Only a few weeks after the malware known as XcodeGhost was found to be affecting apps on the App Store, Apple has removed another 256 apps found to be collecting personal user information. The analytics service SourceDNA discovered that hundreds of apps in the App Store were using an advertising SDK from China to collect personal data, such as Apple ID email addresses and other private information used to track users. It is estimated that around one million people have downloaded the apps.
"This is the first time we've found apps live in the App Store that are violating user privacy by pulling data from private APIs," Nate Lawson, the founder of security analytics startup SourceDNA, told Ars Technica. "This is actually an obfuscated toolkit for extracting as much private information as it can. It's definitely the kind of stuff that Apple should have caught."
Apple released the following statement shortly after SourceDNA went public with its findings.
Lawson also noted that the app developers did not realize the SDK was collecting information.
"McDonald's in China didn't do this on purpose," Lawson explained. "They installed this SDK to show ads, and the SDK vendor is using that privileged position in the app to collect data on all users who use their app."