Apple Brass discussed disclosing 128 million iPhone hacks and then decided against it
In September 2015, Apple managers had a dilemma in their hands: should they inform 128 million iPhone users about what is still the worst mass iOS compromise or not? Ultimately, all of the evidence showed that they chose to remain silent.
The mass hack first came to light when researchers discovered 40 malicious App Store apps, a number that rose to 4,000 as more researchers poked around. The apps contained code that made iPhones and iPads part of a botnet that stole potentially sensitive user information.
128 million infected.
An email brought to trial this week in Epic Games’ lawsuit against Apple shows that on the afternoon of September 21, 2015, Apple executives uncovered 2,500 malicious apps downloaded 203 million times by 128 million users were, 18 million of which were in the US.
“Joz, Tom and Christine – due to the large number of potentially affected customers, do we want to send an email to everyone?” Matthew Fischer, VP of the App Store, wrote referring to Greg Joswiak, Apple’s senior vice president of global marketing, and Apple’s PR staff, Tom Neumayr and Christine Monaghan. The email continued:
If so, Dale Bagwell from our Customer Experience team will be on hand to manage this on our side. Note that this poses some challenges regarding the language localization of the email as these apps were downloaded from a variety of App Store storefronts around the world (e.g. we don’t want to send an English language email to a customer who has downloaded one or more of these apps from the Brazil App Store, with Brazilian Portuguese being the more appropriate language).
The dog ate our disclosure
About 10 hours later, Bagwell discusses the logistics of notifying all 128 million affected users, locating notifications in each user’s language, and “precisely including.”[ing] the names of the apps for each customer. “
Unfortunately, Apple never seems to have implemented its plans. An Apple representative could not point to any evidence that such an email was ever sent. In statements that the representative sent in the background – which means that I am not allowed to quote them – it was indicated that Apple only published this post, which has now been deleted, instead.
The post has very general information on the Malicious Apps Campaign and finally only lists the 25 most downloaded apps. “If users have any of these apps, they should update the affected app to fix the problem on the user’s device,” the post said. “When the app is available on [the] App Store has been updated. If it’s not available, it should be updated very soon. “
Ghost of Xcode
The infections were the result of legitimate developers writing apps using a fake copy of Xcode, Apple’s iOS and OS X app development tool. The repackaged tool called XcodeGhost secretly inserted malicious code alongside normal app functions.
From there, apps prompted iPhones to report to a command and control server and provide a variety of device information, including the name of the infected app, the app bundle ID, network information, the device’s “identifierForVendor” details and the device name , Type and unique identifier.
XcodeGhost has proven to be faster to download in China than Xcode, which is available from Apple. In order for developers to run the fake version, they had to click through a warning from Gatekeeper, the macOS security feature that requires apps to be digitally signed by a well-known developer.
The lack of follow-up is disappointing. Apple has long made the security of the devices it sells a priority. It has also made privacy a core part of its products. It would have been right to notify those affected directly. We already knew that Google routinely doesn’t notify users when they download malicious Android apps or Chrome extensions. Now we know Apple did the same.
Dr. Stop Jekyll
The email wasn’t the only one showing Apple Brass fixed security issues. A separate article sent in 2013 to Apple Fellow Phil Schiller and others forwarded a copy of the Ars article entitled “Seemingly benign Jekyll app passes Apple review and then turns nasty.”
The article discussed research by computer scientists who found a way to sneak malicious programs into the app store without being detected by the mandatory verification process that is supposed to automatically flag such apps. Schiller and the other people who received the email wanted to find out how to step up their protection in the face of their discovery that the static analyzer used by Apple was ineffective against the newly discovered method.
“This static analyzer examines API names rather than actual APIs being called, so there is a common problem with false positives,” wrote Eddy Cue, Apple’s senior vice president of Internet software and services. “The Static Analyzer gives us direct access to private APIs, but apps that use indirect methods to access those private APIs are completely absent. This is what the authors used in their Jekyll apps. “
The email discussed the limitations of two other Apple defenses, one called a privacy proxy and the other called a backdoor switch.
“We need help convincing other teams to implement this functionality for us,” wrote Cue. “Until then, it’s more brutal and a little ineffective.”
Lawsuits involving large corporations often offer unprecedented portals for the inner workings of their work and that of their executives. As here, these views are often at odds with what companies are talking about. The process will continue next week.