SafeUM
Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
TOP Security!
20 Oct 2015

Researchers find 256 iOS apps that collect users’ personal info

Researchers said they've found more than 250 iOS apps that violate Apple's App Store privacy policy forbidding the gathering of e-mail addresses, installed apps, serial numbers, and other personally identifying information that can be used to track users.

The apps, which at most recent count totaled 256, are significant because they expose a lapse in Apple's vetting process for admitting titles into its highly curated App Store. They also represent an invasion of privacy to the one million people estimated to have downloaded the apps.

The data gathering is so surreptitious that even the individual developers of the affected apps are unlikely to know about it, since the personal information is sent only to the creator of the software development kit used to deliver ads. "This is the first time we've found apps live in the App Store that are violating user privacy by pulling data from private APIs," Nate Lawson, the founder of security analytics startup SourceDNA, told Ars, referring to the application programming interfaces built into iOS. "This is actually an obfuscated toolkit for extracting as much private information as it can. It's definitely the kind of stuff that Apple should have caught."

Apple released the following statement confirming the SourceDNA findings: "We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines. The apps using Youmi's SDK will be removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly."

The discovery comes five weeks after a separate security firm reported dozens of iOS apps that also collected user data, including the OS version, time zone, and the specific name of the app that was collecting this data. Lawson said that none of those require accessing private frameworks and that normal ad libraries regularly do the same thing. Lawson said all the information collected by these so-called XcodeGhost apps was information Apple permits apps to gather and didn't involve using restricted programming interfaces built into iOS.

The XcodeGhost apps did have the ability to open URLs specified by a command and control server, and that could have been used to carry out malicious actions on an affected iPhone. But once again, Lawson said that no private API was involved and that the opening of URLs is already carried out by legitimate apps. "When you click on a URL in your browser and the Yelp app opens to that restaurant, that’s what it’s doing," he explained. Apple ultimately removed the apps because all of the actions were done under the control of an unknown third party.

The discovery also comes one week after Apple removed several apps that had the ability to spy on encrypted traffic. Apple's admission that its App Store hosted apps that installed root certificates capable of bypassing the transport layer security (TLS) protections of other apps almost certainly exposed a separate hole in the company's security vetting process.

The 256 apps detected by SourceDNA, by contrast, are accessing data that is explicitly forbidden by Apple's App Store rules, Lawson said. The advertising tool kit that acquires the data is provided by Youmi, a company that's not easy to contact, since its website is written almost entirely in Chinese. Most or all of the apps that use the kit are similarly Chinese-based, including the official McDonald's restaurant app for Chinese speakers.

SourceDNA researchers found four major classes of information gathered by apps that use the Youmi ad SDK. They include:

  1. A list of all apps installed on the phone
  2. The platform serial number of iPhones or iPads themselves when they run older versions of iOS
  3. A list of hardware components on devices running newer versions of iOS and the serial numbers of these components, and
  4. The e-mail address associated with the user’s Apple ID

The data gathering has taken place gradually over the past year or so. It started out relatively mildly by gathering only the app list. Over time, the data collection has grown increasingly invasive until it reached its current version, which gathers device and hardware serial numbers and e-mail addresses. The collection of serial numbers for cameras and other hardware components came after Apple locked down the unique identifiers of iPhones and iPads. But ultimately, Lawson said, the measure provides little privacy protection. By collecting the serial numbers of the components, Youmi is still able to obtain a unique fingerprint of each attached iDevice.

The developer kit is made available as a binary file that uses a digital cloak of sorts to obscure the data-gathering functions from the developers who incorporate the Youmi code into their apps. Youmi representatives "don't tell developers that they're doing all this stuff," Lawson explained. "McDonald's in China didn't do this on purpose. They installed this SDK to show ads, and the SDK vendor is using that privileged position in the app to collect data on all users who use their app."
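The four data classes listed above all leave the device over the network, and the article's point is that the developers embedding the SDK never see the collection happen inside the obfuscated binary. One practical way for a developer or an app-vetting team to notice it anyway is to route a test device through an HTTP proxy and inspect what each request carries and to which host. The following is an added example, not SourceDNA's, Apple's or Youmi's code: it scans a few constructed proxy log lines for requests that carry an e-mail address, a serial-number-like token, or a list of bundle identifiers to a host other than the app's own backend. The host names, paths, field names and the allowed-host list are all assumptions made for the example.

```python
"""Egress check for the kinds of data the article describes an ad SDK collecting.

Added example (not tooling from SourceDNA, Apple or Youmi). It scans constructed
HTTP proxy log lines captured from a test device and flags requests that send
an e-mail address, a serial-number-like token, or a list of installed-app bundle
identifiers to a host that is not the app's own backend.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Hosts the app under test is allowed to talk to (assumption for this example).
FIRST_PARTY_HOSTS = {"api.example-app.test", "cdn.example-app.test"}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Heuristic: Apple hardware serials are 11-12 upper-case alphanumerics.
SERIAL_RE = re.compile(r"^[A-Z0-9]{11,12}$")
# A bundle identifier looks like a reverse-DNS name with at least three labels.
BUNDLE_ID_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+){2,}$")

# Constructed log lines in the form "<method> <url> body=<form-encoded body>".
# None of these hosts or values are real.
SAMPLE_LOG = [
    "POST https://api.example-app.test/v1/order body=item=burger&qty=2",
    "GET https://ads.thirdparty-sdk.test/track?u=jane.doe@example.test&dev=F17PQ1234ABC body=",
    "POST https://ads.thirdparty-sdk.test/report body=apps=com.example.bank,com.example.chat,com.example.health",
    "GET https://cdn.example-app.test/banner.png body=",
]


def parse_line(line):
    """Split one constructed log line into method, host, path and all form fields."""
    method, rest = line.split(" ", 1)
    url, body = rest.split(" body=", 1)
    parts = urlsplit(url)
    fields = {}
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        fields.setdefault(key, []).extend(values)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        fields.setdefault(key, []).extend(values)
    return method, parts.hostname, parts.path, fields


def classify_value(value):
    """Return the set of sensitive data kinds a single field value looks like."""
    kinds = set()
    if EMAIL_RE.search(value):
        kinds.add("email")
    if SERIAL_RE.match(value):
        kinds.add("serial")
    items = value.split(",")
    if len(items) >= 2 and all(BUNDLE_ID_RE.match(item) for item in items):
        kinds.add("installed_apps")
    return kinds


def scan(lines):
    """Flag requests that carry sensitive data to a host outside FIRST_PARTY_HOSTS."""
    findings = []
    for line in lines:
        method, host, path, fields = parse_line(line)
        kinds = set()
        for values in fields.values():
            for value in values:
                kinds |= classify_value(value)
        if kinds and host not in FIRST_PARTY_HOSTS:
            findings.append(
                {"method": method, "host": host, "path": path, "kinds": sorted(kinds)}
            )
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding['method']} {finding['host']}{finding['path']}: {finding['kinds']}")
```

Against the constructed log the scan reports the two requests to the third-party ad host, one carrying an e-mail address and a serial, the other a list of installed apps, and stays quiet about the app's own backend. The heuristics are deliberately coarse; in practice the allowed-host list comes from the app's own configuration, and any flagged third-party host is a prompt to read what the embedded SDK actually does rather than a verdict on its own.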

Except for the McDonald's app, the SourceDNA blog post announcing the discovery doesn't list the offending apps by name, although Lawson said the company has privately provided a list to Apple representatives. It wouldn't be surprising to see Apple remove them from the App Store or at least require the developers to provide updated versions that don't use the Youmi SDK. Still, even if those apps are removed, the episode raises the question of whether other iOS apps are actively doing the same thing.

Tags:
surveillance Apple iOS
Source:
Ars Technica
SafeUM © Safe Universal Messenger