Epic discovery: A massive iPhone hack that Apple swept under the rug

“A rare, behind-the-scenes, and often unflattering peek at how Apple wields power.” — Slate

From Aaron Mak’s “The Most Embarrassing Revelations in Apple’s Antitrust Trial” posted Monday on Slate.com:

The Biggest Known iPhone Hack. As part of discovery, Apple released emails that surfaced worrying details about the largest known iPhone hack to date. In September 2015, researchers notified managers at the company that 2,500 apps containing malicious code had been downloaded 203 million times by 128 million iPhone users. (Further investigation would later reveal that 4,000 apps had been affected.) Of the victims, 18 million were in the U.S. and more than half were in China. Hackers were able to create a counterfeit version of Apple’s Xcode app development tool that deployed the malicious code and prompted iPhones to divulge information like device identifiers and network info. In the emails, Apple’s managers discuss steps for notifying all the affected users via email, which is best practice for data breaches and often mandated by state law. However, it doesn’t seem that Apple ever ended up sending that email. Instead, it published a blog post that vaguely outlined how the hack worked and only disclosed the 25 most popular apps that had the malicious code. The post has since been taken down, and it wasn’t until this year that the public learned just how many iPhone users the hack had managed to reach.

My take: Pretty damning, if true.


  1. Bart Yee said:
    What we didn’t see and maybe Apple did not elaborate on was how Apple addressed this with the App developers, how the malicious Apps were dealt with (did app updates or subsequent iOS updates clear the malicious code or enhance security) or did Apple remove the apps until updated and certified clean app updates were uploaded for App Store Distribution.

    As usual, media focus is not on the malicious code discovery but on the potential “cover-up”, but IMO, we don’t have Apple’s side of exactly how they did address it. IMO, Apple may not really want to divulge how they addressed this breach and with whom, keeping App Developer and user privacy and security intact.

    This does assume that Apple DID address this now 6-year-old breach. All the more reason for Apple’s close scrutiny and curation of the App Store, and precisely the reasons for its costs of vigilance, maintenance and upkeep to Apple.

    May 24, 2021
  2. Gregg Thurman said:
    The trial is over. Epic didn’t make a stink about the breach, ergo it’s a non-issue.

    May 24, 2021
  3. Fred Stein said:
    Epic’s team must have paid for tens of thousands of hours of expensive professionals, plus AI / keyword searches to dig up embarrassing emails and incidents, not to make a legal case but to feed unscrupulous click-baiters.

    May 24, 2021
  4. Daniel Epstein said:
    A perfect example of how the security issue cuts both ways. Apple looks bad for not catching the breach sooner and maybe not informing the victims in a proper manner. On the other hand it shows the idea of opening up the walled Garden to more uncontrolled situations exposes all users to more security issues. Even if Apple isn’t perfect against all security issues as they arise they do have a responsibility for patching and solving them afterwards. If third party stores and payments were allowed it immediately changes that equation. Probably why Epic didn’t want to use it in the case.

    May 24, 2021
  5. Bart Yee said:
    If a third party App Store was allowed into being, and if said App Store introduced malicious code or malware into Apps downloaded into Apple iPhones, who would the user turn to to get the malware addressed or deal with any consequences (identity theft, data or financial breaches, spam, tracking, etc.)?

    IMO, the user would turn first to Apple and plead with them that it’s Apple’s security problem and the iOS software should have protected them.

    OTOH, Apple would look bad if it stated “we have no control over third party App Stores, their curation, security, policies, or Apps. Any resulting damage or injury from downloading malicious-code-filled apps will be between user and said App Store, including any resulting personal data loss, breach or hardware damage. Apple may assist in terms of cleansing or resetting hardware to factory fresh under warranty or Apple Care+ if possible but cannot be responsible for any personal software, data, or financial considerations. If the iPhone is permanently bricked by malicious code, the user will have no other option than to purchase a new device.”

    In other words, use a third party App Store outside of Apple and you’re risking your investment in your iPhone and all of your data and privacy.

    May 25, 2021
    • Bart Yee said:
      The other considerations would be 1) would users sue Apple if outside App Stores’ bad apps damaged their iPhones or breached security or would they eventually sue the third party App Store?

      2) Would the outside App Store then pass the buck to the developer?

      3) Would Apple itself consider litigation against the 3rd party App Store as not meeting Apple standards and damaging Apple’s reputation?

      IMHO, gamers are likely techie young men who revel in taking chances and risks, emboldened by the testosterone and adrenaline rush of FPS gaming, spending money, and feeling technically superior. But once they suffer significant effects of a malware attack brought on by their own actions (shades of Epic) and outside App Stores’ lax or non-existent vetting ability, who will they come running to?

      Third party app stores want to exist SPECIFICALLY to make more money. App curation and security explicitly would cut into their profits so IMO would get short shrift in a non-platform owning company like Epic. As for Epic’s “principles and policies for its users”, spare me, there aren’t any except to profit off of them as much as possible.

      IMO, Apple holds its principles and user policies as first and foremost, knowing that adherence and effective execution of security, privacy, and User protection will engender good business opportunities and eventual profitability.

      May 25, 2021
