3rd-party ad APIs from China illegally collected data from hundreds of App Store titles

The APIs found in affected apps were gathering data like email addresses and device identifiers, and funneling them to a Youmi-run server, Apple confirmed to code analytics firm SourceDNA. Any future apps employing the SDK will be rejected outright.

"We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly," Apple added.

SourceDNA's binary analysis discovered 256 apps based on the SDK, which have cumulatively been downloaded about a million times. The firm noted that on top of serial numbers and email addresses, the APIs were gathering lists of installed apps.

Youmi's data collection efforts appear to extend back almost two years, and may have become more brazen over time, with new tricks to hide activities and circumvent Apple security methods.

The App Store's reputation for being a safe haven has come under serious fire in the past month, with incidents like vulnerabilities in content blockers and the YiSpecter and XcodeGhost malware infections undermining confidence.