."
Apple wrote in a statement that it has now removed all the apps and will be rejecting any further submissions using the Youmi SDK. It said: "We've identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines. The apps using Youmi's SDK have been removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly."
SourceDNA also credited a research report published last week, "iRiS: Vetting Private API Abuse in iOS Applications", as helping in the investigation into Youmi's SDK. The paper used different approaches from SourceDNA's but still established that Youmi was behind the observed collection of private data in iOS apps.
It is unknown what Youmi was doing with the data it harvested. Although its product purported to be an ad SDK, the inclusion of code to gather email addresses and serial numbers suggests there may have been more sinister things happening behind the scenes than simply detecting when users tap on banners in apps.
that the simplicity of Youmi's method — obfuscating binary code so the App Store approval process doesn't notice its malicious intent — could mean other similar products are already in the wild. It says it will continue to search for signs of any other private API usage on iOS and will alert Apple to any future developments.