How The Wrong SDK Can Get You Booted From The App Store

Apple has removed more than 250 apps from its App Store for their use of a sketchy third-party advertising SDK (software development kit), which was in breach of the company’s security and privacy guidelines. According to a report by Ars Technica, the kit collected a host of personally identifying information about users, and the matter was first flagged up by security analytics firm SourceDNA.

SourceDNA notes that the unauthorized data gathering was surreptitious, so much so that most developers were probably in the dark about what was going on. The practice also escaped the attention of Apple, which screens all iOS apps before they’re made available for download—indeed it prides itself on the safety and security of this curated approach. 

An official statement from Apple reads: 

We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs [application programming interfaces] to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines. The apps using Youmi’s SDK will be removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected.

Apple promises to help affected developers update their apps so that they’re “safe for customers” and “in compliance with our guidelines”—though, of course, it can’t let the apps remain live in the meantime. Most of the apps hail from China, as does Youmi, and the official Chinese language app for McDonald’s restaurants is believed to be one of those involved.

“This is the first time we’ve found apps live in the App Store that are violating user privacy by pulling data from private APIs,” SourceDNA’s Nate Lawson told the tech blog. “This is actually an obfuscated toolkit for extracting as much private information as it can. It’s definitely the kind of stuff that Apple should have caught.” 

According to SourceDNA, the Youmi SDK was able to pull information that included a list of all the apps installed on the phone, the platform serial number of devices running older iOS versions, a list of individual hardware components inside devices running newer iOS versions, and the email address associated with the user’s Apple ID. Around one million people are believed to have been at risk from this background data harvesting.

Bypassing Apple’s Protections

For developers, the moral of the story is: Choose your SDKs and plugins wisely. As for Apple, the company might want to reassess and improve its app scanning procedures.

“Given how simple this obfuscation is and how long the apps have been available that have it, we’re concerned other published apps may be using different, but related approaches to hide their malicious behavior,” explains the SourceDNA team in a blog post. “We’re continuing to add new features to our engine to discover anomalous behavior in app code.”

The past few months haven’t been very good for Apple as far as App Store security is concerned. In September, dozens of apps were found to contain malicious code that had the potential to steal sensitive user information—this time a modified compiler called XcodeGhost was to blame, and again developers may not have been any the wiser that the tools they were using were theoretically dangerous to users.

Meanwhile, earlier in October, a handful of iOS apps were booted out of the App Store for containing the ability to compromise encrypted connections. Although none of the apps were named by Apple, it seems that in this case the developers were at fault for overstepping the mark.

Apple’s walled garden is known for being several notches safer than the Google Play Store, but are cracks in its security gate beginning to appear? Even Apple’s engineers and scanning algorithms can be fooled, it would seem, though a few hundred apps in 1.5 million isn’t a bad percentage. 

As for developers, sticking with trusted tools is the best way of avoiding getting caught up in an App Store security scandal.
