Hundreds of iPhone apps to be removed from Apple App Store for illegally collecting your private information
Researchers find that 256 apps were violating Apple's privacy policy by collecting data like users' email addresses and phone IDs
Security analysts have found that at least 256 apps in the iOS App store are secretly gathering iPhone owners' e-mail addresses, unique serial numbers, and other personally identifying information that can be used to track users.
Apple's App Store usually has a very tight vetting process and a strict privacy policy regarding personal data collection. But security analytics company SourceDNA told Ars Technica that the data gathering is so surreptitious that even the individual developers of the affected apps are unlikely to know about it, since the personal information is sent only to the creator of the software development kit used to deliver ads in these apps.
The software developer that was siphoning off the private information of hundreds of thousands of people was a Chinese mobile ad provider called Youmi. The affected apps were mostly China-based, including the official McDonald's app for Chinese speakers.
"This is the first time we've found apps live in the App Store that are violating user privacy by pulling data from private APIs," Nate Lawson, founder of SourceDNA, told the technology site. "It's definitely the kind of stuff that Apple should have caught."
The researchers estimated that roughly one million people have downloaded the apps in total.
Several free iOS apps do collect user data as a form of payment, which they monetise by selling it to advertisers. For instance, the Flashlight app was found to be collecting and selling user locations, and the fitness app Endomondo shares your date of birth and location with advertisers.
But the 256 apps detected by SourceDNA, by contrast, are accessing data that is explicitly forbidden by Apple's App Store rules, Mr Lawson said. Your email address, for instance, acts as a gateway to multiple online accounts, potentially including your bank accounts.
In response to these findings, Apple issued a statement confirming them.
"We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server.
This is a violation of our security and privacy guidelines. The apps using Youmi’s SDK will be removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.”
This discovery comes only weeks after dozens of popular apps in Apple's App Store in China were compromised using malicious code, known as XcodeGhost, in an attempt to steal user data. The list of infected apps includes some of the most popular apps in China, including the ride-hailing app Didi Kuaidi and WeChat, which has roughly 500m users.
Both these attacks are quite unprecedented, since the Apple App Store has always been known for its security: it is extremely selective about the apps it makes available, and tries to ensure that App Store titles are safe and securely designed - although Apple has never disclosed its security measures or vetting process.
Private data gathered by the apps
1. A list of all apps installed on the phone
2. The platform serial number of iPhones or iPads themselves when they run older versions of iOS
3. A list of hardware components on devices running newer versions of iOS and the serial numbers of these components
4. The e-mail address associated with the user’s Apple ID
The data wasn't all stolen in one fell swoop. It took place gradually over the past year or so. According to Mr Lawson, it started out with only the app list and has grown increasingly more invasive until it reached its current version, which gathers device and hardware serial numbers and e-mail addresses.
High profile hacks
Heartbleed bug was found in 2014
In the last year alone, hackers have wreaked havoc on a number of high-profile brands:
eBay (2014): eBay asked 145m users to change their passwords after hackers stole customers' names, addresses, numbers and dates of birth
Heartbleed (2014): A serious vulnerability was discovered in encryption technology used to protect many of the world's major websites, leaving them vulnerable to data theft
Sony (2014): A cyber attack on Sony Pictures Entertainment resulted in a huge data leak, including private details of 47,000 employees and several famous actors
US Central Command (2015): Hackers claiming links to Isil managed to take control of CentCom's Twitter and YouTube accounts, changing the logo to an image of a hooded fighter
Ashley Madison (2015): Hackers threatened to publish the names of up to 37m customers signed up to AshleyMadison.com - a dating website for adulterers.