Zombie iOS APIs used to slurp private data

Apple in 'security by obscurity doesn't work' non-shock

Sad iPhone

Up to a million iOS users' Apple IDs and device serial numbers were harvested by a software development kit (SDK) that accessed so-called “private APIs”.

The information harvested by the Youmi advertising SDK from China was then sent back to Youmi servers, according to SourceDNA.

Private APIs are hooks that exist in iOS, but which Cupertino doesn't publish, and sternly warns must not be used in user applications. It enforces the ban by refusing to list apps on the Apple Store if they call those APIs – or even if developers happen to give their own methods the same name as the private APIs.

Code analyst outfit SourceDNA says the Youmi SDK's developers worked out how to hide the use of private APIs, and as a result, applications that used the SDK became proxy data-harvesters for Youmi.

From SourceDNA:

We found four main groups of private APIs these apps are calling:
Enumerate the list of installed apps or get the frontmost app name
Get the platform serial number
Enumerate devices and get serial numbers of peripherals
Get the user’s AppleID (email)

The Youmi SDK has been used in at least 256 apps, the analysis says, that have been downloaded by an aggregate million users.

SourceDNA reckons the Youmi experiments with private APIs started about two years ago, and once its developers decided Apple hadn't seen what they were doing, they spread their wings to start gathering the information in the list above.

One API the Youmi developers couldn't get past is Apple's block on reading a device's serial number, so to create a unique identifier for the data they were gathering, the SDK slurped numbers from peripherals like the battery system and used those as the index.

Apple told SourceDNA all apps that used Youmi have been pulled from the store, and future apps using it will be rejected. “We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly”, Cupertino said.

SourceDNA notes that similar behaviour was independently observed by the authors of this ACM paper using a tool called iRiS, developed at Purdue University. ®

Sponsored: Detecting cyber attacks as a small to medium business


Biting the hand that feeds IT © 1998–2020