Apple removes 256 apps found to be collecting personal data

Only a few weeks after the malware known as XcodeGhost was found to be affecting apps on the App Store, Apple has removed another 256 apps found to be collecting personal user information. The analytics service SourceDNA discovered that hundreds of apps in the App Store were using an advertising SDK from China to collect personal data, such as Apple ID email addresses and other private information used to track users. It is estimated that around one million people have downloaded the apps.

"This is the first time we've found apps live in the App Store that are violating user privacy by pulling data from private APIs," Nate Lawson, the founder of security analytics startup SourceDNA, told Ars Technica. "This is actually an obfuscated toolkit for extracting as much private information as it can. It's definitely the kind of stuff that Apple should have caught."

Apple released the following statement shortly after SourceDNA went public with its findings.

"We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines. The apps using Youmi's SDK will be removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly."

The apps in question violated Apple's App Store privacy policy by collecting a list of all apps installed on a user's device, the email addresses associated with a user's ID and a list of device serial numbers, according to Ars Technica.

Lawson also noted that the app developers did not realize the SDK was collecting information.

"McDonald's in China didn't do this on purpose," Lawson explained. "They installed this SDK to show ads, and the SDK vendor is using that privileged position in the app to collect data on all users who use their app."