Browser history data collection and use disclosed in EULA

Sep 11, 2018 11:51 GMT

Following the security blunder involving most of its Mac App Store apps over the past few days, Trend Micro published an apologetic public letter with the findings of an internal investigation.

According to reports from Malwarebytes Labs, corroborated by a long list of other security researchers and published two days ago, Trend Micro's Dr. Antivirus, Dr. Cleaner, and Dr. Unarchiver macOS apps were shown to collect sensitive user data and send it to remote Internet servers.

After the news reached Apple, all three apps were removed from the Mac App Store, along with Dr. Cleaner Pro, Dr. Battery, and Duplicate Finder, other apps made by the same company.

The problem was that, apart from Dr. Antivirus and Dr. Cleaner (an anti-malware tool and a disk cleaning application respectively), none of the other apps (e.g., an archive expander and a battery monitoring tool) had any plausible need to collect data from the hard disk of the Mac they were installed on.

Moreover, an even bigger problem was that users were never asked whether they agreed to have private data such as their browsing history and lists of installed apps collected.

Trend Micro blames shared libraries and codebase for accidental browsing history collection

In its public apology letter following the incident, Trend Micro says users could have read the apps' EULA on its support site, where the exact type of data the apps collected and sent to remote Trend Micro servers was spelled out.

The EULA web page for the Dr. Cleaner app clearly states that the Trend Micro apps collected the user's browser history, along with a host of system information such as physical memory, system uptime, and UUID.

There is no mention of the apps collecting and exfiltrating a complete list of all installed and downloaded apps, or a list of all running processes, as Malwarebytes Labs found in its research.

According to Trend Micro, the culprit behind this mishap is not its developers but the use of shared libraries across all of its apps, through which the browser history collection feature ended up in every one of them.

Trend Micro ended its letter stating that it has removed the browsing history collection feature from all the apps pulled from Apple's Mac App Store, deleted all the logs gathered on its US-based AWS servers, and made sure that its security-focused and non-security apps will use separate codebases from now on.

Shortly before this incident, on August 31, Apple announced that the App Store Guidelines had been updated to require all app developers to include a privacy policy with every product release and update submitted for review, starting October 3.