Apple has now been caught keeping a major hack a secret. In the Apple-Epic trial, email threads released to the public exposed a significant fault in Apple's security response. As reported by Ars Technica, Epic Games presented a trail of emails in court showing that Apple higher-ups did not inform 128 million iPhone owners about the largest successful iOS mass hack ever.
The court war between Apple and Epic over Fortnite has put both companies in a position to openly air each other's dirty laundry in public. The exposure of data from 128 million iOS devices is one of the facts Epic Games has brought before the court.
Epic Games disclosed in court an email dated September 21, 2015, in which Apple managers discussed 2,500 malicious apps present in the App Store that 128 million users downloaded over 203 million times.
Apple Higher-Ups' Discussion Exposed
In the email provided by Epic Games, App Store VP Matthew Fischer asked Apple Senior VP of Worldwide Marketing Greg Joswiak and Apple PR people Christine Monaghan and Tom Neumayr (on September 21, 2015) whether they should email the affected users about the malicious apps. He added that if they favored sending emails, they should make sure it was managed perfectly. The discussion continued about ways to notify the affected users. But the fact is that Apple has never notified the 128 million victims about the hack to this day. No Apple representative can provide evidence that they ever sent the email to the victims.
How This Malicious Attack Took Place
Cybersecurity researchers in 2015 found 40 malicious "XcodeGhost" apps. It was also the year of the iPhone 6S launch. Later, it was uncovered that there were more than 4,000 compromised apps in the App Store. The XcodeGhost apps contained code that made iOS devices part of a botnet that stole data from users.
The developers behind those apps built them with a counterfeit version of Xcode, Apple's app development tool. This counterfeit version, known as XcodeGhost, secretly injected malicious code alongside the app's normal functionality. The resulting apps made iPhones report to a command-and-control server and deliver a wide set of sensitive device data, such as the infected app's name, network information, the app-bundle identifier, device name, unique identifier, type, etc.
Compared to Apple's Xcode, XcodeGhost claimed to be faster to download in China. To run the counterfeit version of the tool, the developers also had to click through the warning issued by Gatekeeper (a security feature of macOS that makes it mandatory for developers to digitally sign apps). In short, developers exploited Xcode, bypassed security, and extracted sensitive data.
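The Gatekeeper warning that developers clicked through is something a build machine can check for automatically. The script below is an added example, not code from the article or from Apple: it treats an Xcode install as trusted only when `spctl --assess` both accepts it and reports an Apple source. The function names `classify_spctl` and `check_xcode` are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: gate a build on the provenance of the Xcode install.
# Function names are hypothetical; spctl is the macOS Gatekeeper CLI.

# classify_spctl TEXT
#   TEXT is the output of `spctl --assess --verbose <app>`.
#   Prints a verdict and returns 0 only for an Apple-distributed bundle.
classify_spctl() {
    local out="$1" src
    # A rejected or unsigned bundle never prints ": accepted".
    case "$out" in
        *": accepted"*) ;;
        *) echo "rejected"; return 1 ;;
    esac
    # "accepted" alone is not enough: any Developer ID app is accepted too.
    src=$(printf '%s\n' "$out" | sed -n 's/^source=//p' | head -n 1)
    case "$src" in
        "Mac App Store"|"Apple"|"Apple System")
            echo "trusted:$src"; return 0 ;;
        *)
            echo "untrusted:${src:-unknown}"; return 1 ;;
    esac
}

# check_xcode [PATH]
#   Runs Gatekeeper's assessment on the Xcode bundle and classifies it.
#   Returns 2 when spctl is unavailable (not running on macOS).
check_xcode() {
    local app="${1:-/Applications/Xcode.app}" out
    command -v spctl >/dev/null 2>&1 || {
        echo "spctl not found (macOS only)"; return 2; }
    out=$(spctl --assess --verbose "$app" 2>&1)
    classify_spctl "$out"
}
```

On a macOS build agent, call `check_xcode` before the build step and fail the job on a non-zero status.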
The Itchy Silence Strategy of Apple
Apple has traditionally marketed itself as a premium firm that values the security of its products and millions of users. It has also made privacy a priority in its offerings. The decision to notify the affected people directly would have been the proper course of action. But unfortunately, it didn’t happen. Tech users already know that Google often doesn’t inform its users if they downloaded malicious Chrome extensions or Android apps, but now Apple is also on the same track.
The 2015 email was not Apple's only security breach case. Back in 2013, Apple fellow Phil Schiller and others received an email quoting an Ars Technica article. The article described research by computer scientists who discovered a means to sneak malicious apps into Apple's App Store without being noticed by the security review procedure, which automatically identifies such apps. The email was meant to ask for suggestions on addressing the security loopholes mentioned in the article. This further showcases the vulnerabilities in Apple's security defenses and how silent the company has remained in such cases.
The court war between Apple and Epic Games highlights some uncomfortable facts we were not expecting to hear. The recently released email evidence of the hack affecting 128 million iPhones, together with the silence from the tech giant, makes its users more suspicious. The first question this situation raises is how often similar silence has been kept in the past. The second is how secure Apple users should consider themselves when they, too, are vulnerable to serious malicious attacks. In short, no matter how large an organization is or how effective its security infrastructure, there are always risks of malicious cyber-attacks.