More than 250 apps collecting personal data removed from App Store
The affected apps were mostly China-based and gathered information such as email addresses and unique serial numbers that could be used to track users
Apple has started removing more than 250 apps from its App Store after it was found that the apps were collecting personal data. The apps were gathering information such as email addresses, unique serial numbers and other personally identifying information that could be used to track users. The collection of such data is in violation of Apple’s privacy policy as the company does not allow third-party applications to share data without obtaining permission from the user. It also rejects apps that require users to share personal information such as email addresses or birth dates.
The information was being siphoned by an advertising SDK developed by Youmi, a Chinese mobile ad provider. The affected apps are mostly China-based and included the official McDonald's app for Chinese speakers. Apple released a statement saying, “We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines. The apps using Youmi's SDK will be removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.”
The apps were detected by SourceDNA, a security analytics startup. Its researchers found four major classes of information that were gathered by apps using the Youmi ad SDK: a list of all the apps installed on the phone; the platform serial number of iPhones and iPads running older versions of iOS; a list of hardware components and their serial numbers on devices running newer versions of iOS; and the email address associated with the user’s Apple ID.
Last month, Apple was cleaning the App Store of more than 300 applications that were affected by a malicious program called XcodeGhost. The code affected iPhone and iPad programs. It was embedded in a number of legitimate apps in the Store, whose developers unknowingly added it by using a ‘tainted’ version of Xcode, Apple’s own software for creating apps for iOS and OS X. Although Apple did not make an official statement on the number of apps affected, a Chinese security firm called Qihoo360 said that it found 344 apps with XcodeGhost.
Source: Ars Technica