Apple has pulled several apps from its store, following security researchers’ findings that hundreds of iOS apps have been accessing users’ private data.
In a report published Sunday, researchers at security firm SourceDNA said they found 256 apps that were violating Apple’s security guidelines by using software that was able to collect users’ personal information, including their email and device identification numbers.
SourceDNA did not name the affected apps but said most were from developers in China. The source of the issue, according to the company, was a software development kit (SDK) from Youmi, a Chinese advertising company. Youmi’s advertising SDK was accessing user data, including email addresses, device serial numbers and a list of downloaded apps, and uploading the data to its own server, according to Apple and SourceDNA.
SourceDNA’s researchers said it seems the developers of the apps in question didn’t know the SDK was being used to collect personal information from their users. Apple prohibits developers from using application programming interfaces (APIs) that collect this type of private data, but researchers said Youmi appears to have begun slipping calls to those APIs into its software nearly two years ago, after its software made it through Apple’s initial review process.
In a statement given to SourceDNA, Apple confirmed it had “identified a group of apps” using the SDK in question that violated the company’s security guidelines. The company said it removed the apps and was “working closely” with affected developers to help them get their apps back in the store. Apple did not specify how many developers were affected or how many apps had been removed.