Apple Removes Hundreds of Apps for Snooping after They Got Past App Store Review Process

Apple allowed hundreds of apps into the App Store even though they were scraping personal information in direct violation of Apple's developer guidelines. The company has since pulled the apps and banned the compromised third-party advertising SDK responsible for the snooping, but the episode shows Apple's walled garden can't keep the bad guys out with 100 percent accuracy.


The story broke after security research firm SourceDNA published a report detailing, "hundreds of apps in the App Store that extract personally identifiable user information via private APIs that Apple has forbidden them from calling."

The short version is that Chinese advertising firm Youmi had an SDK that developers—mostly in China—could use to embed advertising into their apps. Youmi spent the last couple of years learning how to obfuscate calls to Apple APIs that are theoretically tightly controlled. By obfuscating those calls, Youmi was able to collect device tracking information and user email addresses.

Doing so is against Apple's developer guidelines, which was why Youmi was using trickery to disguise its activities. Despite that, however, the apps were allowed onto the App Store where they were eventually identified by SourceDNA.

In addition, SourceDNA said there could be more such apps: "Given how simple this obfuscation is and how long the apps have been available that have it, we’re concerned other published apps may be using different but related approaches to hide their malicious behavior. We’re continuing to add new features to our engine to discover anomalous behavior in app code and find out if this is the case."

For its part, Apple removed the apps and released the following statement:

We've identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines. The apps using Youmi’s SDK have been removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.

As Jeff Gamet and I discussed on TMO's Daily Observations Monday morning, there is much that goes into managing a walled garden. No company could have a perfect record for keeping out malicious apps, but this is the second major breach in Apple's vetting process in the last two months, the first involving a forged version of Xcode that inserted code into apps that stole personal information. Apple was quick to pull those tainted apps, too, but only after they were identified by third-party researchers.

The troubling bit to me is this: SourceDNA labeled the obfuscation as "simple" (you can read about it in the full report), yet it took a third party to identify the problem. This is the sort of thing we count on Apple to protect us from.

One of the many benefits we get in trading total app freedom for a vetted walled garden is security and the knowledge that apps we download from the App Store are safe and secure. Apple is the company that set that bar, and it's up to Apple to meet it. As such, I hope this is the last time we have to talk about this kind of problem.