Apple Removes Over 250 iOS Apps With Ad SDK That Collects Personal User Data

19 Oct 2015

3rd-party ad APIs from China illegally collected data from hundreds of App Store titles.

App analytics firm SourceDNA just discovered evidence that hundreds of apps in the iOS App Store are collecting a whole bunch of identifying data about you in violation of Apple’s privacy policy. Hundreds of iOS applications have been pulled out of the App Store, following a report from analytics service SourceDNA, which uncovered a group of applications that were extracting users’ personally identifiable information, including the email address associated with their Apple ID, device and peripheral serial numbers, and a list of apps installed on their phone.

China continues to present some unusual challenges for Apple, which confirmed that it has removed apps that collected private user data such as email addresses and device identifiers. The applications in question had been using an SDK from a Chinese advertising company called Youmi which was accessing this information by way of private APIs, the report found. The code got into these apps through the inclusion of a mischievous third-party advertising SDK, which secretly stored this data and sent it off to its own servers.

The apps, which at most recent count totaled 256, are significant because they expose a lapse in Apple’s vetting process for admitting titles into its highly curated App Store. Apple has confirmed that the SourceDNA report contributed to its removing all of the apps that included the advertising SDK from the store, as using private API calls is a breach of App Review Guidelines. However, the larger concern here has to do with how long this activity had been taking place – and what that means in terms of Apple’s App Store review process, given that it hadn’t caught this suspect activity until being alerted to it by a third-party.

Developers using an infected version of Apple’s Xcode, which is used to build iOS apps, were unknowingly allowing malware to potentially phish your iCloud and Apple ID information. Youmi’s data collection efforts appear to extend back almost two years, and may have become more brazen over time, with new tricks to hide activities and circumvent Apple security methods. Earlier this month, Apple found that some content-blocking apps were installing root certificates on your iPhone to block ads in other apps, not just Safari.

And when it realized that it was able to get this through Apple’s App Review process, it then began to use the same obfuscation technique to request other data, including the advertising ID. The App Store’s reputation for being a safe haven has come under serious fire in the past month, with incidents like vulnerabilities in content blockers and the YiSpecter and XcodeGhost malware infections undermining confidence. The ad ID can be accessed for tracking ad clicks, but given that Youmi was surreptitiously collecting it, the firm may have been using it for other purposes, the report speculates. In addition, SourceDNA noted that while Apple had been locking down private APIs in order to prevent apps from reading the platform serial number in iOS 8, Youmi worked around this by enumerating peripheral devices, like the battery system.

The developers, frustrated with the long load times for Apple’s Xcode, turned to the unauthorized version that was more quickly available online — but contained hidden malware. China is an increasingly important market for Apple, accounting for 20 percent of the Cupertino technology giant’s revenue in the most recent quarter. Lawson said all the information collected by these so-called XcodeGhost apps were things allowed by Apple and didn’t involve using restricted programming interfaces built into iOS. And like other foreign companies, Apple adheres to the government’s strict regulations — reportedly prompting it to disable the mobile news app in China, where the media is tightly regulated.

The XcodeGhost apps did have the ability to open URLs specified by a command and control server, and that could have been used to carry out malicious actions on an affected iPhone. But once again, Lawson said that no private API was involved and that the opening of URLs is already carried out by legitimate apps. “When you click on a URL in your browser and the Yelp app opens to that restaurant, that’s what it’s doing,” he explained. Developers probably didn’t realize Youmi’s SDK was pulling private data, the analytics firm said, because the info the app collects is routed to Youmi’s server, not the app’s. Apple’s admission that its App Store hosted apps that installed root certificates that could bypass the transport layer security protections of other apps almost certainly exposed a separate hole in the company’s security vetting process. The advertising tool kit that acquires the data is provided by Youmi, a company that’s not easy to contact, since its website is written almost entirely in Chinese.

The developer kit is made available as a binary file that uses a digital cloak of sorts to obscure the data-gathering functions from the developers who incorporate the Youmi code into their apps. “They installed this SDK to show ads, and the SDK vendor is using that privileged position in the app to collect data on all users who use their app.” Except for the McDonald’s app, the SourceDNA blog post announcing the discovery doesn’t list the offending apps by name, although Lawson said the company has privately provided a list to Apple representatives.
