Last October, it was observed that the innocuous flashlight app “Super-Bright LED Flashlight” revealed more than just your immediate surroundings: it exposed your phone’s personal data too. Now, one year later, researchers from the security analytics startup SourceDNA have published a list of more than 250 such apps, calling into question the rigor of Apple’s screening process.
The 256 apps on file violate Apple’s App Store privacy policy, which forbids the collection of email addresses, serial numbers, account names, passwords, and geo-tags. What’s more, the collection happens without the developers’ awareness (or consent), because it is performed by the software development kit used to serve the ads, not by the apps themselves.
“This is the first time we've found apps live in the App Store that are violating user privacy by pulling data from private APIs,” Nate Lawson, the founder of SourceDNA, explains to Ars Technica: “This is actually an obfuscated toolkit for extracting as much private information as it can. It's definitely the kind of stuff that Apple should have caught.”
The culprit identified was Youmi, a mobile advertising provider whose SDK used private APIs to gather private information and forward it to the company’s own servers. Apple responded by removing from the App Store all apps built with Youmi’s SDK until their developers could submit updated versions using a different SDK.
Many of the affected apps are Chinese-language apps, including McDonald’s official Chinese-language restaurant app. Beyond that one, SourceDNA did not publish the full list, opting instead to inform Apple privately. Lawson took care to point out that Youmi deliberately kept these functions hidden from developers, who installed the SDK simply to show ads.
The data gathered by the affected apps falls into four major classes:
1. A listing of all the apps installed on the device
2. The serial number of the iPhone or iPad
3. Email addresses associated with the user’s Apple ID
4. A list of hardware components and the serial numbers of these components
Note that five weeks earlier, a separate security firm, Palo Alto Networks, observed a similar effect, this time involving private data siphoned by XcodeGhost, an infected, repackaged version of Apple’s iOS and OS X development tool Xcode. But unlike Youmi’s SDK, XcodeGhost did not use private APIs to carry out its malicious activity; it relied instead on opening URLs specified by a control server.
While this incident raises questions about the efficacy of Apple’s app vetting process, let us not forget that the terms of service of many popular apps, such as Facebook’s own Messenger, essentially sanction the same sort of behavior. The difference is whether the public is informed of it, willingly or otherwise, through those terms of service.
Source: Ars Technica