In September 2015, Apple managers had a dilemma on their hands: Should they, or should they not, notify 128 million iPhone users of what remains the worst mass iOS compromise on record? Ultimately, all evidence shows, they chose to keep quiet.
The mass hack first came to light when researchers uncovered 40 malicious App Store apps, a number that mushroomed to 4,000 as more researchers poked around. The apps contained code that made iPhones and iPads part of a botnet that stole potentially sensitive user information.
An email entered into court last week in Epic Games’ lawsuit against Apple shows that, on the afternoon of September 21, 2015, Apple managers had uncovered 2,500 malicious apps that had been downloaded a total of 203 million times by 128 million users, 18 million of whom were in the US.
“Joz, Tom and Christine—due to the large number of customers potentially affected, do we want to send an email to all of them?” App Store VP Matthew Fischer wrote, referring to Apple senior vice president of worldwide marketing Greg Joswiak and Apple PR people Tom Neumayr and Christine Monaghan. The email continued:
If yes, Dale Bagwell from our Customer Experience team will be on point to manage this on our side. Note that this will pose some challenges in terms of language localizations of the email, since the downloads of these apps took place in a wide variety of App Store storefronts around the world (e.g. we wouldn’t want to send an English-language email to a customer who downloaded one or more of these apps from the Brazil App Store, where Brazilian Portuguese would be the more appropriate language).
About 10 hours later, Bagwell discussed the logistics of notifying all 128 million affected users, localizing notifications to each user’s language, and “accurately includ[ing] the names of the apps for each customer.”
Alas, all appearances are that Apple never followed through on its plans. An Apple representative could point to no evidence that such an email was ever sent. Statements the representative sent on background—meaning I’m not permitted to quote them—noted that Apple instead published only this now-deleted post.
The post provides very general information about the malicious app campaign and eventually lists only the top 25 most downloaded apps. “If users have one of these apps, they should update the affected app which will fix the issue on the user’s device,” the post stated. “If the app is available on [the] App Store, it has been updated, if it isn’t available it should be updated very soon.”
The infections were the result of legitimate developers writing apps using a counterfeit copy of Xcode, Apple’s iOS and OS X app development tool. The repackaged tool, dubbed XcodeGhost, surreptitiously inserted malicious code alongside normal app functions.
From there, apps caused iPhones to report to a command-and-control server and provide a variety of device information, including the name of the infected app, the app-bundle identifier, network information, the device’s “identifierForVendor” details, and the device name, type, and unique identifier.
XcodeGhost billed itself as faster to download in China, compared with Xcode available from Apple. For developers to have run the counterfeit version, they would have had to click through a warning delivered by Gatekeeper, the macOS security feature that requires apps to be digitally signed by a known developer.
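For build hosts, the Gatekeeper assessment described above can be checked from a script instead of a dialog a developer can click through. The following is an added example, not part of the original article or of any Apple tooling: it classifies the output of `spctl --assess --verbose` and treats a copy of Xcode as trusted only when Gatekeeper accepts it and reports an Apple source. The function names, the `--check` switch and the sample lines used to exercise it are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify a Gatekeeper assessment of an Xcode bundle.
# The allowed sources are the values spctl reports for Apple-distributed
# software; "accepted" with any other source (for instance a third-party
# Developer ID) still means the copy did not come from Apple.

# classify_assessment "<spctl output>"
# Prints a verdict; returns 0 only when the bundle is Apple-sourced.
classify_assessment() {
    local output src
    output=$1
    # spctl reports "<path>: accepted" or "<path>: rejected".
    if ! printf '%s\n' "$output" | grep -Eq ': accepted( |$)'; then
        echo "untrusted: Gatekeeper did not accept the bundle"
        return 1
    fi
    # The source follows "source=", on the same line or on the next one.
    src=$(printf '%s\n' "$output" | sed -n 's/.*source=\(.*\)$/\1/p' | head -n 1)
    case "$src" in
        "Mac App Store"|"Apple"|"Apple System")
            echo "trusted: source=$src"
            return 0 ;;
        "")
            echo "untrusted: no source reported"
            return 1 ;;
        *)
            echo "untrusted: accepted, but source=$src is not Apple"
            return 1 ;;
    esac
}

# check_xcode [path]: assess an installed bundle (macOS only).
check_xcode() {
    local app
    app=${1:-/Applications/Xcode.app}
    # spctl writes the assessment to stderr, so merge the streams.
    classify_assessment "$(spctl --assess --verbose "$app" 2>&1)"
}

# Hypothetical usage: sh check_xcode.sh --check /Applications/Xcode.app
if [ "${1:-}" = "--check" ] && command -v spctl >/dev/null 2>&1; then
    check_xcode "${2:-}"
fi
```

Run as a CI pre-build step, a non-zero exit status can fail the build before any app is compiled with an unverified toolchain.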
The lack of follow-through is disappointing. Apple has long prioritized the security of the devices it sells. It has also made privacy a centerpiece of its products. Directly notifying those affected by this lapse would have been the right thing to do. We already knew that Google routinely doesn’t notify users when they download malicious Android apps or Chrome extensions. Now we know that Apple has done the same thing.
The email wasn’t the only one that showed Apple brass hashing out security problems. A separate one sent to Apple fellow Phil Schiller and others in 2013 forwarded a copy of the Ars article headlined “Seemingly Benign ‘Jekyll’ App Passes Apple Review, Then Becomes ‘Evil.’”