SourceDNA relied on a new developer tool it created called Searchlight to sift through the App Store. (SourceDNA also pokes around the Google Play Store for security holes.) Searchlight seeks out apps that use private APIs, which is a verboten practice. The firm picked out 256 apps affected, which have collectively been downloaded about one million times using a specific version of the Youmi SDK that relies on private APIs. SourceDNA believes the developers behind the impacted apps, the majority of whom are located in China, were likely unaware of the issue.
"Apple has been locking down private APIs, including blocking apps from reading the platform serial number in iOS 8," explained SourceDNA in a blog post. "Youmi worked around this by enumerating peripheral devices, such as the battery system, and sending those serial numbers as a hardware identifier."
The data scored by the Youmi ad SDK is significant. SourceDNA says the data included: a list of all the apps installed on the iOS device; the platform serial number of the iOS device when running older versions of iOS; a list of hardware components (including serial numbers) installed on devices running newer versions of iOS; and the email address associated with the owner's Apple ID. The data was not snagged all at once; instead, it was lifted piecemeal over the last twelve months or so.
SourceDNA provided Apple with the list of offending apps, one of which is the official McDonald's app for China. Developers can check to see if their app is impacted by using SourceDNA's Searchlight tool.
"We've identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines," said Apple in a statement.
The statement continued, "The apps using Youmi’s SDK have been removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly."
At the moment, there's no clear indication of how many of the million downloads resulted in data being routed to Youmi's servers. Apple didn't say whether or not consumers should be concerned.