Several apps on the iOS App Store have been found to be using private APIs to collect device and user data by way of a third-party advertising SDK. Apps that use the Youmi SDK have been found to collect data on a device's installed apps, the platform serial number, peripheral serial numbers, and the user's Apple ID. SourceDNA, which spotted the issue, found 256 apps doing this, though it says the apps' developers likely didn't know what was happening:
We found 256 apps (est. total of 1 million downloads) that have one of the versions of Youmi that violates user privacy. Most of the developers are located in China. We believe the developers of these apps aren't aware of this since the SDK is delivered in binary form, obfuscated, and user info is uploaded to Youmi's server, not the app's. We recommend developers stop using this SDK until this code is removed.
Apple later confirmed the issue, offering the following statement:
We've identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines. The apps using Youmi's SDK have been removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.
You can read the full report at the link below.