Apple has confirmed a purge of 256 apps, mostly from the Chinese App Store, that used a private API built by mobile advertising firm Youmi that collected personal data from the iPhone or iPad.
The issue was originally spotted by SourceDNA: Youmi baked tracking and collection tools into the advertising API without telling developers. Apple is working with the affected developers to get the apps, which total 1 million downloads, back on the market.
Youmi was able to collect device serial numbers, apps installed, and Apple ID email addresses. This information can be sold on the black market for a price, especially the email addresses that spammers could use to pretend to be Apple.
The advertising API was incapable of much else, however, which hopefully means even iPhones and iPads that aren’t updated won’t be hit with malicious attacks. Apple is working to make sure all users affected are safe and updated to the latest version of iOS.
It is one of the rare occasions the review team failed to spot a non-verified API. In China, development is much less centered around Xcode, meaning developers can sometimes download fake APIs without knowing.
Apple has cautioned developers in the past about developing outside of Xcode. It claims that those apps are more vulnerable to malicious attacks because Apple is unable to verify their contents. An example of this came last month, when 25 apps including Tencent’s WeChat and Baidu Music were pulled for using a fake version of Xcode.
Another malicious app offered users the ability to use a defunct media player, which, once downloaded, ran full-page Safari ads and blocked users from removing it. At home in the U.S., Apple also removed a bunch of apps that offered a way to block native ads inside of apps, most notably the controversial app Been Choice.