Not only is it a problem for Apple, it’s also a problem for the one million people estimated to have downloaded the apps. The data was gathered so covertly that the individual app developers probably didn’t know about it. Why? Because the gathered data is sent only to the creator of the software development kit (SDK) used to deliver ads.
Nate Lawson, the founder of the security analytics startup SourceDNA, told Ars, "This is the first time we've found apps live in the App Store that are violating user privacy by pulling data from private APIs." Lawson went on to say this issue is something Apple shouldn't have missed.
Earlier this morning, Apple released a statement confirming what SourceDNA found:
"We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines. The apps using Youmi's SDK will be removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly."
Apple has removed problematic apps from the App Store before, such as apps that spied on encrypted traffic, but the current issue is worse. The App Store rules explicitly forbid access to the content that the more than 250 apps SourceDNA discovered were reading. To complicate matters further, Youmi is a difficult company to contact because its website is written mostly in Chinese. A list of the impacted apps hasn't been made public.