Apple recently pulled 256 applications from the iTunes App Store that were built using a fishy third-party SDK and were providing personal information to an advertiser. While the apps are no longer available, they do show the vulnerabilities of app stores that try to filter dangerous apps in the first place.
The apps built using a third-party SDK were first spotted by SourceDNA, which “disassembles and indexes the behavior of code in millions of apps,” according to the company’s website. SourceDNA found that 256 applications built using an SDK provided by advertising network Youmi were collecting AppleIDs, peripheral serial numbers, platform serial numbers and lists of installed apps and sending that data up to Youmi.
“Most of the developers are located in China,” SourceDNA said, noting that it doesn’t believe the individual app developers knew of the malicious code or data being sent up to Youmi. “We recommend developers stop using this SDK until this code is removed,” the site said. Combined, the apps were downloaded more than 1 million times.
Apple has since responded and has pulled all of the apps that used the Youmi SDK.
“We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server,” Apple said in a statement to SourceDNA. “This is a violation of our security and privacy guidelines. The apps using Youmi’s SDK will be removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.”
The full list of malicious apps was not disclosed by Apple.