3rd-party ad APIs from China illegally collected data from hundreds of App Store titles
Apple has removed numerous apps from the App Store following the discovery that a third-party advertising SDK -- developed by Chinese firm Youmi -- was using private APIs to record user information in violation of official App Store guidelines.

The APIs found in affected apps were gathering data like email addresses and device identifiers, and funneling them to a Youmi-run server, Apple confirmed to code analytics firm SourceDNA. Any future apps employing the SDK will be rejected outright.
"We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly," Apple added.
SourceDNA's binary analysis discovered 256 apps based on the SDK, which have cumulatively been downloaded about a million times. The firm noted that on top of serial numbers and email addresses, the APIs were gathering lists of installed apps.
Youmi's data collection efforts appear to extend back almost two years, and may have become more brazen over time, with new tricks to hide activities and circumvent Apple security methods.
The App Store's reputation for being a safe haven has come under serious fire in the past month, with incidents like vulnerabilities in content blockers and the YiSpecter and XcodeGhost malware infections undermining confidence.

Comments
a freaking amazing.
And Apple already removed the apps.
I imagine there are Galaxy Quest posters at Apple HQ next to the "Hang in There Baby" kitty posters.
Better yet, only allow apps that are made in the U.S. be accessed by U.S. customers.
There were no vulnerabilities in content blockers. Anything that requires you to install a root cert on your device that is not an enterprise-installed app should automatically draw red flags. In the case of the content blockers, they were proxying traffic from the device to their servers to do deep packet inspection, then rip out ads. Apple pulled it because of security concerns.
The actual vulnerabilities have all been from China. At least from what I've read.
The App Store's reputation for being a safe haven has come under serious fire in the past month, with incidents like vulnerabilities in content blockers and the YiSpecter and XcodeGhost malware infections undermining confidence.
APPLE’S APP STORE IS UNSAFE! yell the headlines. No context or comparison to other app stores.
Why would comparing it to some other app store matter? Besides that, IMHO many of the articles about other app stores are "such-and-such is unsafe" too.
It doesn't matter about other stores. What matters is that Apple's security procedures are both taking a public image hit and in some cases are showing themselves to be inadequate.
I call bullcrap on the last paragraph (I'd quote it but it takes roughly 3 years to quote and cut out most of the article on the iPhone).
There were no vulnerabilities in content blockers. Anything that requires you to install a root cert on your device that is not an enterprise-installed app should automatically draw red flags. In the case of the content blockers, they were proxying traffic from the device to their servers to do deep packet inspection, then rip out ads. Apple pulled it because of security concerns.
The actual vulnerabilities have all been from China. At least from what I've read.
And yet Apple approved the apps in question.
The question here is, does the app store in those countries put their apps through the same rigorous validation as those in the U.S.
Rigorous validation? It's more moral (porn) and commercial validation. Apple only sees compiled code. As people have shown multiple times, it's trivial to get something by them.
A good reason for Apple to run its own iAd system is to prevent the lure of untrustworthy 3rd-party tools. There is much value in Apple's customer information.
A good reason for Apple to run its own iAd system is to prevent the lure of untrustworthy 3rd-party tools. There is much value in Apple's customer information.
As history has shown, it's rarely good to centralize everything into one entity.
So, like .002% (256) apps out of 1.7 billion apps... makes headlines...
a freaking amazing.
And Apple already removed the apps.
It's 1.7 million apps, not billion.
"Illegal"? No. Against Apple's rules? Yes.
This was my first thought. There are broad US statutes involving unauthorized access to computers; others address privacy statements and uses of personal data. Not sure that is what this article is about.
APPLE’S APP STORE IS UNSAFE! yell the headlines. No context or comparison to other app stores.
Why would comparing it to some other app store matter? Besides that, IMHO many of the articles about other app stores are "such-and-such is unsafe" too.
APPLE’S APP STORE IS UNSAFE! yell the headlines. No context or comparison to other app stores.
It doesn't matter about other stores. What matters is that Apple's security procedures are both taking a public image hit and in some cases are showing themselves to be inadequate.
^^^This. You guys both get it.
The news should be reporting on the news at hand. Injecting the competition smacks of weak sauce.
There is plenty of opinion and context and comparison available. I am sure that forthcoming opinion pieces will not disappoint.
Sometimes it's nice to just get the facts.
As far as the last paragraph regarding the Apple App Store goes: "undermining confidence". I am not sure about that. I might re-phrase that as "increasing awareness" regarding security on Apple's App Store. But that would be my own spin on it.
uhh Google? or does that wisdom only apply when talking about Apple?
uhh Google? or does that wisdom only apply when talking about Apple?
False narrative; I didn't mention Google. This isn't limited to the tech field either.