In an unprecedented move, Apple has pulled more than 250 apps from their iPhone App Store after security analysts discovered they had been secretly collecting personal information that could be used to identify and track users. The apps in question managed to get past Apple’s rigorous vetting process, despite being in violation of the company’s own privacy policies. It is estimated that more than one million iPhone owners may have had their personal data compromised via one or more of these apps, making this one of the largest scale security breaches in Apple’s history.
Security analysts at Source DNA have determined that more than 250 apps in the Apple App Store have been using a third-party advertising SDK (software development kit) to gather iPhone owners’ private information. That information, consisting mostly of e-mail addresses and device identifiers, was being routed directly to a company server belonging to Youmi, a mobile ad provider located in China. According to Nate Lawson, founder of Source DNA, “This is the first time we’ve found apps live in the App Store that are violating user privacy by pulling data from private APIs.” While he admits that this is something Apple should have caught in the vetting process, Lawson concedes that it is an extremely difficult kind of breach to identify. Even the developers of the affected apps would have been unlikely to know that the third-party SDK they were using linked to a fraudulent server, and most, if not all, were no doubt using the development kit in good faith. Still, the fact that the breach went undetected by Apple is more than a mere embarrassment for the company, and it has put millions of iPhone owners at an increased risk of data theft.
Of course, a number of iOS apps routinely collect user data as a form of payment, which can be monetized when sold to partnering advertisers. But in these cases the type of data is highly regulated, and users must agree to the data collection when downloading the app. In most cases the information collected consists of nothing more than birth dates and user locations, which are used to target advertising campaigns. In this case, however, the apps singled out by Source DNA have been collecting data whose harvesting is expressly forbidden by Apple’s App Store guidelines, and whose misuse can result in more than a barrage of annoying adverts. For example, e-mail addresses can potentially be used to access other online accounts, up to and including active bank accounts.
Apple has responded quickly to the discovery of the security breach, releasing the following statement:
“We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines. The apps using Youmi’s SDK will be removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.”
While Apple has been quick to respond to the crisis, it highlights some growing concerns over the tech giant’s current security procedures. This is the third time in as many months that Apple has had to pull apps from its App Store due to security issues. As widely reported in the trades, as well as in the popular press, Apple was recently hit by the XcodeGhost malware attack, which forced it to remove upwards of 30 infected apps from its online stores. This was soon followed by an as-yet-unnamed man-in-the-middle attack on encrypted data that forced the removal of several more apps. Apple has always prided itself on providing state-of-the-art security for its customers, and it has long been a major selling point for the brand. However, with yet another security crisis coming to light, it may be time for Apple to tighten up its vetting process or risk losing its hard-won reputation.