In September 2015, Apple executives faced a dilemma: should they notify 128 million iPhone users about what remains the worst mass iOS compromise ever? In the end, all the evidence indicates, they chose to remain silent.
The mass compromise first came to light when researchers discovered 40 malicious App Store apps, a number that rose to 4,000 as more researchers dug in. The apps contained code that made iPhones and iPads part of a botnet that stole potentially sensitive user information.
128 million infected
An email entered into evidence this week in Epic Games’ lawsuit against Apple reveals that on the afternoon of September 21, 2015, Apple executives discovered 2,500 malicious apps had been downloaded a total of 203 million times by 128 million users, 18 million of whom were in the US.
“Joz, Tom and Christine – due to the sheer number of potentially affected customers, do we want to email all of them?” App Store VP Matthew Fischer wrote, referring to Apple Senior Vice President of Worldwide Marketing Greg Joswiak and Apple PR people Tom Neumayr and Christine Monaghan. The email continued:
If so, Dale Bagwell from our Customer Experience team is on hand to take care of this on our side. Keep in mind that this poses some challenges in terms of language localization of the email, as the downloads of these apps took place in a wide variety of App Store storefronts around the world (for example, we wouldn’t want to send an English-language email to a customer who has downloaded one or more of these apps from the Brazil App Store, where Brazilian Portuguese would be the most appropriate language).
The dog ate our reveal
About 10 hours later, Bagwell discussed the logistics of informing all 128 million affected users, localizing notifications to each user’s language, and “accurately [recording] the names of the apps for each customer.”
Unfortunately, it seems Apple never carried out its plan. An Apple representative could provide no evidence that such an email was ever sent. Statements the rep sent on background — meaning I’m not allowed to quote them — noted that Apple instead only published this now-deleted post.
The post provides only very general information about the malicious app campaign and, at the end, lists just the top 25 most downloaded apps. “If users have any of these apps, they should update that app to resolve the issue on the user’s device,” the post reads. “If the app is available on [the] App Store, it’s updated; if it’s not available, it should be updated very soon.”
Ghost of Xcode
The infections were the result of legitimate developers writing apps with a counterfeit copy of Xcode, Apple’s iOS and OS X app development tool. The repackaged tool, called XcodeGhost, covertly inserted malicious code alongside each app’s normal functions.
From there, the apps would cause iPhones to report to a command-and-control server and hand over a variety of device information, including the name of the infected app, the app bundle ID, network information, the device’s “identifierForVendor” data, and the device name, type, and unique identifier.
XcodeGhost was billed as faster to download in China than the Xcode available from Apple. To use the counterfeit version, developers would have had to click through a warning from Gatekeeper, the macOS security feature that requires apps to be digitally signed by a known developer.
The lack of follow-up is disappointing. Apple has long prioritized the security of the devices it sells. It has also made privacy an important part of its products. Notifying those affected directly about this compromise would have been the right choice. We already knew that Google routinely doesn’t notify users when they download malicious Android apps or Chrome extensions. Now we know that Apple has done the same.
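The Gatekeeper warning was the one signal developers had that their Xcode copy was not Apple’s. After XcodeGhost, Apple advised developers to check an installed Xcode.app with `spctl --assess --verbose` and to confirm the reported source is “Mac App Store”, “Apple”, or “Apple System”. The following script is an added example, not code from the article or from Apple: it runs that assessment (plus a strict `codesign --verify`) when the macOS tools are present, and keeps the verdict parsing in a pure function so it can be checked offline against constructed output. The path and the constructed output strings are assumptions.

```python
"""Verify that an installed Xcode.app carries Apple's own signature.

Added example: wraps the post-XcodeGhost check Apple recommended
(spctl --assess --verbose) and a strict codesign verification.
"""
import re
import shutil
import subprocess
from dataclasses import dataclass

# Sources Apple's guidance treated as legitimate origins for Xcode.
TRUSTED_SOURCES = {"Mac App Store", "Apple", "Apple System"}

_VERDICT_RE = re.compile(r"^(?P<path>.+?): (?P<verdict>accepted|rejected)\s*$", re.M)
_SOURCE_RE = re.compile(r"^source=(?P<source>.*?)\s*$", re.M)


@dataclass(frozen=True)
class Assessment:
    path: str
    accepted: bool
    source: str

    @property
    def trusted(self) -> bool:
        # Accepted by policy *and* from an Apple-controlled source:
        # a Developer ID-signed repackage would be "accepted" but untrusted.
        return self.accepted and self.source in TRUSTED_SOURCES


def parse_spctl(output: str) -> Assessment:
    """Parse the text spctl --assess --verbose prints for one bundle."""
    verdict = _VERDICT_RE.search(output)
    if verdict is None:
        raise ValueError("no spctl verdict line found in output")
    source = _SOURCE_RE.search(output)
    return Assessment(
        path=verdict.group("path"),
        accepted=verdict.group("verdict") == "accepted",
        source=source.group("source") if source else "",
    )


def assess_xcode(path: str = "/Applications/Xcode.app") -> Assessment:
    """Run spctl and codesign against `path` (macOS only)."""
    if shutil.which("spctl") is None or shutil.which("codesign") is None:
        raise RuntimeError("spctl/codesign not available; run this on macOS")
    proc = subprocess.run(
        ["spctl", "--assess", "--verbose", path],
        capture_output=True, text=True, check=False,
    )
    result = parse_spctl(proc.stdout + proc.stderr)
    # --deep --strict checks every nested bundle and rejects invalid resources;
    # a non-zero exit means the signature does not cover what is on disk.
    sig = subprocess.run(
        ["codesign", "--verify", "--deep", "--strict", path],
        capture_output=True, text=True, check=False,
    )
    if sig.returncode != 0:
        return Assessment(result.path, False, result.source)
    return result


if __name__ == "__main__":
    # Constructed sample outputs, so the parser can be exercised anywhere.
    samples = [
        "/Applications/Xcode.app: accepted\nsource=Mac App Store\n",
        "/Users/dev/Xcode.app: accepted\nsource=Developer ID\n",
        "/tmp/Xcode.app: rejected\nsource=no usable signature\n",
    ]
    for s in samples:
        a = parse_spctl(s)
        print(f"{a.path}: accepted={a.accepted} source={a.source!r} trusted={a.trusted}")
```

The `trusted` property is the important distinction: Gatekeeper “accepting” a bundle only means it passed system policy, and a repackaged Xcode signed with any valid Developer ID certificate would pass. Only the `source=` line tells you whether the copy came from Apple.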
Dr. Jekyll, stop
The email wasn’t the only one showing Apple brass grappling with security weaknesses. A separate one sent to Apple Fellow Phil Schiller and others in 2013 forwarded a copy of the Ars article with the headline “Seemingly benign ‘Jekyll’ app passes Apple review, then goes ‘bad’.”
The article discussed research by computer scientists who found a way to sneak malicious programs into the App Store without being detected by the mandatory review process that is supposed to automatically flag such apps. Schiller and the other people who received the email wanted to figure out how to strengthen security in light of the discovery that the static analyzer Apple was using was ineffective against the newly discovered method.
“This static analyzer looks at API names rather than the actual APIs being called, so there is often the problem of false positives,” wrote Eddy Cue, Apple’s senior vice president of Internet software and services. “The Static Analyzer allows us to detect direct access to Private APIs, but it completely misses apps that use indirect methods to access these Private APIs. This is what the authors used in their Jekyll apps.”
The email went on to discuss the limitations of two other Apple defense systems, one known as Privacy Proxy and the other Backdoor Switch.
“We need some help convincing other teams to implement this functionality for us,” Cue wrote. “Until then, it’s more brute force and somewhat ineffective.”
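Cue’s point is that a name-based analyzer matches the text of selectors in a binary, so a call whose selector is only assembled at run time never shows up. The following is an added example, not Apple’s analyzer or code from the Jekyll paper: a toy source scanner that first does the name match the email describes and then adds the check a reviewer would want, flagging dynamic-dispatch constructs (`NSSelectorFromString`, `sel_registerName`, `performSelector:` with a non-literal selector, `dlsym`, raw `objc_msgSend`) for manual review. The private selector name and both Objective-C snippets are constructed for the example.

```python
"""Toy App Review static checks: name matching vs. dynamic-dispatch review.

Added example. The selector below is hypothetical; real reviewers would
load a list of known private selectors and symbols.
"""
import re
from dataclasses import dataclass

# Hypothetical private selector standing in for a real denylist entry.
HYPOTHETICAL_PRIVATE_SELECTORS = {"_hypotheticalPrivateMethod"}

# Constructs that resolve a method or symbol at run time. A name-based
# scan cannot know what they will call, so they warrant human review.
DYNAMIC_DISPATCH_PATTERNS = [
    (re.compile(r'NSSelectorFromString\(\s*(?!@")'), "NSSelectorFromString with non-literal name"),
    (re.compile(r'sel_registerName\(\s*(?!")'), "sel_registerName with non-literal name"),
    (re.compile(r'performSelector:\s*(?!@selector\()'), "performSelector: with runtime selector"),
    (re.compile(r"\bdlsym\("), "dlsym symbol lookup"),
    (re.compile(r"\bobjc_msgSend\b"), "raw objc_msgSend call"),
]


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str      # "private-api-name" or "dynamic-dispatch"
    detail: str


def scan_names(source: str) -> list[Finding]:
    """Name-based pass: flags a private selector that appears literally."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for sel in HYPOTHETICAL_PRIVATE_SELECTORS:
            if re.search(r"\b" + re.escape(sel) + r"\b", line):
                findings.append(Finding(lineno, "private-api-name", sel))
    return findings


def scan_dynamic_dispatch(source: str) -> list[Finding]:
    """Review pass: flags selectors/symbols resolved at run time."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for pattern, label in DYNAMIC_DISPATCH_PATTERNS:
            if pattern.search(line):
                findings.append(Finding(lineno, "dynamic-dispatch", label))
    return findings


def review_source(source: str) -> list[Finding]:
    """Both passes combined, in line order."""
    return sorted(scan_names(source) + scan_dynamic_dispatch(source),
                  key=lambda f: f.line)


# Constructed sample 1: a direct call; the literal name is in the source.
DIRECT_CALL_SAMPLE = """\
- (void)run {
  [[UIDevice currentDevice] _hypotheticalPrivateMethod];
}
"""

# Constructed sample 2: the selector comes from data at run time, so no
# private name appears in the source and the name scan sees nothing.
INDIRECT_CALL_SAMPLE = """\
- (void)run {
  NSString *name = [self.config objectForKey:@"selector"];
  SEL sel = NSSelectorFromString(name);
  [[UIDevice currentDevice] performSelector:sel];
}
"""

if __name__ == "__main__":
    for title, src in (("direct", DIRECT_CALL_SAMPLE), ("indirect", INDIRECT_CALL_SAMPLE)):
        print(f"== {title} ==")
        print("  name scan:    ", scan_names(src))
        print("  dispatch scan:", scan_dynamic_dispatch(src))
```

Run it and the name scan flags only the direct sample, while the dynamic-dispatch pass flags two lines of the indirect sample and nothing in the direct one. That asymmetry is exactly the gap the email describes; the second pass does not prove a private API is called, it just routes the app to a human or to runtime instrumentation instead of letting it through on a clean name match.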
Lawsuits involving large companies often provide rare windows into how they and their executives operate. Often, as is the case here, those views are at odds with the companies’ talking points. The trial resumes next week.