Apple's App Store vetting process has suffered another major blow after it emerged on Monday that hundreds of apps had been secretly collecting user data. Researchers speaking to Ars Technica identified 256 such iOS apps, with a combined estimated total of 1 million downloads. The researchers did not name the apps but noted their developers are mostly based in China.
The researchers, from security analytics firm SourceDNA, found the apps were gathering the email addresses linked to the device's Apple ID, the serial number of the device (only in versions prior to iOS 8), the serial numbers of the internal hardware components and the names of installed apps.
In a statement, Apple said the targeted apps would be removed from the store and that any similarly afflicted apps submitted in future would be rejected. "We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly," the company said.
Apple explained that the apps had been using a third-party advertising software development kit (SDK) created by a mobile advertising provider called Youmi. This SDK used private application programming interfaces (APIs) to pull together the user-identifiable information. The SDK then took that information and sent it to Youmi's servers. SourceDNA noted that due to the nature of the breach, the app developers are unlikely to know what the SDK was up to.
The news follows the App Store's first-ever malware problem, revealed in September, in which select apps had been developed using a tampered version of Xcode. Developers normally download the developer tool for free from Apple, but some had chosen to download the software from a third party due to slow download speeds from official Apple sources. Apple responded by removing the infected apps.