Youmi, the China-based mobile advertising provider whose software development kit (SDK) uses private APIs to collect user and device information is the latest cause of potentially malicious apps fooling Apple App Store's quality control process. Apple bans app developers from having their apps call private APIs, a behaviour normally caught when the app is in the approval process to be included in the App Store.
SourceDNA advised Apple about the issue and discovered that 250+ apps with an approximate total of one million downloads have been built on the SDK. Researchers at SourceDNA said, “The older versions (of the SDK) do not call private APIs, so the 142 apps that have them are ok. But almost two years ago, we believe the Youmi developers began experimenting with obfuscating a call to get the frontmost app name.”
Following this discovery, Apple has removed an undefined number of apps from the App Store. “We've identified a group of apps that are using a third-party advertising SDK, developed by Youmi, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines,” Apple stated. The company also advised that any new apps submitted to the App Store using the Youmi SDK will be rejected.
Youmi issued an apology for creating the data-collecting SDK and is working with Apple to resolve the issue. ZDNet reported that “reasonable compensation” is being offered to app developers whose apps were removed from the App Store due to using the SDK.