Apple Squashes Apps for Secretly Tracking Users

Chinese Mobile Ad Network Youmi Apologizes for Two-Year Tracking Campaign
Apple has removed hundreds of apps from its App Store after learning that they were using a Chinese software development kit that allowed them to access personal data, including email addresses and unique identification numbers, stored on iOS devices.

The developer behind the SDK, Chinese mobile advertising firm Guangzhou Youmi Mobile Technology Co., has offered "sincere apologies" for the tracking and promised to alter the software development kit used to build offending apps.

In a statement, Apple said that the apps violated the company's prohibition on collecting user data and that it would reject all new submissions to the App Store that were developed using Youmi's SDK. "We've identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server," Apple said. "This is a violation of our security and privacy guidelines. The apps using Youmi's SDK will be removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected."

Apple did not immediately respond to a request for comment about how many apps it excised from the App Store.

256 Offending Apps Found

The Youmi SDK behavior was first spotted by code analytics firm SourceDNA, which reported in an Oct. 18 blog post that it found 256 apps - downloaded an estimated 1 million times - that were using a version of the Youmi SDK that violated Apple's developer guidelines. It says the prohibited tracking behavior appears to have begun about two years ago.

SourceDNA says that the affected developers are located in China. It notes that they likely had no idea that the SDK was violating Apple's guidelines, "since the SDK is delivered in binary form, obfuscated, and user info is uploaded to Youmi's server," rather than being transmitted to a developer's own servers.

To prevent developers from tracking individual iOS users, "Apple has been locking down private APIs, including blocking apps from reading the platform serial number in iOS 8," SourceDNA says (see Apple iOS 8: What's New for Security?). But it says Youmi evaded those new measures by identifying various peripheral devices, such as batteries, attached to an iOS device and then relaying the unique serial numbers for those peripheral devices back to its servers, enabling it to track individual iOS users.

Apple says that it is working to identify any developers that used the Youmi SDK "to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly."

Youmi issued a Chinese-language statement Oct. 20 apologizing for the incident and claiming that it had never collected personally identifiable information. The company also said it is working with Apple to resolve the issue and that it would compensate affected developers. "For those products that have been temporarily taken down, we will provide reasonable compensation once this matter has been properly resolved," Youmi said in its statement, Dow Jones reports.

Follows XcodeGhost Malware Outbreak

The Youmi-tracking warning follows the XcodeGhost malware outbreak that came to light in September (see Apple Malware Outbreak: Infected App Count Grows). Security researchers reported that 4,000 or more apps available from the App Store - including at least 76 of the top 5,000 apps in Apple's China app store - were infected with XcodeGhost.

The malware infection was traced to a pirated copy of Apple's official Xcode tool - used to compile iOS and Mac OS X apps - which had been altered to include malicious code in every compiled app. Apple quickly blocked all apps that had been built with the unauthorized version. According to Apple, there were no signs that the malware had actually done anything malicious or stolen any PII.

But in a research note, threat-intelligence firm iSight Partners says that the Youmi SDK and XcodeGhost revelations raise "questions about possible weaknesses in the store's vetting process."

YiSpecter Threat

Earlier this month, meanwhile, security vendor Palo Alto Networks warned that it had discovered malware, dubbed YiSpecter - in the wild for at least 10 months - which could successfully exploit both jailbroken and non-jailbroken iOS devices.

"It's the first malware we've seen in the wild that abuses private APIs in the iOS system to implement malicious functionalities," Palo Alto Networks researcher Claud Xiao says in a blog post. "So far, the malware primarily affects iOS users in mainland China and Taiwan. It spreads via unusual means, including the hijacking of traffic from nationwide ISPs, an SNS worm on Windows and an offline app installation and community promotion."

So far, it's unclear how many devices may have been infected by the malware. Apple has downplayed the risk, noting that it added related defenses to iOS 8.4, which was released in June. "This issue only impacts users on older versions of iOS who have also downloaded malware from untrusted sources," Apple said in a statement. "We addressed this specific issue in iOS 8.4, and we have also blocked the identified apps that distribute this malware. We encourage customers to stay current with the latest version of iOS for the latest security updates. We also encourage them to only download from trusted sources like the App Store and pay attention to any warnings as they download apps."


About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.