Security analysts have found that at least 256 apps in the iOS App store are secretly gathering iPhone owners' email addresses, unique serial numbers and other personally identifying information that can be used to track users.
Apple's App store usually has a very tight vetting process and a strict privacy policy regarding personal data collection.
But security analytics company SourceDNA told Ars Technica that the data gathering is so surreptitious that even the individual developers of the affected apps are unlikely to know about it, since the personal information is sent only to the creator of the software development kit (SDK) used to deliver ads in these apps.
The software developer that was siphoning off the private information of hundreds of thousands of people was a Chinese mobile ad provider called Youmi. Apps affected were mostly China-based, including the official McDonald's app for Chinese speakers.
"This is the first time we've found apps live in the App Store that are violating user privacy by pulling data from private APIs," Nate Lawson, founder of SourceDNA, said. "It's definitely the kind of stuff that Apple should have caught."
The researchers estimated that roughly one million people have downloaded the apps in total.
Several free iOS apps do collect user data as a form of payment, monetizing it by selling it to advertisers.
But the 256 apps detected by SourceDNA are, by contrast, accessing data that Apple's App Store rules explicitly forbid them from collecting, Lawson said. Your email address, for instance, acts as a gateway to multiple online accounts, potentially including your bank accounts.
In response to these findings, Apple issued a statement confirming them.
"We've identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server," the company said. "This is a violation of our security and privacy guidelines. The apps using Youmi's SDK will be removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected."
Private data gathered by apps
• All apps installed on the device.
• The platform serial number of iPhones or iPads when they run older versions of iOS.
• A list of hardware components, and their serial numbers, on devices running newer versions of iOS.
• The email address associated with the user's Apple ID.