Apple has removed a top-rated paid anti-malware app Adware Doctor from its Mac App Store after it was found collection users browsing histories and other sensitive details, and sending it to China.
According to a well-known Apple security researcher Patrick Wardle, the app collected users web login history, app logs, and other security data from the devices it was installed on. The app collected data from Chrome, Firefox, or Safari, and converts it into a zip file, and then send it to a server in China.
“We tore apart Adware Doctor - one of the top grossing apps in the official Mac App Store. This research (original credit: @privacyis1st) uncovered blatant violations of users' privacy and complete disregard of Apple's App Store Guidelines,” Wardle wrote in a blog. “There is rather a massive privacy issue here. Let’s face it, your browsing history provides a glimpse into almost every aspect of your life.”
Although, unlike other apps, Adware Doctor ask for permission to access users' files.
“Once the user has clicked ‘allow,’ since Adware Doctor requested permission to the user’s home directory, it will have carte blanche access to all the user’s files,” Wardle said.
However, Apple took over a month to remove the app from the store. Even though Wardley informed Apple about Adware Doctor’s breach of MacOS security protocols, it remained ranked fourth paid app on the App Store.
“The fact that application has been surreptitiously exfiltrating users' browsing history, possibly for years, is, to put it mildly, rather f#@&'d up! Beyond its mistreatment and blatant disrespect of user data, the fact that Adware Doctor "dances around" the Mac App Sandbox seems to clearly be another violation as well,” Wardle added.