Apple banned over 250 apps from the App Store that were using software to access users’ personal information. These apps managed to get through the App Store approval process while using private APIs, which are against the rules. Apple took action shortly after news broke this morning that a security firm discovered these apps.
“We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server,” Apple told The Verge.
The spokesperson said all of the apps have been removed. The company is working with developers to ensure they can resubmit apps without these private APIs so that they comply with Apple’s rules.
In addition to the email addresses and device identifiers (read: serial numbers) Apple mentioned, Youmi’s SDK also let developers know the other apps users downloaded to their phones — again, without the users’ permission. Thankfully, the SDK didn’t collect any particularly sensitive information, though email addresses are still compromising.
These apps, which were initially discovered by SourceDNA, tallied up to one million downloads while they were in the App Store. This marks the first time the firm has ever discovered apps already in the App Store that used private APIs.
It’s unknown which apps specifically Apple removed from the App Store. Even more curious is how Apple let hundreds of apps slip through its walled garden, which is in place for security and quality control purposes. Just last month Apple somehow let XcodeGhost through into the App Store, which fueled the first major security debacle on the platform.
If Apple has started to loosen its grip on App Store security, perhaps it needs to tighten things up to prevent these rule-breakers from sneaking in again.