In September 2015, Apple managers had a dilemma on their hands: should they notify 128 million iPhone users about what remains the worst mass iOS compromise to date, or not? Ultimately, all of the evidence shows that they chose to remain silent.
The mass hack first came to light when researchers discovered 40 malicious App Store apps, a number that mushroomed to 4,000 as more researchers poked around. The apps contained code that made iPhones and iPads part of a botnet that stole potentially sensitive user information.
128 million infected.
An email entered into court this week in Epic Games’ lawsuit against Apple reveals that on the afternoon of September 21, 2015, Apple executives discovered 2,500 malicious apps that had been downloaded 203 million times by 128 million users, 18 million of whom were in the US.
“Joz, Tom and Christine – due to the large number of potentially affected customers, do we want to send an email to everyone?” Matthew Fischer, Apple’s vice president of the App Store, wrote, referring to Greg Joswiak, Apple’s senior vice president of global marketing, and Apple PR staffers Tom Neumayr and Christine Monaghan. The email continued:
If so, Dale Bagwell from our Customer Experience team will be on hand to manage this on our side. Note that this poses some challenges regarding the language localization of the email as these apps were downloaded from a variety of App Store storefronts around the world (e.g. we don’t want to send an English language email to a customer who has downloaded one or more of these apps from the Brazil App Store, with Brazilian Portuguese being the more appropriate language).
The dog ate our disclosure
Roughly 10 hours later, Bagwell discussed the logistics of notifying all 128 million affected users, localizing the notifications into each user’s language, and “precisely includ[ing] the names of the apps for each customer.”
Unfortunately, Apple never seems to have followed through on its plans. An Apple representative could find no evidence that such an email was ever sent. Statements the representative sent on background – which means I can’t quote them – indicated that Apple instead simply published this now-deleted post.
The post gave only very general information about the malicious app campaign and listed just the 25 most-downloaded apps. “If users have any of these apps, they should update the affected app to fix the problem on the user’s device,” the post said. “When the app is available on [the] App Store, it has been updated. If it’s not available, it should be updated very soon.”
Ghost of Xcode
The infections were the result of legitimate developers building their apps with a counterfeit copy of Xcode, Apple’s iOS and OS X app development tool. The repackaged tool, called XcodeGhost, secretly inserted malicious code alongside the app’s normal functions.
From there, the apps made iPhones report to a command-and-control server and hand over a variety of device information, including the name of the infected app, the app bundle ID, network information, the device’s “identifierForVendor” details, and the device name, type, and unique identifier.
XcodeGhost proved faster to download in China than the genuine Xcode available from Apple. To run the counterfeit version, developers had to click through a warning from Gatekeeper, the macOS security feature that requires apps to be digitally signed by a known developer.
The lack of follow-up is disappointing. Apple has long made the security of the devices it sells a priority, and it has made privacy a core part of its products. Notifying those affected directly would have been the right thing to do. We already knew that Google routinely doesn’t notify users when they download malicious Android apps or Chrome extensions. Now we know Apple has done the same.
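The Gatekeeper warning described above is the one control that stood between a developer and a counterfeit Xcode, so the practical defender's check is to ask Gatekeeper, after the fact, whether the installed Xcode.app is accepted and signed by Apple. The following is an added example, not code from the article or from Apple; it wraps the real macOS `spctl --assess --verbose` command and parses its text output. The set of `source=` labels treated as trustworthy is an assumption about how spctl reports Apple-signed software, and the sample outputs in the docstring are constructed.

```python
"""Check whether an Xcode.app bundle passes Gatekeeper and is signed by Apple.

Added example, not from the article. It wraps the real macOS tool `spctl` and
parses its text output. TRUSTED_SOURCES is an assumption about the labels
spctl prints for Apple-signed software. On non-macOS hosts only the parser can
be exercised, with constructed output.
"""
import platform
import re
import subprocess
from dataclasses import dataclass

# Assumption: a genuine Xcode is either a Mac App Store download or an
# Apple-signed bundle, so any other signer source is treated as suspect.
TRUSTED_SOURCES = {"Mac App Store", "Apple", "Apple System"}


@dataclass(frozen=True)
class Verdict:
    accepted: bool   # True only if Gatekeeper accepted AND the signer is Apple
    source: str      # the text after "source=" in spctl's output
    reason: str


def parse_spctl(output: str) -> Verdict:
    """Parse the output of `spctl --assess --verbose <path>`.

    Constructed examples of what spctl prints:
        /Applications/Xcode.app: accepted
        source=Mac App Store
    or, for an unsigned bundle:
        /Applications/Xcode.app: rejected
        source=no usable signature
    """
    accepted = bool(re.search(r":\s*accepted\b", output))
    match = re.search(r"source=(.+)", output)
    source = match.group(1).strip() if match else ""
    if not accepted:
        return Verdict(False, source, "Gatekeeper rejected the bundle")
    if source not in TRUSTED_SOURCES:
        # Accepted by policy (e.g. a Developer ID signer) but not signed by Apple:
        # a repackaged Xcode would land here if it had been re-signed.
        return Verdict(False, source, f"accepted, but signer source '{source}' is not Apple")
    return Verdict(True, source, "accepted and Apple-signed")


def assess_xcode(path: str = "/Applications/Xcode.app") -> Verdict:
    """Run spctl on a live macOS host and interpret the result."""
    if platform.system() != "Darwin":
        raise RuntimeError("spctl only exists on macOS")
    proc = subprocess.run(
        ["spctl", "--assess", "--verbose", path],
        capture_output=True, text=True, check=False,
    )
    # spctl writes its assessment to stderr on most versions; combine both streams.
    return parse_spctl(proc.stdout + proc.stderr)


if __name__ == "__main__":
    verdict = assess_xcode()
    print(f"accepted={verdict.accepted} source={verdict.source!r}: {verdict.reason}")
```

Run it on the Mac whose Xcode you want to check; `codesign --verify --deep` would be the natural follow-up for a bundle that spctl accepts from an unexpected source. Note that a plain "accepted" is not enough on its own: Gatekeeper also accepts Developer ID-signed software, which is exactly why the example insists on an Apple signer.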
Dr. Jekyll stops by
The email wasn’t the only one showing Apple brass grappling with security issues. A separate email, forwarded to Apple Fellow Phil Schiller and others in 2013, contained a copy of the Ars article headlined “Seemingly benign ‘Jekyll’ app passes Apple review, then becomes ‘evil’.”
The article discussed research by computer scientists who found a way to sneak malicious programs into the App Store without being caught by the mandatory review process designed to automatically flag such apps. Schiller and the other recipients of the email wanted to know how they could defend against the technique, given their discovery that the static analyzer Apple used was ineffective against the newly discovered method.
“This static analyzer examines API names rather than actual APIs that are called, so there is a common problem with false positives,” wrote Eddy Cue, Apple’s senior vice president of Internet software and services. “The Static Analyzer gives us direct access to private APIs, but apps that use indirect methods to access those private APIs are completely absent. This is what the authors used in their Jekyll apps.”
The email also discussed the limitations of two other Apple defenses, one called a privacy proxy and the other called a backdoor switch.
“We need help convincing other teams to implement this functionality for us,” wrote Cue. “Until then, it’s more brutal and a little ineffective.”
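Cue's point, that a checker which compares extracted strings against a list of API names only sees direct references, is easy to see in a toy model. The following is an added example and is not Apple's analyzer or the Jekyll researchers' code: the two private-API names and the three sample "binaries" (lists of strings as `strings(1)` might extract them) are constructed. It contrasts a name-only scan with one that additionally notices the real runtime symbol-resolution functions (`NSSelectorFromString`, `sel_registerName`, `dlsym`), whose presence means the name-based result cannot be trusted to be complete and the app should go to manual review.

```python
"""Toy model of the gap Cue describes between name-based and behaviour-based review.

Added example, not Apple's code. PRIVATE_APIS and SAMPLES are constructed;
DYNAMIC_RESOLVERS are real Objective-C/dyld functions that turn a string into
a selector or function pointer at runtime.
"""
from dataclasses import dataclass

# Constructed stand-ins for private (review-prohibited) API names.
PRIVATE_APIS = frozenset({"_privateSetLocationOverride:", "_internalDeviceIdentifier"})

# Real symbols that resolve selectors or functions from strings at runtime.
# objc_msgSend is deliberately excluded: every Objective-C app imports it, so
# flagging it would be exactly the false-positive problem Cue complains about.
DYNAMIC_RESOLVERS = frozenset({"_NSSelectorFromString", "_sel_registerName", "_dlsym"})


@dataclass(frozen=True)
class Report:
    direct_hits: frozenset       # private API names seen as literal strings
    dynamic_resolvers: frozenset # runtime resolution functions the app imports

    @property
    def verdict(self) -> str:
        if self.direct_hits:
            return "reject"          # the name-based check is sufficient here
        if self.dynamic_resolvers:
            return "manual-review"   # no name seen, but names can be built at runtime
        return "accept"


def name_only_scan(strings) -> frozenset:
    """What the article says Apple's analyzer did: match strings against API names."""
    return frozenset(s for s in strings if s in PRIVATE_APIS)


def scan(strings) -> Report:
    """Name scan plus a check for runtime resolution primitives."""
    return Report(
        direct_hits=name_only_scan(strings),
        dynamic_resolvers=frozenset(s for s in strings if s in DYNAMIC_RESOLVERS),
    )


# Constructed symbol/selector strings for three hypothetical apps.
SAMPLES = {
    "honest":   ["_OBJC_CLASS_$_UIView", "viewDidLoad", "_objc_msgSend"],
    "direct":   ["_OBJC_CLASS_$_UIView", "_privateSetLocationOverride:", "_objc_msgSend"],
    "indirect": ["_OBJC_CLASS_$_UIView", "_NSSelectorFromString", "_objc_msgSend"],
}


def triage(samples=None) -> dict:
    """Map each sample app to the verdict of the combined scan."""
    samples = SAMPLES if samples is None else samples
    return {name: scan(strs).verdict for name, strs in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage().items():
        hits = sorted(name_only_scan(SAMPLES[name])) or "nothing"
        print(f"{name:9s} name-only scan finds {hits}; combined verdict: {verdict}")
```

The "indirect" sample is the case Cue is describing: the name-only scan returns nothing, so a name-based reviewer would pass it, while the combined scan does not accept it either but routes it to a human. The cost of that second rule is review load, which is the trade-off behind his remark that the approach is "a little ineffective" until other teams build the missing functionality.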
Lawsuits involving large corporations often open unprecedented windows into their inner workings and those of their executives. As here, those views are often at odds with what the companies say publicly. The trial continues next week.