Apple nixes over 250 apps that have been snooping on users

Apple has begun removing applications from the App Store that collect personal user data. An analytics company named SourceDNA collected the information from such malicious apps and brought to Apple’s attention. Cupertino has strict privacy guidelines for its platform, and the apps that have messed with the rules are now being kicked out as a result. 
SourceDNA employed its new developer tool dubbed Searchlight to track the apps that have been secretly collecting user data. It found a total of 256 apps that have been up to something fishy; such apps have received approximately 1 million total downloads. Interestingly, most of the affected app developers are based in China, and have been using a certain version of the Youmi Software Development Kit (SDK) for their apps. Many of these developers had no clue regarding the threat as the SDK was delivered to them in an unclear binary format.
The information the apps collected included the number apps installed on the phone, the platform serial number of the device, the e-mail ID of users, and the hardware configuration of the phone itself. This information was reportedly collected by private APIs, which was then sent through Youmi servers based in China. The exact list of affected apps has not been publicized, but reports say it includes some big names, such as McDonald’s localized app in China.
Developers who want to check their apps for the threat can also check it through SourceDNA’s Searchlight analytics tool. This is the second recent revelation about data privacy in the App Store; last week, an iOS malware attack named XcodeGhost made the rounds. The malware was born out of Apple’s in-house tools the company uses to develop apps for both iOS and OS X.
Apple has released a statement saying the following:

“We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines. The apps using Youmi’s SDK have been removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.”

So far, this attack seems like one of a kind, as Apple has strict app approval guidelines, and this is the first time so many apps have been successful in bypassing the review process — and it will probably serve as a wakeup call for Apple to tighten the latter up as a result.

By Zara Ali 

http://www.extremetech.com