Apple failed to disclose security incident affecting 128 million users in 2015

An email entered into court this week in Epic Games' lawsuit against Apple shows that Apple managers uncovered 2,500 malicious apps had been downloaded a total of 203 million times by 128 million users in 2015. Evidence shows Apple managers chose to not disclose this security incident.

According to Ars Technica, the apps contained code that made iPhones and iPads part of a botnet that stole potentially sensitive user information.

“Joz, Tom and Christine—due to the large number of customers potentially affected, do we want to send an email to all of them?” App Store VP Matthew Fischer wrote, referring to Apple Senior Vice President of Worldwide Marketing Greg Joswiak and Apple PR people Tom Neumayr and Christine Monaghan, reports Ars Technica.

The email continued: "If yes, Dale Bagwell from our Customer Experience team will be on point to manage this on our side. Note that this will pose some challenges in terms of language localizations of the email, since the downloads of these apps took place in a wide variety of App Store storefronts around the world (e.g. we wouldn’t want to send an English-language email to a customer who downloaded one or more of these apps from the Brazil App Store, where Brazilian Portuguese would be the more appropriate language)."

Evidence shows Bagwell discussed the logistics of disclosing the breach, which included notifying all 128 million affected users, localizing notifications to each users' language and accurately including the names of the apps for each customer.

Ars Technica reports, "the infections were the result of legitimate developers writing apps using a counterfeit copy of Xcode, Apple's iOS and OS X app development tool. The repackaged tool dubbed XcodeGhost surreptitiously inserted malicious code alongside normal app functions. From there, apps caused iPhones to report to a command-and-control server and provide a variety of device information, including the name of the infected app, the app-bundle identifier, network information, the device’s “identifierForVendor” details, and the device name, type, and unique identifier. XcodeGhost billed itself as faster to download in China, compared with Xcode available from Apple. For developers to have run the counterfeit version, they would have had to click through a warning delivered by Gatekeeper, the macOS security feature that requires apps to be digitally signed by a known developer."

Hank Schless, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile security solutions, says, "Attackers are constantly trying to come up with new ways to get around gatekeeping efforts like the App Store review process. Successfully doing so guarantees that their malware has a chance to spread quickly, even if the app is only up for a short amount of time. This incident shows that mobile users are always at risk of being exposed to malware. Since mobile devices are so personal to us and we see them as extensions of ourselves, we trust them to be inherently secure."

"We all know that it’s smart to have a security tool that protects us on our computers, so why treat our smartphones and tablets any differently? Mobile devices have more access to cloud-based apps and infrastructure than most computers do and attackers know that these devices are a treasure trove of valuable data," Schless says. "Using a mobile security solution that can detect known and unknown malware on a smartphone or tablet is key to both personal and enterprise security. Given how connected these devices are, attackers can start by targeting individuals on a personal level, then use the device or stolen credentials as a springboard into corporate infrastructure."

Setu Kulkarni, Vice President, Strategy at WhiteHat Security, a San Jose, Calif.-based provider of application security, adds, "Mobile phones are extensions of our brains and our lives in general. They are in our hands, in our pockets and by our bedside for the entire day. For all Apple users, we have let Apple become a part of our families – and have driven Apple profits to levels once unseen. In return, all of us should justifiable expect more from Apple – they need to come clean and be transparent with respect to every action and incident that affects any one of their customers. The key here for Apple is to clearly outline the impact to the end user and not just send out a technical alert and update that is embedded in their release notes. Do doctors or lawyers hide issues that affect you from you?"

Though Apple has made privacy a centerpiece of its products and software, the lack of disclosure is severely disappointing, security executives say, and notifying the affected users would have been the right, and responsible, thing to do.

Dirk Schrader, Global Vice President, Security Research at New Net Technologies (NNT), a Naples, Florida-based provider of cybersecurity and compliance software, explains, "When the US government is concerned about the effects the SolarWinds attack has, it should be even more concerned with this revelation. Both large app stores, Google’s Play Store, as well as Apple’s, are essentially a large malware distribution platform if not managed well. That email, and Apple’s decision not to inform customers and the public, demonstrates what that means. It seems that they feared public outrage and backlash more than standing up and telling customers about the potential risks involved."

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.