3rd-party ad APIs from China illegally collected data from hundreds of App Store titles

Posted in iPhone, edited October 2015
Apple has removed numerous apps from the App Store following the discovery that a third-party advertising SDK -- developed by Chinese firm Youmi -- was using private APIs to record user information in violation of official App Store guidelines.




The APIs found in affected apps were gathering data like email addresses and device identifiers, and funneling them to a Youmi-run server, Apple confirmed to code analytics firm SourceDNA. Any future apps employing the SDK will be rejected outright.

"We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly," Apple added.

SourceDNA's binary analysis discovered 256 apps based on the SDK, which have cumulatively been downloaded about a million times. The firm noted that on top of serial numbers and email addresses, the APIs were gathering lists of installed apps.

Youmi's data collection efforts appear to extend back almost two years, and may have become more brazen over time, with new tricks to hide activities and circumvent Apple security methods.

The App Store's reputation for being a safe haven has come under serious fire in the past month, with incidents like vulnerabilities in content blockers and the YiSpecter and XcodeGhost malware infections undermining confidence.

Comments

  • Reply 1 of 45
    It's time for devs to stop trusting Chinese code. Apple also needs to start revamping the review process, and changing it randomly and frequently. This is only going to get worse as the money continues to migrate to iOS. There's just not much value in Bamadou Funkautu's information from Nambia.
  • Reply 2 of 45
    What apps are we talking about? Would be nice to know.
  • Reply 3 of 45
    So, like .002% (256), apps out of 1.7 billion apps .. makes headlines..

    a

    freaking

    amazing.

    And Apple already removed the apps.
  • Reply 4 of 45
    Hopefully Apple is channeling the great Jason Nesmith: Never surrender! Never Give up!

    I imagine there are Galaxy Quest posters at Apple HQ next to the "Hang in There Baby" kitty posters.
  • Reply 5 of 45
    The question here is, does the app store in those countries put their apps through the same rigorous validation as those in the U.S. If that answer is NO, then, in my opinion, Apple needs to ban those countries that have shown an all-in-out disrespect for the reviewal process and those users who are using those apps.

    Better yet, only allow apps that are made in the U.S. be accessed by U.S. customers.
  • Reply 6 of 45
    I call bullcrap on the last paragraph (I'd quote it but it takes roughly 3 years to quote and cut out most of the article on the iPhone).
    There were no vulnerabilities in content blockers. Anything that requires you to install a root cert on your device that is not an enterprise-installed app should automatically draw red flags. In the case of the content blockers, they were proxying traffic from the device to their servers to do deep packet inspection then rip out ads. Apple pulled it because of security concern.

    The actual vulnerabilities have all been from China. At least from what I've read.
  • Reply 7 of 45
    lkrupp Posts: 10,557 member
    Quote:
    Originally Posted by AppleInsider View Post



    The App Store's reputation for being a safe haven has come under serious fire in the past month, with incidents like vulnerabilities in content blockers and the YiSpecter and XcodeGhost malware infections undermining confidence.

     

    APPLE’S APP STORE IS UNSAFE! yell the headlines. No context or comparison to other app stores.

  • Reply 8 of 45
    gatorguy Posts: 24,178 member
    lkrupp wrote: »
    APPLE’S APP STORE IS UNSAFE! yell the headlines. No context or comparison to other app stores.

    Why would comparing it to some other appstore matter? Besides that IMHO many of the articles about other appstores are "such-and-such is unsafe" too.
  • Reply 9 of 45
    lkrupp wrote: »
    APPLE’S APP STORE IS UNSAFE! yell the headlines. No context or comparison to other app stores.

    It doesn't matter about other stores. What matters is that Apple's security procedures are both taking a public image hit and in some cases are showing themselves to be inadequate.
  • Reply 10 of 45
    "Illegal"? No. Against Apple's rules? Yes.
  • Reply 11 of 45
    Quote:

    Originally Posted by Rmb0037 View Post



    I call bullcrap on the last paragraph (I'd quote it but it takes roughly 3 years to quote and cut out most of the article on the iPhone).

