The common misconception about Apple products is that they are safe — no viruses, malware, or any other sneaky software running in the background. But it’s simply not true.
The apps were violating privacy by pulling data from private APIs, in a breach so secret that the app developers themselves are not likely to have known about it. Chinese company Youmi reportedly accessed the apps’ private APIs through a third-party advertising SDK that stored the data and sent it to its own servers, and apparently Youmi’s been pulling data from devices for about two years now, reports Ars Technica. (Via)
So Youmi was writing shady code in their apps in order to fool the App Store approval process. And it looks like it was working. Apple has since updated its approval process to prevent this specific type of data gathering and released a statement about the security breakdown:
We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses and device identifiers, and route data to its company server. This is a violation of our security and privacy guidelines. The apps using Youmi’s SDK have been removed from the App Store and any new apps submitted to the App Store using this SDK will be rejected. We are working closely with developers to help them get updated versions of their apps that are safe for customers and in compliance with our guidelines back in the App Store quickly.
SourceDNA didn’t provide the public with a list of the offending apps, but did provide the list to Apple.