From Buzzfeed News:
Apple has removed a top Mac app called Adware Doctor, designed to “prevent malware and malicious files from infecting your Mac,” which, according to security researchers Patrick Wardle and Privacy 1st, was collecting users’ browsing history without their consent, violating Apple’s policies.
Wardle, who shared his findings with TechCrunch, found that Adware Doctor requested access to users’ home directory and files — not unusual for an anti-malware or adware app that scans computers for malicious code — and used that access to collect Chrome, Safari, and Firefox browsing history, and recent App Store searches. The data is then zipped in a file called “history.zip” and sent to a server based in China via “adscan.yelabapp.com.” Two independent security researchers confirmed to Motherboard that Wardle’s report was accurate.
Mac apps are protected by “sandboxing,” meaning apps can’t access parts of the computer’s file system the user hasn’t granted permissions to. In this case, sandboxing protections were not bypassed. The user granted access to the home directory and its files, and the app did not explicitly gain consent for what it was doing with that access.
The next release of macOS, macOS Mojave, will protect content like Safari History or cookies from apps, even those to which users have granted access to their home directory.
Adware Doctor, which costs $5, was the top paid app in the “Utilities” category, and the fifth top paid app overall, before it was removed Friday. The app appears to violate the App Store’s “Data Collection and Storage” guidelines, which prohibit developers from “surreptitiously discovering private data” or collecting data without consent. It is unclear whether customers who purchased the app will receive a refund.
Read the full article.