A Chinese mobile-advertising company has expressed regret for distributing code that allowed several applications on Apple Inc.’s iOS mobile system to gain access to users’ personal data, in violation of Apple’s App Store policy.
The Wall Street Journal reported that Youmi Mobile Technology Co. has offered its "sincere apologies" in a statement released on Tuesday, Oct. 20, after Apple had removed offerings from the App Store that were found to be collecting and extracting email addresses, device identification and other private information.
Youmi said in the statement that it was working with Apple to resolve the issue.
Researchers with a U.S. security company, SourceDNA, said Sunday, Oct. 18, that they had found 256 apps involved in the data collection, all of which used software produced by Youmi.
SourceDNA said in a blog post that the apps had been downloaded roughly one million times, adding that the apps' developers, who were mostly from China, were probably not aware of the problem.
According to Apple's statement, the collection of personal data was a violation of the company's security and privacy guidelines, and the company would reject any new apps submitted to the App Store using Youmi's software development kit.
"We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly," the statement said. Apple declined to say how many apps it had taken down.
The report said that it was the second time in the past month that a China-related App Store security vulnerability had been exposed.
In September, dozens of the most popular Chinese-language iOS apps were also removed by Apple after security researchers discovered malicious software, dubbed XcodeGhost, that was embedded in a version of Apple's developer tool kit. The infected apps seemed to have slipped past Apple's security review process in both cases, the report added.
SourceDNA said that in the most recent breach, compromised apps collected user data by using a software communication system called a private application-programming interface, or private API. The use of private APIs in iOS apps is banned by Apple.
The security company said that Youmi developers began experimenting with this method of extracting data almost two years ago.
In a statement released later Tuesday, Oct. 19, Youmi said it respected privacy rules and denied collecting users' personally identifiable information. The company said that the aim of the software was to protect advertisers and developers against fraud.
"It's not a 'security breach' as some one-sided media have reported," the statement said.
Youmi promised to compensate owners of apps that were removed by Apple.