Developers not at fault, shady advertising SDK is to blame

Oct 20, 2015 08:20 GMT  ·  By

Private research carried out by SourceDNA has alerted Apple of 256 iOS apps listed on its App Store that collected personal user information via masked calls to a private API, and then sent the data to be stored on servers in China.

From the start, Apple has refused to list on its App Store any iOS app that uses private APIs to collect and store personally identifiable information about its customers.

The rule is spelled out in the company's security and privacy guidelines, but it has not stopped developers from building such apps, which were mostly distributed through unofficial sources and, as a result, with much less success.

Youmi SDK used to secretly collect data on Apple users

According to SourceDNA's research, the developers of the Youmi advertising SDK had been illegally collecting user information, a practice that went undetected by Apple's app review process.

While older versions of the SDK complied with Apple's guidelines, this changed a while back, when Youmi released a new SDK version that made masked private-API calls and collected information such as the user's Apple ID (email address), the device's serial number (where possible), the serial numbers of device peripherals, and the list of apps installed on each device.

As SourceDNA states, this change occurred around the release of iOS 8, when Apple started preventing private APIs from accessing a device's serial number. One theory is that the Youmi SDK's developers collected peripheral serial numbers as a substitute for the device's main identifier, essentially as an alternative to Apple's default advertising ID.

Apple user data was being sent to a server in China

Developers who built apps with the Youmi SDK were unaware of the problem: the SDK was delivered in binary form, and most of them did not know that it was making hidden calls, collecting data on their users, and sending it to Youmi's servers in China.

Soon after the research was published, Apple took down all infringing apps, which together accounted for around 1 million downloads, and issued the following statement:

"We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines. The apps using Youmi’s SDK will be removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly."