Apple today removed more than 250 apps from its App Store that were using software from a Chinese advertising company that secretly accessed and stored users' personal information. The firm, called Youmi, provided app makers with a software development kit that would glean which apps a user had downloaded, that user's email address, and the serial number of their smartphone, according to mobile security company SourceDNA. The apps in total received 1 million downloads.

The app makers that relied on Youmi's SDK, most of which are based in China, may not have knowingly violated Apple's security and privacy guidelines. "We believe the developers of these apps aren’t aware of this since the SDK is delivered in binary form, obfuscated, and user info is uploaded to Youmi’s server, not the app’s. We recommend developers stop using this SDK until this code is removed," reads SourceDNA's blog post.

Youmi's SDK had user data sent to its own private server

It's unclear how Youmi's SDK didn't raise red flags at Apple. SourceDNA thinks the ad company has likely been experimenting for years with ways to tap into iOS's restricted application programming interfaces (APIs) to gather info only Apple should be able to view. That would normally prevent an app from making it through the review process. Yet as Youmi tested the limits of its SDK, it appears to have slipped through somehow and begun bolder data collection.

SourceDNA only discovered Youmi's SDK when updating its own product, called Searchlight, that inspects apps for security and privacy violations. The instance, though isolated, may have broader implications for Apple. "We’re concerned other published apps may be using different but related approaches to hide their malicious behavior," SourceDNA's blog post states.

In a statement provided to The Verge, Apple says all apps relying on the SDK have been removed. It's now working with developers to ensure their software is in compliance with the App Store guidelines: