A security firm claims to have discovered 256 apps that illicitly gather user email addresses, lists of installed apps, serial numbers and other identifying information.
Apple may be obsessed with user privacy, but these apps — which violate App Store policy and have been downloaded by an estimated 1 million people — somehow got by Cupertino’s gatekeepers.
“This is the first time we’ve found apps live in the App Store that are violating user privacy by pulling data from private APIs,” said Nate Lawson, founder of security analytics startup SourceDNA. “This is actually an obfuscated toolkit for extracting as much private information as it can. It’s definitely the kind of stuff that Apple should have caught.”
The majority, if not all, of the apps come from China, and the list includes the official McDonald’s app for Chinese speakers. SourceDNA has not released the rest of the list, although the security firm says it provided the names to Apple.
The news follows last month’s XcodeGhost incident, in which hundreds of iOS apps were found to include malware from a counterfeit version of Xcode, the platform used by developers to build apps.
Afterward, Apple tried to avoid a repeat of the situation by making it quicker for Chinese developers to download the official version of Xcode from Apple’s servers.