In September 2015, Apple executives had a dilemma on their hands: should they or should they not inform 128 million iPhone users of what remains the worst mass compromise of iOS ever? In the end, all the evidence shows, they chose to keep quiet.
The mass hack first came to light when researchers discovered 40 malicious apps in the App Store, a number that mushroomed to 4,000 as more and more researchers searched. The apps contained code that made iPhones and iPads part of a botnet that stole potentially sensitive user information.
An email that surfaced in court last week in the Epic Games trial against Apple shows that, on the afternoon of September 21, 2015, Apple executives had discovered 2,500 malicious apps that had been downloaded a total of 203 million times by 128 million users, including 18 million in the United States.
“Joz, Tom and Christine – due to the large number of potentially affected customers, do we want to email them all?” Matthew Fischer, vice president of the App Store, wrote, referring to Apple’s senior vice president of global marketing, Greg Joswiak, and Apple’s public relations executives, Tom Neumayr and Christine Monaghan. The email continued:
If so, Dale Bagwell from our Customer Experience team will be close to handling this on our end. Note that this will pose challenges in terms of the linguistic localization of the email, as downloads of these apps have taken place in a wide variety of App Store storefronts across the world (for example, we wouldn’t want to send an email in English to a customer who has downloaded one or more of these apps from the Brazilian App Store, where Brazilian Portuguese would be the most appropriate language).
About 10 hours later, Bagwell discussed the logistics of notifying all 128 million affected users, localizing the notifications in each user’s language, and “accurately includ[ing] the names of the applications for each client.”
Alas, all appearances are that Apple never followed through on its plans. An Apple representative could not provide any evidence that such an email was ever sent. Statements the rep sent on background – meaning I’m not allowed to quote them – indicated that Apple had instead published only this post, since deleted.
The post provides only very general information about the malware campaign and lists just the 25 most downloaded apps. “If users have any of these apps, they need to update the affected app, which will fix the issue on the user’s device,” the message read. “If the application is available on [the] App Store, it has been updated; if it is not available, it should be updated very soon.”
The infections were the result of legitimate developers writing apps with a counterfeit copy of Xcode, Apple’s development tool for iOS and OS X applications. The repackaged tool, dubbed XcodeGhost, surreptitiously inserted malicious code alongside the app’s normal functions.
From there, the apps caused iPhones to report to a command-and-control server and hand over assorted information about the device, including the name of the infected app, the app bundle ID, network information, the device’s identifierForVendor details, and the device name, type, and unique identifier.
XcodeGhost was presented as being faster to download in China than the Xcode available from Apple. To run the counterfeit version, developers would have had to click through a warning from Gatekeeper, the macOS security feature that requires apps to be digitally signed by a known developer.
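The Gatekeeper assessment that a developer or build-pipeline owner can run to confirm that the Xcode on a machine came from Apple rather than a repackaged copy, as an added example that is not code from the article or from Apple. It assumes macOS with spctl(8) available and Xcode at the default path /Applications/Xcode.app; the accepted source labels (“Mac App Store”, “Apple System”, “Apple”) are the ones Gatekeeper reports for software Apple itself distributes.

```shell
#!/bin/sh
# Added example, not from the article or from Apple. Assumes macOS with
# spctl(8) and an Xcode bundle at /Applications/Xcode.app (assumed path).

# Decide from spctl's assessment text whether Gatekeeper accepted the bundle
# AND attributed it to an Apple distribution channel. A repackaged Xcode is
# either rejected outright or carries a non-Apple source such as "Developer ID".
xcode_assessment_ok() {
    assessment="$1"
    # The first line must end in ": accepted"; "rejected" means no valid signature.
    first=$(printf '%s\n' "$assessment" | sed -n '1p')
    case "$first" in
        *": accepted") ;;
        *) return 1 ;;
    esac
    # Only the sources Gatekeeper uses for software Apple itself distributes.
    src=$(printf '%s\n' "$assessment" | sed -n 's/^source=//p')
    case "$src" in
        "Mac App Store"|"Apple System"|"Apple") return 0 ;;
        *) return 1 ;;
    esac
}

# Run the assessment against a real Xcode bundle and report the result.
check_xcode() {
    app="${1:-/Applications/Xcode.app}"
    out=$(spctl --assess --verbose "$app" 2>&1) || true
    if xcode_assessment_ok "$out"; then
        echo "OK: $app accepted by Gatekeeper from an Apple source"
    else
        echo "WARNING: $app is not a Gatekeeper-accepted, Apple-distributed Xcode:"
        echo "$out"
        return 1
    fi
}

# Only touch the live system when spctl exists, i.e. on macOS.
if command -v spctl >/dev/null 2>&1; then
    check_xcode "$@"
fi
```

Run it on each build machine before trusting its toolchain; a Developer ID or unsigned result means the Xcode was not obtained through Apple's channels.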
The lack of follow-up is disappointing. Apple has long prioritized the security of the devices it sells. It has also made privacy a centerpiece of its products. Directly informing those affected by this compromise would have been the right thing to do. We already knew that Google usually doesn’t notify users when they download malicious Android apps or Chrome extensions. Now we know Apple has done the same.
The email wasn’t the only one showing Apple brass dealing with security issues. A separate one sent to Apple fellow Phil Schiller and others in 2013 forwarded a copy of the Ars article titled “Seemingly Benign ‘Jekyll’ App Passes Apple Review, Then Goes ‘Evil’.”