Hundreds of iOS apps with a combined one million downloads from Apple's App Store have secretly gathered personal user and device information and uploaded it to a server in China, researchers have discovered.
Code vetting firm SourceDNA scanned apps for private application programming interface (API) usage, a practice that Apple explicitly bans.
The firm's researchers found 256 apps that had slipped past Apple's App Store review, bypassing its security and privacy requirements, and silently collected personal data.
The apps in question use the Chinese-developed Youmi advertising software development kit (SDK).
SourceDNA believes the developers of the privacy-busting apps were not aware the Youmi SDK rifled through users' personal and device data.
The researchers said the SDK ships as an obfuscated binary, making it difficult to work out exactly what it does; the collected user data is uploaded to a Youmi server in China.
SourceDNA warned developers to take greater care when they use third-party SDKs, since the responsibility for how an SDK treats users lies with the developer who ships it.
Through the private APIs the SDK collected the list of apps installed on the device and the device's platform serial number, access to which Apple blocked in iOS 8.
The Youmi SDK also collected the user's Apple ID email address. SourceDNA said the collection may have been going on for as long as two years.
After discovering the problem, SourceDNA reported the privacy-violating apps to Apple, which responded by removing all programs that use the Youmi SDK.
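The article describes two things a developer vetting a third-party SDK can act on: scanning the binary's string tables for private-API usage (the approach SourceDNA used), and the caveat that an obfuscated binary can hide those strings. The example below is added here and is not SourceDNA's tool or Youmi's code. It runs a strings(1)-style scan over constructed sample "binaries" (NUL-separated string tables standing in for a Mach-O `__objc_methname` / `__cstring` section), flags known private symbols, flags runtime-lookup primitives that an obfuscated SDK would use to resolve selectors on the fly, and brute-forces single-byte XOR to recover cheaply encoded strings. The watch lists are assumptions for illustration; the article does not name which private APIs Youmi called, and a real scanner would parse Mach-O load commands rather than grep the whole file.

```python
"""Toy static scan for private-API indicators in an iOS binary's strings."""
from __future__ import annotations

import re

# Strings associated with private-API access. Assumed watch list for this
# example; the article does not name the exact symbols the Youmi SDK called.
PRIVATE_API_INDICATORS = {
    b"LSApplicationWorkspace": "private LaunchServices class",
    b"allInstalledApplications": "enumerates installed apps (private)",
    b"IOPlatformSerialNumber": "hardware serial via IOKit (blocked from iOS 8)",
}

# Runtime lookup primitives. An obfuscated SDK can keep selector names encoded
# and resolve them through these, so a plain string scan finds nothing direct.
DYNAMIC_LOOKUP_INDICATORS = (
    b"NSClassFromString",
    b"NSSelectorFromString",
    b"sel_registerName",
    b"dlsym",
    b"performSelector:",
)


def extract_strings(blob: bytes, min_len: int = 4) -> list:
    """Like strings(1): runs of printable ASCII of at least min_len bytes."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)


def find_xor_encoded(blob: bytes, needles) -> dict:
    """Try every single-byte XOR key; report needles that decode and the key.
    Catches the cheapest string obfuscation; anything stronger needs a
    disassembler and a look at the code that builds the selector."""
    hits = {}
    for key in range(1, 256):
        decoded = bytes(b ^ key for b in blob)
        for needle in needles:
            if needle in decoded and needle not in hits:
                hits[needle] = key
    return hits


def scan(blob: bytes) -> dict:
    """Classify a binary blob as clean, needs review, or reject."""
    strings = set(extract_strings(blob))
    direct = sorted(s for s in PRIVATE_API_INDICATORS if any(s in t for t in strings))
    dynamic = sorted(s for s in DYNAMIC_LOOKUP_INDICATORS if any(s in t for t in strings))
    encoded = find_xor_encoded(blob, PRIVATE_API_INDICATORS)
    if direct or encoded:
        verdict = "reject: private API use"
    elif dynamic:
        verdict = "review: dynamic lookup, possible hidden private API"
    else:
        verdict = "clean"
    return {"direct": direct, "dynamic": dynamic, "xor_encoded": encoded, "verdict": verdict}


# Constructed sample string tables (not real SDK binaries). The ad endpoint is
# a hypothetical placeholder.
def _table(*items: bytes) -> bytes:
    return b"\x00".join(items) + b"\x00"


CLEAN_SDK = _table(b"showBannerAd:", b"NSURLSession", b"https://ads.example.com/v1")
NAIVE_SDK = _table(b"showBannerAd:", b"LSApplicationWorkspace",
                   b"allInstalledApplications", b"IOPlatformSerialNumber")
OBF_KEY = 0x5A  # arbitrary single-byte key for the constructed sample
OBFUSCATED_SDK = _table(b"showBannerAd:", b"NSSelectorFromString", b"NSClassFromString",
                        bytes(b ^ OBF_KEY for b in b"allInstalledApplications"))

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_SDK), ("naive", NAIVE_SDK), ("obfuscated", OBFUSCATED_SDK)):
        print(name, scan(blob))
```

The obfuscated sample is the point of the exercise: the direct scan finds nothing, but the presence of `NSSelectorFromString` and `NSClassFromString` alone is enough to demand a manual look, and the XOR pass then recovers the hidden selector. An SDK that passes the direct scan but carries runtime-lookup primitives should be treated as unreviewed, not as clean.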
“We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server," Apple said.
"This is a violation of our security and privacy guidelines.
"The apps using Youmi’s SDK will be removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected."
This is the second time in a month Apple's App Store has been found to contain malicious code.
In September this year, some 344 apps were found to have been built with a tainted or counterfeit version of Apple's Xcode development environment.
Apple removed those apps, and earlier this month took down "a few apps" from the App Store that installed root certificates on the device, which meant they could be used to intercept the user's SSL/TLS-encrypted traffic.