Youmi’s code calls the list of all the apps you have installed on your phone, the email associated with your Apple ID, the serial numbers of the peripherals inside your device, and if you’re running an older version of iOS, the SDK can call the platform serial number of your device.
Why this matters: This is the third time in the last month that shady code has been discovered in Apple-approved iOS apps. Developers using an infected version of Apple’s Xcode, which is used to build iOS apps, were unknowingly allowing malware to potentially phish your iCloud and Apple ID information. The malware also had the ability to access your clipboard, which could have had major ramifications for people who use password management apps. Earlier this month, Apple found that some content-blocking apps were installing root certificates on your iPhone to block ads in other apps, not just Safari. Those apps were pulled, too.
Apple’s on it
Apple is now aware of the situation, confirming to Ars Technica that it will remove the apps using Youmi’s SDK from the App Store and reject any future apps using the SDK:
“We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines. The apps using Youmi’s SDK will be removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.”
SourceDNA found 256 apps using the SDK. Those apps, mostly out of China, have been downloaded approximately 1 million times. Developers probably didn’t realize Youmi’s SDK was pulling private data, the analytics firm said, because the info the app collects is routed to Youmi’s server, not the app’s. This has has been going on for more than a year.