The apps, which at most recent count totaled 256, are significant because they expose a lapse in Apple's vetting process for admitting titles into its highly curated App Store. They also represent an invasion of privacy for the one million people estimated to have downloaded the apps. The data gathering is so surreptitious that even the individual developers of the affected apps are unlikely to know about it, since the personal information is sent only to the creator of the software development kit used to deliver ads.
"This is the first time we've found apps live in the App Store that are violating user privacy by pulling data from private APIs," Nate Lawson, the founder of security analytics startup SourceDNA, told Ars, referring to the application programming interfaces built into iOS. "This is actually an obfuscated toolkit for extracting as much private information as it can. It's definitely the kind of stuff that Apple should have caught."
Update on Oct 19, 2015 6:19am PDT (14:19 BST): Shortly after this post went live on Ars, Apple released the following statement confirming the SourceDNA findings:
"We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines. The apps using Youmi's SDK will be removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly."
The discovery comes five weeks after a separate security firm reported dozens of iOS apps that also collected user data, including the OS version, time zone, and the specific name of the app that was collecting this data. Lawson said that none of those data points requires accessing private frameworks and that normal ad libraries regularly do the same thing. Lawson said all the information collected by these so-called XcodeGhost apps was of a kind allowed by Apple and didn't involve using restricted programming interfaces built into iOS.
The XcodeGhost apps did have the ability to open URLs specified by a command and control server, and that could have been used to carry out malicious actions on an affected iPhone. But once again, Lawson said that no private API was involved and that the opening of URLs is already carried out by legitimate apps. "When you click on a URL in your browser and the Yelp app opens to that restaurant, that’s what it’s doing," he explained. Apple ultimately removed the apps because all of the actions were done under the control of an unknown third party.
The discovery also comes one week after Apple removed several apps that had the ability to spy on encrypted traffic. Apple's admission that its App Store hosted apps that installed root certificates capable of bypassing the transport layer security protections of other apps almost certainly exposed a separate hole in the company's security vetting process.
The 256 apps detected by SourceDNA, by contrast, are accessing data that is explicitly forbidden by Apple's App Store rules, Lawson said. The advertising tool kit that acquires the data is provided by Youmi, a company that's not easy to contact, since its website is written almost entirely in Chinese. Most or all of the apps that use the kit are similarly Chinese-based, including the official McDonald's restaurant app for Chinese speakers.
SourceDNA researchers found four major classes of information gathered by apps that use the Youmi ad SDK. They include:
A list of all apps installed on the phone
The platform serial number of iPhones or iPads themselves when they run older versions of iOS
A list of hardware components on devices running newer versions of iOS and the serial numbers of these components, and
The e-mail address associated with the user’s Apple ID
The data gathering has taken place gradually over the past year or so. It started out relatively mildly by gathering only the app list. Over time, the data collection has grown increasingly invasive until it reached its current version, which gathers device and hardware serial numbers and e-mail addresses. The collection of serial numbers for cameras and other hardware components came after Apple locked down the unique identifiers of iPhones and iPads. But ultimately, Lawson said, the measure provides little privacy protection. By collecting the serial numbers of the components, Youmi is still able to obtain a unique fingerprint of each attached iDevice.
The developer kit is made available as a binary file that uses a digital cloak of sorts to obscure the data-gathering functions from the developers who incorporate the Youmi code into their apps. Youmi representatives "don't tell developers that they're doing all this stuff," Lawson explained. "McDonald's in China didn't do this on purpose. They installed this SDK to show ads, and the SDK vendor is using that privileged position in the app to collect data on all users who use their app."
Except for the McDonald's app, the SourceDNA blog post announcing the discovery doesn't list the offending apps by name, although Lawson said the company has privately provided a list to Apple representatives. It wouldn't be surprising to see Apple remove them from the App Store or at least require the developers to provide updated versions that don't use the Youmi SDK. Still, even if those apps are removed, the episode raises the question of whether other iOS apps are actively doing the same thing.