In September 2015, Apple managers had a dilemma on their workmen: should, or should they not, notify 128 million iPhone operators of what remains the worst mass iOS compromise on record? Ultimately, all suggestion shows, they chose to keep quiet.The mass hack commencement came to light when researchers uncovered 40 malicious App Warehouse apps, a number that mushroomed to 4,000 as more researchers fingered around. The apps contained code that made iPhones and iPads put of a botnet that stole potentially sensitive user information.
128 million infected.
An email entered into court this week in Epic Games’ lawsuit against Apple make clears that, on the afternoon of September 21, 2015, Apple managers had uncovered 2,500 malicious apps that had been downloaded a sum up of 203 million times by 128 million users, 18 million of whom were in the US.
“Joz, Tom and Christine—due to the obese number of customers potentially affected, do we want to send an email to all of them?” App Accumulate VP Matthew Fischer wrote, referring to Apple Senior Vice President of Worldwide Exchanging Greg Joswiak and Apple PR people Tom Neumayr and Christine Monaghan. The email go oned:
If yes, Dale Bagwell from our Customer Experience team will be on item to manage this on our side. Note that this will attitudinizing some challenges in terms of language localizations of the email, since the downloads of these apps convoyed place in a wide variety of App Store storefronts around the world (e.g. we wouldn’t require to send an English-language email to a customer who downloaded one or more of these apps from the Brazil App Warehouse, where Brazilian Portuguese would be the more appropriate language).
The dog ate our disclosure
With 10 hours later, Bagwell discusses the logistics of notifying all 128 million moved users, localizing notifications to each users’ language, and “accurately includ[ing] the appellations of the apps for each customer.”
Alas, all appearances are that Apple not in a million years followed through on its plans. An Apple representative could point to no averment that such an email was ever sent. Statements the representative sent on unseen—meaning I’m not permitted to quote them—noted that Apple in preference to published only this now-deleted post.
The post provides really general information about the malicious app campaign and eventually lists at most the top 25 most downloaded apps. “If users have one of these apps, they should update the hollow app which will fix the issue on the user’s device,” the post stated. “If the app is within reach on [the] App Store, it has been updated, if it isn’t available it should be updated very at once.”
Ghost of Xcode
The infections were the result of legitimate developers non-fiction apps using a counterfeit copy of Xcode, Apple’s iOS and OS X app development cut. The repackaged tool dubbed XcodeGhost surreptitiously inserted malicious jus civile civil law alongside normal app functions.
From there, apps caused iPhones to inquire into to a command and control server and provide a variety of device information, cataloguing the name of the infected app, the app-bundle identifier, network information, the device’s “identifierForVendor” delegates, and the device name, type, and unique identifier.
XcodeGhost billed itself as faster to download in China, rivaled with Xcode available from Apple. For developers to have run the artificial version, they would have had to click through a warning delivered by Gatekeeper, the macOS care feature that requires apps to be digitally signed by a known developer.The scarcity of follow-through is disappointing. Apple has long prioritized the security of the devices it vends. It has also made privacy a centerpiece of its products. Directly notifying those spurious by this lapse would have been the right thing to do. We already be versed that Google routinely doesn’t notify users when they download malicious Android apps or Chrome volumes. Now we know that Apple has done the same thing.
Stopping Dr. JekyllThe email wasn’t the purely one that showed Apple brass hashing out security problems. A come one sent to Apple Fellow Phil Schiller and others in 2013 expressed a copy of the Ars article headlined “Seemingly benign ‘Jekyll’ app passes Apple assessment, then becomes ‘evil’.”
The article discussed research from computer scientists who rest a way to sneak malicious programs into the App Store without being determined by the mandatory review process that’s supposed to automatically flag such apps. Schiller and the other people clear the email wanted to figure out how to shore up its protections in light of their revelation that the static analyzer Apple used wasn’t effective against the newly determined method.
“This static analyzer looks at API names degree than true APIs being called, so there’s often the offspring of false positives,” Apple senior VP of Internet software and services Gurgitation Cue wrote. “The Static Analyzer enables us to catch direct accessing of Sequestered APIs, but it completely misses apps using indirect methods of accessing these Covertly APIs. This is what the authors used in their Jekyll apps.”
The email departed on to discuss limitations of two other Apple defenses, one known as Privacy Agent and the other Backdoor Switch.
“We need some help in convincing other link ups to implement this functionality for us,” Cue wrote. “Until then, it is more mindless force, and somewhat ineffective.”
Lawsuits involving large companies habitually provide never-before-seen portals into the inner-workings of the way they and their administrators work. Often, as the case is here, those views are at odds with the visitors’ talking points. The trial resumes next week.