The 256 apps researchers most recently uncovered expose a critical weakness in Apple's vetting process, an intensive review Apple takes extremely seriously before admitting apps to its store. They also invade the privacy of an estimated one million or more individuals who are believed to have downloaded affected apps. The data siphoning was so sneaky that even the individual developers of affected apps likely had no idea personal information was being extracted from their apps, because the information was sent solely to the creator of the software development kit used to deliver ads.
“This is the first time we’ve found apps live in the App Store that are violating user privacy by pulling data from private APIs,” said Nate Lawson, the founder of security analytics startup SourceDNA, referring to the application programming interfaces built into iOS. “This is actually an obfuscated toolkit for extracting as much private information as it can. It’s definitely the kind of stuff that Apple should have caught.”
“We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server,” Apple said in a statement published shortly after the researchers' findings went live. “This is a violation of our security and privacy guidelines. The apps using Youmi’s SDK will be removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.”
The latest discovery comes only five weeks after another security firm reported that dozens of iOS apps were collecting personal information, including the OS version, time zone, and the specific name of the app doing the collecting. Lawson said that none of those XcodeGhost-affected apps required access to private frameworks, and that normal ad libraries routinely gather the same kind of data. All the information taken by the XcodeGhost-affected apps was information Apple itself permits apps to collect, and gathering it involved no special programming tricks.
Apps published through the rogue XcodeGhost frameworks did have the ability to open URLs sent by a malicious server, and that capability could have been abused to carry out malicious actions against victims' iPhones. Once again, no private API was involved in opening URLs on the device, and URLs can already be opened through legitimate apps: when you open Yelp in Safari, for example, it redirects you to the Yelp app. Apple began removing the apps because the actions were being directed by a third-party command-and-control server rather than by Apple or the legitimate app.
The latest iOS app discovery comes just one week after Apple began removing apps that had the ability to spy on victims' encrypted connections. Those apps worked by installing a root certificate that could bypass the transport layer security (TLS) protections put in place by other apps, seriously undermining Apple's app vetting process.
The 256 apps in question access information on the device that is explicitly forbidden by Apple's App Store policy. The majority of the apps using Youmi's invasive advertising toolkit are Chinese-based.
Security researchers were able to classify the information gathered by the rogue apps into four major categories:
- A list of all the apps installed on the smartphone
- The platform serial number of older iOS devices
- A list of hardware components running the device
- The email address associated with the victim's Apple ID
The data gathering has gone on steadily for roughly the past year. It started out fairly harmless, compiling only a list of the apps installed on the device, but expanded far too fast. Over time the collection grew increasingly invasive until it reached its current form, which compiles hardware details, serial numbers and even email addresses.
A list of affected apps was not publicly announced but was instead privately disclosed to Apple representatives. It wouldn't be surprising if Apple removed the apps in question or required developers to publish updated versions of their apps that no longer use the affected advertising toolkit.
Apple's ongoing struggle to keep its App Store safe continues as abusive and invasive apps keep making their way onto the market.