    There were no vulnerabilities in content blockers. Anything that requires you to install a root cert on your device that is not an enterprise-installed app should automatically draw red flags. In the case of the content blockers, they were proxying traffic from the device to their servers to do deep packet inspection then rip out ads. Apple pulled it because of security concern.



    The actual vulnerabilities have all been from China. At least from what I've read.



    And yet Apple approved the apps in question.

  • Reply 12 of 45
    Quote:
    Originally Posted by dan uff View Post



    The question here is, does the app store in those countries put their apps through the same rigorous validation as those in the U.S.

     

    Rigorous validation? It's more moral (porn) and commercial validation. Apple only sees compiled code. As people have shown multiple times, it's trivial to get something by them.

  • Reply 13 of 45

    A good reason for Apple to run its own iAd system is to prevent the lure of untrustworthy 3rd party tools. There is much value in Apple's customer information.

  • Reply 14 of 45
    Quote:

    Originally Posted by JBlongz View Post

     

    A good reason for Apple to run its own iAd system is to prevent the lure of untrustworthy 3rd party tools. There is much value in Apple's customer information.




    As history has shown, it's rarely good to centralize everything into one entity.

  • Reply 15 of 45
    Quote:

    Originally Posted by Adrayven View Post



    So, like .002% (256), apps out of 1.7 billion apps .. makes headlines..



    a



    freaking



    amazing.



    And Apple already removed the apps.



    It's 1.7 million apps, not billion.

  • Reply 16 of 45
    eightzero Posts: 3,056 member
    Quote:

    Originally Posted by SpamSandwich View Post



    "Illegal"? No. Against Apple's rules? Yes.

    This was my first thought. There are broad US statutes involving unauthorized access to computers; other address privacy statements and uses of personal data. Not sure that is what this article is about.

  • Reply 17 of 45
    Quote:
    Originally Posted by Gatorguy View Post

     
    Quote:
    Originally Posted by lkrupp View Post



    APPLE’S APP STORE IS UNSAFE! yell the headlines. No context or comparison to other app stores.




    Why would comparing it to some other appstore matter? Besides that IMHO many of the articles about other appstores are "such-and-such is unsafe" too.

     

     

    Quote:
    Originally Posted by TheWhiteFalcon View Post

     
    Quote:
    Originally Posted by lkrupp View Post



    APPLE’S APP STORE IS UNSAFE! yell the headlines. No context or comparison to other app stores.




    It doesn't matter about other stores. What matters is that Apple's security procedures are both taking a public image hit and in some cases are showing themselves to be inadequate.

     

    ^^^This. You guys both get it.

     

    The news should be reporting on the news at hand. Injecting the competition smacks of weak sauce.

     

    There is plenty of opinion and context and comparison available. I am sure that forthcoming opinion pieces will not disappoint. 

     

    Sometimes it's nice to just get the facts. 

     

    As far as the last paragraph regarding the Apple App Store goes: "undermining confidence". I am not sure about that. I might rephrase that as "increasing awareness" regarding security on Apple's App Store. But that would be my own spin on it.

  • Reply 18 of 45

    As history has shown, it's rarely good to centralize everything into one entity.

    uhh Google? or does that wisdom only apply when talking about Apple?
  • Reply 19 of 45
    gatorguy Posts: 24,178 member
    nolamacguy wrote: »
    uhh Google?
    Good thing there's Microsoft, Apple, DDG, Yahoo, and a whole lotta others then playing in the exact same space right alongside them, huh? Maybe not so much Apple I suppose as they keep stuff to themselves in general, but there are many, many techs with search engines, various services and advertising running on multiple platforms.
  • Reply 20 of 45
    Quote:

    Originally Posted by NolaMacGuy View Post





    uhh Google? or does that wisdom only apply when talking about Apple?



    False narrative; I didn't mention Google. This isn't limited to the tech field either.
