Apple App Store Tightens Security

Friday, October 23, 2015 @ 09:10 AM gHale

Apple’s App Store has always been the model of tough, tight security. But there has been another move to get through the Store’s defenses, this time involving Youmi, a China-based mobile advertising provider whose software uses private APIs to gather user and device information.

Apple prohibits app developers from making their apps call private APIs, and this is spotted when the app goes in for App Store approval.

It appears, however, that over 250 apps with an estimated 1 million downloads have been built on Youmi’s software development kit (SDK), said researchers at security analytics company SourceDNA, who informed Apple of the situation.

“The older versions [of the SDK] do not call private APIs, so the 142 apps that have them are ok. But almost two years ago, we believe the Youmi developers began experimenting with obfuscating a call to get the frontmost app name,” SourceDNA researchers said in a post.

Once they were able to get this through App Review, they started adding further behaviors, making the apps capable of enumerating the list of installed apps or getting the frontmost app name, getting the platform serial number, enumerating devices and getting the serial numbers of peripherals, and getting the user’s Apple ID (email).

“They also use the same obfuscation to hide calls to retrieve the advertising ID, which is allowable for tracking ad clicks, but they may be using it for other purposes since they went to the trouble to obfuscate this,” they said.

SourceDNA researchers weren’t the only ones who spotted this anomaly. A group of researchers from Purdue University, Indiana, discovered the same pattern and attributed it to the Youmi SDK. They also proposed a new iOS application vetting system that should detect this type of attack.

Apple removed an unspecified number of apps from the App Store following this discovery.

“We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines,” the company said.

“The apps using Youmi’s SDK will be removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.”

Youmi issued an apology for creating the data-slurping SDK and said they are working with Apple to resolve the issue.