Analytics service SourceDNA has dropped a bombshell that has led to the expulsion of hundreds of iOS applications from the App Store. According to a report by SourceDNA, a group of apps had been quietly siphoning private data off their host devices using an SDK from the Chinese advertising firm Youmi.
As per the report published by SourceDNA:
We’ve found hundreds of apps in the App Store that extract personally identifiable user information via private APIs that Apple has forbidden them from calling. This is the first time we’ve seen iOS apps successfully bypass the app review process. But, based on what we learned, it might not be the last.
The implicated applications were able to collect personal details such as the email address associated with the user's Apple ID, the serial numbers of the device and its peripherals, and a list of the apps installed on the phone.
According to SourceDNA, the apps accessed this personal information through private APIs, something Apple's security and privacy guidelines explicitly forbid. What is even more worrisome is that these applications made their way through Apple's app review system without a hitch, raising serious doubts about the reliability of that system.
Indeed, Apple became aware of the problem only after SourceDNA contacted it. SourceDNA had noticed the private API calls in app code while updating its Searchlight product to check for exactly this kind of usage. Apple quickly took action and informed SourceDNA that the apps using Youmi's SDK, which numbered 256 and had been cumulatively downloaded over a million times, had been shown the door.
We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines.
The apps using Youmi’s SDK have been removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.
However, the fact that Apple, which prides itself on its top-notch security and privacy features, was unable to discover these apps until tipped off by a third party is liable to cause serious concern. Thankfully, the incident appears to have been isolated and has been nipped in the bud, courtesy of SourceDNA's vigilance.
According to SourceDNA, apps that call these private APIs may have been getting into the App Store for about a year and a half. However, the company did suggest that the app developers themselves were very likely in the dark about the nature of the SDK they were using.
We believe the developers of these apps aren’t aware of this since the SDK is delivered in binary form, obfuscated, and user info is uploaded to Youmi’s server, not the app’s.
So where does the blame lie? Apparently, Youmi has been experimenting with this for the past couple of years. The company started by obfuscating a single call that retrieves the frontmost app name. Once an app with this capability built in made it through Apple's app review, Youmi got bolder and expanded the private API calls in its SDK, so that it was soon able to:
- Enumerate the list of installed apps or get the frontmost app name
- Get the platform serial number
- Enumerate devices and get serial numbers of peripherals
- Get the user’s AppleID (email)
The upshot of all this is that developers who used the SDK downloaded from Youmi found themselves unknowingly shipping applications that sent all kinds of private data from the host device to Youmi's servers. What's more, since Apple's app review failed to spot this, there is no telling what else may have sneaked past the system.
Looking at the situation, it seems vital that Apple, along with the various third-party analytics services, step up their game in order to foil organizations like Youmi that seek to harvest user information illegitimately for their own gain.
SourceDNA is well aware of the facts and takes a similar view of the situation.
Given how simple this obfuscation is and how long the apps have been available that have it, we’re concerned other published apps may be using different but related approaches to hide their malicious behavior. We’re continuing to add new features to our engine to discover anomalous behavior in app code and find out if this is the case.