Apple has recently removed 256 apps from its App Store after a few researchers discovered that these programs are able to collect private user data.
According to an investigation by SourceDNA, a Y Combinator startup, the apps can collect information such as email addresses, Apple IDs, and device identification numbers. The investigation also found that most of the apps came from China and were using a software development kit (SDK) created by Youmi, a Chinese advertising firm. Most of the developers were not aware of the security breach in their apps, according to the startup.
According to SourceDNA, the API performed four things without the user's consent:
Enumerate the list of installed apps or get the frontmost app name
Get the platform serial number
Enumerate devices and get serial numbers of peripherals
Get the user’s Apple ID (email)
Apple has since issued a statement, which reads:
We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines. The apps using Youmi’s SDK will be removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected.
The Cupertino-based company prohibits the use of application programming interfaces (APIs) that perform such acts, but Youmi's software was able to use them after it passed the company's review process. Apple did not name any of the apps, which were reportedly downloaded over 1 million times, but has stated that it is currently working with developers to update their apps to versions that are safe for its customers and compliant with the App Store's guidelines.
This Apple security exploit comes after the iOS App Store Xcode fiasco, in which a compromised version of Xcode, the official iOS app developer tool, was used to serve malware to users.
Note: The article was edited shortly after publishing to correct the XcodeGhost error. The malware apparently had no capability to hijack passwords from users. Apologies!