Apple has quickly removed more than 250 apps that accessed a user’s personal data without permission.
Mobile security firm SourceDNA first found that the apps were using an SDK from Chinese advertising company Youmi. The apps received more than 1 million downloads in total.
More than likely, according to a blog post, the app developers were unaware that the SDK accessed the user’s email address, device identifiers, and other data. The SDK was able to successfully hide the fact that it accessed the information and routed it to Youmi’s servers.
Here’s Apple’s complete statement about the issue:
We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server.
This is a violation of our security and privacy guidelines. The apps using Youmi’s SDK have been removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.
There was no official list of affected apps, and only one was specifically mentioned by SourceDNA – the official McDonald’s app for Chinese speakers. The large majority, if not all, of the apps were only available to download in China.
It’s definitely disappointing that Apple’s rigorous, and often criticized, app review process didn’t catch the offending SDK. Hopefully Apple can learn from the mistake.