John Gruber on Adware Doctor:
What a bizarre story this is. Adware Doctor was a $4.99 app in the Mac App Store from a developer supposedly named Yongming Zhang. The app purported to protect your browser from adware by removing browser extensions, cookies, and caches. It was a surprisingly popular app, ranking first in the Utilities category and fourth overall among paid apps, alongside stalwarts like Logic Pro X and Final Cut Pro X.
Turns out, among other things, Adware Doctor was collecting your web browser history from Chrome, Firefox, and Safari, and uploading it to a server in China. Whatever the intention of this was, it’s a privacy debacle, obviously. This behavior was first discovered by someone who goes by the Twitter handle Privacy 1st, and reported to Apple on August 12. Early today, security researcher Patrick Wardle published a detailed technical analysis of the app. Wired, TechCrunch, and other publications jumped on the story, and by 9 am PT, Apple had pulled the app from the App Store.
Contrary to some reports, Adware Doctor didn’t find some sort of hole in the sandbox that prevents apps downloaded from the Mac App Store from being able to access the entire file system. The app asked permission from the user, which is the only way utilities like this can work. Any user who believed in the stated purpose of Adware Doctor would grant this permission though. (MacOS 10.14 Mojave has additional protections for particularly sensitive files, like your browser history and email database — this shouldn’t work on Mojave even if you grant an app permission to access your home folder.)
Also, make sure you read Patrick Wardle’s post on Objective-See:
You probably trust applications in the Official Mac App Store. And why wouldn’t you?
However, it’s questionable whether these statements actually hold true, as one of the top grossing applications in the Mac App Store surreptitiously exfiltrates highly sensitive user information to a (Chinese?) developer. Though Apple was contacted a month ago, and promised to investigate, the application remains available in Mac App Store even today.