Apple said it will remove 256 misbehaving apps from its App Store that were using private APIs to pull personal and device information that would allow a user to be tracked.
SourceDNA, an analytics company that specializes in studying the iOS and Android mobile app stores, privately disclosed to Apple a list of the offending apps. It discovered the behavior during a scan for private API usage, the company said in a blog post published Sunday.
The problem is twofold: first, the apps put users’ privacy at risk because device information is recorded and sent to the developers of a Chinese advertising software development kit called Youmi; second, Apple’s rigorous App Store security checks have been bypassed.
“The danger is in the general technique,” said Nate Lawson, founder of SourceDNA. Lawson said the SDK’s behavior is obfuscated, even to the developers of the apps that embed it, and that it somehow managed to slip past Apple’s code review. “This is the first time we’ve found code on the App Store that uses private APIs that got past Apple’s code review. There could be other apps out there, we just don’t know yet, that could be using this type of obfuscation to obscure other malicious behavior. It’s troubling this got past Apple’s review process.”
SourceDNA determined that apps built with the Youmi SDK were able to list the apps installed on an iOS device, retrieve the platform serial number as well as the serial numbers of any attached peripherals, and obtain the email address associated with the user’s Apple ID.
“It’s pulling much more intrusive information than other advertising SDKs,” Lawson said. “Not only personally identifiable stuff like the email associated with an Apple ID, but device hardware identifiers. Those follow the device even if you reinstall the OS or wipe apps.
“We don’t know why Apple didn’t catch it,” Lawson said. “We can surmise it’s because of the obfuscation. We can assume Apple catches hundreds of apps all the time; they just don’t make it to the App Store. These did.”
SourceDNA published a statement provided by Apple:
“We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines. The apps using Youmi’s SDK will be removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.”
The 256 apps, SourceDNA said, have been downloaded more than one million times. The firm said that 142 older versions of the SDK do not call private APIs, but that more recently the developers have been obfuscating a certain call so that it was not flagged by Apple’s code review.
“Once they were able to get this through App Review, they probably became more confident they weren’t being detected and added the above behaviors in order. They also use the same obfuscation to hide calls to retrieve the advertising ID, which is allowable for tracking ad clicks, but they may be using it for other purposes since they went to the trouble to obfuscate this,” SourceDNA said. “The latest version of the Youmi SDK (v5.3.0), published a month ago, still gathers all the above information.”
Since the behavior is obfuscated, app developers that use the Youmi SDK to display ads are likely unaware of the malicious behavior, SourceDNA said.
“Most of the developers are located in China. We believe the developers of these apps aren’t aware of this since the SDK is delivered in binary form, obfuscated, and user info is uploaded to Youmi’s server, not the app’s,” SourceDNA said. “We recommend developers stop using this SDK until this code is removed.”
This is the second disclosure in two weeks regarding the abuse of private APIs in the Apple iOS ecosystem. YiSpecter, which was disclosed Oct. 5 by researchers at Palo Alto Networks, combined certificates issued under Apple’s iOS Developer Enterprise Program with the illicit use of private APIs to move adware onto non-jailbroken devices, primarily in China and Taiwan.
YiSpecter’s behavior was a bit more malicious. YiSpecter opens a backdoor to a set of command and control servers and sends back device data. It can also install and launch new Trojanized apps—some of which survive deletion—hijack other apps in order to display ads, change the default search setting in Safari, change bookmarks and open webpages in the mobile browser. Its job is largely to spread pornographic adware.