Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

MacRumors

macrumors bot
Original poster
Apr 12, 2001
64,887
33,048



SourceDNA, an analytics service that tracks iOS and Android code, has discovered hundreds of iOS apps that collect personally identifiable user information, including Apple ID email addresses and device identifiers, through a Chinese third-party advertising SDK called Youmi that is prohibited by App Store guidelines.

App-Store-About.jpg

The analytics firm, using its new developer tool Searchlight, found 256 affected apps, with an estimated 1 million total downloads, using one of the versions of Youmi in violation of user privacy. Its report claims most of the developers who used the SDK are located in China, and that many were likely unaware of the threat since the tool kit is delivered in binary form and obfuscated.

Ars Technica explained in more detail about the information gathered "gradually over the past year or so" by apps using Youmi:
SourceDNA researchers found four major classes of information gathered by apps that use the Youmi ad SDK. They include:

1. A list of all apps installed on the phone
2. The platform serial number of iPhones or iPads themselves when they run older versions of iOS
3. A list of hardware components on devices running newer versions of iOS and the serial numbers of these components, and
4. The e-mail address associated with the user's Apple ID
The personal info is reportedly gathered via private APIs and then routed through Youmi's servers in China.

Apple released a statement saying it will remove apps with Youmi from the App Store, and reject future submissions using the SDK:
"We've identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines. The apps using Youmi's SDK have been removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly."
SourceDNA sent a full list of affected apps to Apple, including the official McDonald's app in China, but did not share it publicly. Developers can check if their apps are affected using the analytics firm's Searchlight tool.

This discovery comes weeks after iOS malware XcodeGhost was disclosed, which arose from a malicious version of Xcode, Apple's official tool for developing iOS and OS X apps. Apple also patched YiSpecter malware in iOS 8.4.

Article Link: Apple Removes Over 250 iOS Apps With Ad SDK That Collects Personal User Data
 

asmartkid82

macrumors newbie
Jun 9, 2015
15
27
I think the real question is: How many apps (and how long) have been making use of private APIs using similar techniques? How many apps do we have in our devices that have bypassed App Store validation using similar procedures? And I assure you, as a developer, that this is not a difficult thing to do at all…
 

jettredmont

macrumors 68030
Jul 25, 2002
2,731
328
through a Chinese third-party advertising SDK called Youmi

So, another issue with wide swathes of apps from China. Not to be nationalist over this, but it seems there is a clear disease running through China putting its product on par with former-Soviet countries in terms of general trustability. The fact that this private information is being sent through the Great Firewall of China and not being hindered by that at all seems significant (Chinese developers complain that it is too slow to download Xcode across that firewall, but sending all this data from millions of phones and devices around the world to their servers over the same firewall is business as usual?)

"Something is rotten in the state of Denmark" seems an understatement.

I trust any corporation about as far as I can throw them, but it seems those residing in China give even less of a pause before assuming that anything they can grab is fair game.

When will apps start displaying "Designed and developed in the USA" badges?
 

2457282

Suspended
Dec 6, 2012
3,327
3,015
Why does Apple allow these private APIs to begin with? Is it not something they can disable to avoid this problem in the future? I mean the reality is that you do not need the SDK to leverage the APIs. If you are an app developer you could write code to leverage them directly. How is Apple monitoring for this?
 

DotCom2

macrumors 603
Feb 22, 2009
6,259
5,541
The Chinese government is gonna take over the world one day!
They are smart, dedicated, determined and RUTHLESS!:eek::eek::eek:
 
  • Like
Reactions: rugmankc

mdlooker

macrumors 65816
Mar 7, 2011
1,227
203
US
Nice! It may be a bit of a nuisance at first as this may affect a good number of people but in the long run, I'm glad so I won't be at a higher risk of identity theft.
 

jakebrosy

macrumors regular
Aug 16, 2011
176
314
Immunology for gawd's sake! Without knowing what to delete NOW, a restore of an old device onto a new one infects a new host.

I'd like to know what apps are affected so I can delete them and don't mistakenly migrate them to a new device. Granted, old devices are compromised, but I could at least not spread the damn disease.
 

MrGuder

macrumors 68040
Nov 30, 2012
3,026
2,012
Isn't our iPhones made in China too? Hmmm

It's nice to see Apple being proactive and looking out for our best interest, Tim Cook is serious about our privacy.
 
  • Like
Reactions: H3boy

jettredmont

macrumors 68030
Jul 25, 2002
2,731
328
These apps should be banned, but doesn't sound too serious. Google likely collects more data ;)

Google does collect more (albeit different) data. The thing with Google is that it is more accountable for its actions - if it was getting around private API usage bans by obfuscating its calls to them there would be hell to pay and Google would lose major face. If it were selling that information or using it against its terms of service "agreement", it could be sued. With this Youmi ad network, Youmi has absolutely no stake in the game and so has been actively pushing to get around app store restrictions apparently for years and with some success.

The central point is given by the SourceDNA release: developers are 100% responsible for whatever any SDK they use in their app does. If you are going to include shady ad network code in your app, expect to be blacklisted as shady yourself.

The same goes for web ad networks, of course, because the same perverse incentives apply there (which is why Google owning DoubleClick is actually better than DoubleClick existing on its own).
 
  • Like
Reactions: JamesPDX

MH01

Suspended
Feb 11, 2008
12,107
9,297
Apple has joined he big boys club in having to deal with dodgy apps.

I suspect these stories will be more and more common.

Due to unpopularity , Windows phone is looking the safest these days . Good chance the app your looking for will not be infected as it does not exist :p
 

Rigby

macrumors 603
Aug 5, 2008
6,242
10,193
San Jose, CA
How did these get approved in the first place? It seems something like this should be pretty easy to detect by Apple.
It isn't. In Objective C it's possible to construct API calls at runtime, so there's no easy way to discover them using static code analysis. And you can implement various methods to try and avoid making the calls while the app is in the review process.
 
Last edited:
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.