3rd-party ad APIs from China illegally collected data from hundreds of App Store titles
Apple has removed numerous apps from the App Store following the discovery that a third-party advertising SDK — developed by Chinese firm Youmi — was using private APIs to record user information in violation of official App Store guidelines.
The APIs found in affected apps were gathering data like email addresses and device identifiers, and funneling them to a Youmi-run server, Apple confirmed to code analytics firm SourceDNA. Any future apps employing the SDK will be rejected outright.
"We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly," Apple added.
SourceDNA's binary analysis discovered 256 apps based on the SDK, which have cumulatively been downloaded about a million times. The firm noted that on top of serial numbers and email addresses, the APIs were gathering lists of installed apps.
Youmi's data collection efforts appear to extend back almost two years, and may have become more brazen over time, with new tricks to hide activities and circumvent Apple security methods.