A Chinese advertising company called Youmi provided app makers with a software development kit [SDK] that could gather information on what apps a user had downloaded, their email address and serial numbers for their smartphone, according to mobile security company SourceDNA (h/t TechCrunch). Those apps in total had been downloaded more than one million times.
Most of the developers using Youmi’s SDK are based in China, and might not even have been aware they were running afoul of Apple’s security and privacy guidelines.
“We believe the developers of these apps aren’t aware of this since the SDK is delivered in binary form, obfuscated, and user info is uploaded to Youmi’s server, not the app’s. We recommend developers stop using this SDK until this code is removed,” SourceDNA says in the blog post.
How did Apple’s review process allow these apps to slip through? It’s unclear, though SourceDNA believes it’s likely that Youmi had been tinkering around for years trying to come up with a way to tap into iOS’ restricted application programming interfaces (APIs) to cull info only Apple should be able to see. Youmi pushed the limits of its SDK, and once it got through the Apple review process, it likely got the confidence it needed to change it up and enable it to collect information.
SourceDNA submitted its report to Apple, and Apple responded by banning the apps in question. Any developers who used Youmi’s SDK are working with Apple now to get their apps updated so they comply with Apple’s guidelines, which will allow them to put their apps back in the App Store.
“This is a violation of our security and privacy guidelines,” Apple said in its statement. “The apps using Youmi’s SDK have been removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.”
by Mary Beth Quirk via Consumerist