An estimated 256 mobile apps are to be removed from the iOS App Store after a report found them to be illegally lifting data from users.

Security analytics group Source DNA found a number of titles to be running a software development kit (SDK) from Chinese advertising company Youmi to obtain personally identifiable information such as device serial numbers, email addresses and Apple IDs. 

As collecting these details is not permitted under the terms listed in the App Store rulebook, Apple has issued a statement confirming the removal of any apps using the Youmi SDK after verifying the contents of the report.

While there would have been potential for the data to be sold to advertisers, analysts have also pointed to the fact that information like email addresses can be used to access numerous online accounts, for banking, social networks and others. 

Security breach

Apple’s decision to remove the apps so soon after the report was delivered may paint the company in a positive light. However, the report indicates an air of damage limitation from the group given that over one million people may have downloaded the titles. 

Reports from the Guardian add weight to rumours that most of the apps are from Youmi’s native China, with one of the most high-profile victims being the country’s official McDonald’s app.

Source DNA founder Nate Lawson told Ars Technica the activity was “definitely the kind of stuff that Apple should have caught”.

In response, the tech giant has released a statement covering the steps to take in the aftermath of the report being released.

It confirms a “violation of our security and privacy guidelines”, going on to state: “The apps using Youmi’s SDK have been removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. 

“We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.”

Meanwhile, Apple will be expected to carry out additional checks on some of the data-mining activity behind its 1.5 million App Store titles after Source DNA failed to rule out the possibility of more apps engaging in unscrupulous behaviour.