Apple has recently been outed in court for purposely concealing the hack of 128 million iPhone users back in 2015, the worst mass iOS compromise on record.
In September 2015, researchers reported finding approximately 40 malicious apps within the App Store that contained code that made iPhones and iPads part of a botnet that stole sensitive user information. As more researchers joined the search, the number of apps mushroomed to 4000.
The malicious apps were downloaded a total of 203 million times by 128 million users, with 18 million of these being US customers.
Epic Games’ recent court battle with Apple has revealed that Apple decided against notifying the affected iPhone users about its first ever mass hack in 2015.
Matthew Fischer, App Store VP, wrote: “Joz, Tom and Christine—due to the large number of customers potentially affected, do we want to send an email to all of them?” He was addressing Apple senior vice president of worldwide marketing Greg Joswiak and Apple PR people Tom Neumayr and Christine Monaghan. The email continued:
“Note that this will pose some challenges in terms of language localizations of the email, since the downloads of these apps took place in a wide variety of App Store storefronts around the world (e.g. we wouldn’t want to send an English-language email to a customer who downloaded one or more of these apps from the Brazil App Store, where Brazilian Portuguese would be the more appropriate language).”
Although the logistics of notifying users were discussed, Apple never followed through. In court, an Apple representative was unable to produce any evidence that the email was sent.
The infections resulted from legitimate developers building their apps with a counterfeit copy of Apple’s development tool, Xcode. The repackaged tool, XcodeGhost, inserted malicious code into apps alongside normal app functions.
Considering Apple’s focus on prioritising privacy, and the inclusion of security as a key selling point of its products, its lack of action in the worst mass iOS compromise on record is incredibly disappointing, to say the least.