SourceDNA which is a code analytics platform, has identified hundreds of apps on the App Store that were collecting private user data like email addresses and device identifiers which bypassed the Apple’s radar in the approval process. This code got into these apps through a third-party advertising SDK (Software Development Kit), which has secretly stored personal data and sent it off to its own servers.
The SourceDNA report has been verified by Apple and it’s now removing all the apps that included the advertising SDK. In response to this bypass, Apple has patched its approval processes to prevent any further infected apps to make it into the App Store.
The advertising SDK comes from Youmi, a Chinese advertising company as related in a statement released by Apple: “We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines.”
As Youmi has become more confident over time, because its SDK was not easily discovered, it started using various APIs to collect serial numbers, Apple ID emails and lists of installed apps. By using its binary search tools, SourceDNA officially found 256 apps that contained the malicious advertising SDK, which has slipped through Apple’s approval process for over two years. SourceDNA is worried that there might be other cases of similar behavior, undetected, already on App Store.