The iOS private APIs that were found to share users data among apps has also been found in the Android store. The iOS vulnerability Quicksand was found by Appthority. The Appthority Enterprise Mobility Team uncovered this violation and determined that it impacts all iOS users who have mobile device management (MDM) applications on their phones.
This latest vulnerability, Youmi advertising software development kit, was discovered by Symantec.
This same threat has been discovered to be used in Android development as well and according to Symantec, has been blocked by them since February 2015. These types of attacks where an entire device is made vulnerable because of one corrupted app on the phone, are becoming more and more common. They are especially harmful to enterprise users, because employees will download public apps even on corporate devices such as weather apps and messaging apps.
“The Youmi advertising software development kit (SDK) that was responsible for 256 iOS apps being pulled from the Apple App Store is also used in Android app development and has been blocked by Symantec and Norton products since February 2015.
Analysis of the Android variant of Youmi (detected by Symantec as Android.Youmi) flagged it as a potentially unwanted application since it performed a range of actions that could compromise the user’s privacy.”
“We’ve found hundreds of apps in the App Store that extract personally identifiable user information via private APIs that Apple has forbidden them from calling. This is the first time we’ve seen iOS apps successfully bypass the app review process. But, based on what we learned, it might not be the last.”
The Youmi ad library was found sending the following information to a remote location:
- Device location (such as GPS coordinates and cell tower location)
- Device-identifying information (such as International Mobile Station Equipment Identity (IMEI), kernel version, phone manufacturer, or phone model details)
- Network operator location
- Phone number
The ad library was also found to download and request the installation of new applications and create shortcut advertisements on the home screen or in the application list.
App analytics firm SourceDNA this week found that 256 iOS apps containing Youmi on the App Store were sending back personal and device information on users without their knowledge or consent. This included:
- A list of all applications installed on the iOS device
- The platform serial number of iPhones and iPads running older versions of iOS
- A list of hardware components and the serial numbers for devices running new versions of iOS
- The Apple ID email address associated with the iOS device
For more information, visit the full report made by Symantec.