Over 250 apps removed from App Store over private API use

Several apps on the iOS App Store have been found to be using private APIs to collect device and user data by way of a third-party advertising SDK. Apps that use the Youmi SDK have been found to be collecting data on a device's installed apps, the platform serial number, peripheral serial numbers, and the user's Apple ID. It looks like 256 apps were doing this, though according to SourceDNA, which spotted the issue, their developers likely didn't know what was happening.

We found 256 apps (est. total of 1 million downloads) that have one of the versions of Youmi that violates user privacy. Most of the developers are located in China. We believe the developers of these apps aren't aware of this since the SDK is delivered in binary form, obfuscated, and user info is uploaded to Youmi's server, not the app's. We recommend developers stop using this SDK until this code is removed.

Apple later confirmed the issue, offering the following statement:

We've identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines. The apps using Youmi's SDK have been removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.

You can read the full report at the link below.

Source: SourceDNA

Joseph Keller is the former Editor in Chief of iMore. An Apple user for almost 20 years, he spends his time learning the ins and outs of iOS and macOS, always finding ways of getting the most out of his iPhone, iPad, Apple Watch, and Mac.

14 Comments
  • Is there a list somewhere?
  • I would love to see the list also. Sent from the iMore App
  • Hear, hear! Apple's response to this problem is lame and so is this article. Give us a list of the offending apps so we can remove them. Anything less is useless fear mongering!
  • Love to have APPLE provide a button to DE-INSTALL every offending app which we may have downloaded - that goes for Virus or Trojan infections as well, but then again that might make too much logical sense.
  • Good stuff. This is why the iPhone will always be my default choice. ________________ Sent from the iMore App
  • Never should have been there to begin with. Cleaning up after the fact doesn't make your private info safe.
  • A list would be great! Sent from the iMore App
  • The developers are apparently clueless. They're victims too. They can fix their apps and get them back up and running in the App Store. Providing a list will only hurt the developers. No need for that.
  • Providing a list will help us know if we've installed the apps on our phones.
  • Yeah, but if you already have one of the apps, they may already have your info. However, a list would allow us to delete the app with the chance it never sent the info. Sent from the iMore App
  • So what happens to the people who already have one (or more) of the 250 + affected apps on their iPhones?
  • Nothing. They'll already have your information and you'll be continuously giving them info if you use their application repeatedly. Posted via the iMore App for Android from my iPhone 6s with a cracked screen by 3D Touching too much
  • WHAT IS THE LIST?? Sent from the iMore App
  • Hello everyone, my first post here.
    Why did Apple remove the "open apple"? Worse yet, it was replaced with an omg (a sin unto God by some people). Ugh is more like it. Me I'm more of a "wtf" as an expression of "feelings" guy. I can hear the arguments now. It's certainly more direct vs you can't say that on TV. I would admit that drawing wtf characters would be a challenge but then again there's the challenge.
    It, the OA, gave the USER CONTROL of the keyboard. Right now I'd just be happy to get off the "critical error" and get my account back after the hack, you know, wtf!