In September 2015, Apple managers had a problem on their hands: should, or should they not remind 128 million iPhone users of what is the worst iOS vulnerability on record? In the end, all the evidence shows, they chose to remain silent.
The hack first came to light when researchers discovered 40 malicious App Store apps, a number of Capital up to 4,000 as more researchers poked around. The apps contain code that makes iPhones and iPads part of a botnet that steals sensitive user information.
128 million diseases
An email entered into the court This week the Epic Games lawsuit against Apple revealed that, on the afternoon of September 21, 2015, Apple managers had discovered 2,500 malicious applications that had been downloaded a total of 203 million times by users 128 million, 18 million of whom are in the US.
“Joz, Tom and Christine—because of the large number of customers involved, do we want to send an email to all of them?” App Store VP Matthew Fischer wrote, referring to Apple Vice President of Worldwide Marketing Greg Joswiak and Apple PR people Tom Neumayr and Christine Monaghan. The email continued:
If yes, Dale Bagwell from our Customer Experience Team will be on hand to manage this on our behalf. Note that this will pose some challenges in terms of email localization, since the downloads of these applications take place in many App Store fronts around the world (for example we would not like to email sent in English to a customer who downloads one or more of these apps from the Brazilian App Store, where Brazilian Portuguese will be the most appropriate language).
The dog is our show
About 10 hours later, Bagwell discussed the logistics of notifying all 128 million affected users, translating notifications to each user’s language, and “adding (with) the names of the apps for each customer.”
Alas, all indications are that Apple did not follow through on his plans. An Apple representative could point to no evidence that such an email had ever been sent. The details of the agent sent to the background – meaning that I am not allowed to say them – note that Apple instead only published The post has now been deleted.
The post provides general information about the malicious application campaign and finally lists the top 25 most downloaded applications. “If users have one of these apps, they should update the affected app which will fix the issue on the user’s device,” the post said. “If the application is on the (home) store, it has been updated, if not it should be updated soon.”
The spirit of Xcode
The infections are the result of legitimate developers building applications using fake versions Xcode, Apple’s iOS and OS X app development tool. A repurposed tool called XcodeGhost secretly injects malicious code alongside normal app functions.
From there, the apps let iPhones report to a command-and-control server and provide a variety of device information, including the name of the infected app, app identifier, network information, the device’s “identifierForVendor” details, and device name. , type, and unique identifier.
XcodeGhost rates itself as faster to download in China, compared to Xcode available from Apple. For developers to have run the fake version, they would have had to click through a warning delivered by Gateway, a macOS security feature that requires apps to be digitally signed by a known developer.
The lack of follow-through is disappointing. Apple has long prioritized the security of the devices it sells. It has also made privacy central to its products. Directly informing those of this retreat would be the right thing to do. We already know that Google often doesn’t warn users when they download malicious Android apps or Chrome extensions. Now we know that Apple has done the same thing.
Stop Dr. Jekyll
The email is not the only one that shows Apple jar hashing security problems. A separate one sent to Apple colleague Phil Schiller and others in 2013 led a copy of the Ars article titled “It seems like a bad ‘Jekyll’ app passed Apple’s review, and became ‘bad.'”
The article discusses research from computer scientists who found a way to sneak malicious programs into the App Store without going through the mandatory review process that should automatically flag such apps. Schiller and other people who receive email want to figure out how to protect their security in light of their discovery that static analysis The used apple is not effective against the newly discovered method.
“This static analyzer looks at API names rather than actual APIs being called, so there is often an issue of false positives,” Apple Senior VP of Internet Software and Services Eddy Cue wrote. “Static Analysis allows us to directly access Private APIs, but completely misses applications using indirect methods of accessing these Private APIs. This is what the authors use in their Jekyll applications. “
The email goes on to discuss the limitations of two other Apple safeguards, one known as Privacy Agent and the other Backdoor Switch.
“We need some help convincing other parties to do this work for us,” Cue wrote. “Until then, it’s just more wasted energy, and it’s useless.”
Lawsuits involving large corporations often provide unprecedented access to the inner workings of how they and their executives operate. Often, as is the case here, those views are at odds with the companies’ talking points. The exam resumes next week.