
Apple brass discussed alerting users of a 128-million iPhone hack, then seemingly decided not to

Tensimeter

Summary

In more news learned from Apple and Epic’s court case, it appears Apple did not fully disclose what happened with the XcodeGhost hack from 2015. XcodeGhost was an alternative Xcode mirror in China which offered faster downloads of the mandatory tool for iOS development. XcodeGhost was actually malware, and over 4000 iOS apps were published using the malware.
 

A newly revealed internal email shows that 128 million iOS users had apps installed that were built by XcodeGhost. In the email, an Apple employee mentions work is ongoing to resolve some issues with an internal mass user alerting tool. This would have allowed Apple to individually notify affected users. However, Apple ultimately appears not to have sent out those 128 million alerts, as currently no conclusive evidence has been provided that Apple did so. Apple did, however, publish a general announcement which is now deleted. Many news outlets at the time also reported on XcodeGhost.

 

Quotes

The internal email in question:

[Image: screenshot of the internal Apple email]

 

Quote

Alas, all appearances are that Apple never followed through on its plans [to notify users of the incident]. An Apple representative could point to no evidence that such an email was ever sent. Statements the representative sent on background—meaning I’m not permitted to quote them—noted that Apple instead published only this now-deleted post.

 

The post provides very general information about the malicious app campaign and eventually lists only the top 25 most downloaded apps. “If users have one of these apps, they should update the affected app which will fix the issue on the user’s device,” the post stated. “If the app is available on [the] App Store, it has been updated, if it isn’t available it should be updated very soon.”

 

My thoughts

Apple was clearly uncomfortable sharing the full and ugly truth of what happened. It seems Apple couldn’t send a simple email notification to affected users, so why should anyone trust them on their claims of security? What proof do we have that Apple hasn’t properly disclosed other security breaches in the past? Why should they be trusted to properly report security breaches in the future? I believe we certainly don’t have a good reason to trust them now.

 

Sources

Recent article discussing the new email:

https://arstechnica.com/gadgets/2021/05/apple-brass-discussed-disclosing-128-million-iphone-hack-then-decided-not-to/

Reporting from 2015 on XcodeGhost:

https://arstechnica.com/information-technology/2015/09/apple-scrambles-after-40-malicious-xcodeghost-apps-haunt-app-store/

A report on XcodeGhost from 2015:

https://www.fireeye.com/blog/executive-perspective/2015/09/protecting_our_custo.html

An article on XcodeGhost from 2015:

https://www.bbc.com/news/technology-34311203


I don't like Apple, but this seems a bit misleading. So they did publish information about it; they just didn't track, identify and target specific users personally who downloaded an affected app. 

 

And the 128 million is kind of a little sensationalist. Without knowing much about that time period, perhaps more information came out that made contacting users unnecessary? The source you used doesn't specify how long the hacked Xcode was used, only that there ended up being ~4000 apps after researchers checked. Once Apple removed all the found apps, developers would have corrected the issue and affected users with auto-update would be fixed. 

Clearly they kept the announcement to a minimum, and that's a bit "shady" from a company that tries to project a different image, but this single email doesn't really give us a full perspective for judgement.

 


18 minutes ago, gabrielcarvfer said:

"Your data is safe. What happens on your phone stays on your phone."

 

Except when you install apps with malware distributed by Apple itself.

don't worry, the App Store is 100% safe. this is why we don't allow 3rd party app stores or sideloading...

🌲🌲🌲


Apple hates bad publicity and this would've made headlines. That's the same reason why whenever they issue a recall, they always claim that it only affects a "small number of devices", to minimize it as much as possible.

 

The fact they justify their 30% with their added security measures and all that on the App Store is kind of laughable when you consider that this happened.

CPU: AMD Ryzen 3700x / GPU: Asus Radeon RX 6750XT OC 12GB / RAM: Corsair Vengeance LPX 2x8GB DDR4-3200
MOBO: MSI B450m Gaming Plus / NVME: Corsair MP510 240GB / Case: TT Core v21 / PSU: Seasonic 750W / OS: Win 10 Pro


Wow, this is some bombshell security news. I'm glad Epic is shining a light on Apple and showing their white knight protector gig is up. Locking down users to the App Store for their "safety" and yet failing to properly notify users of a massive security breach. What else are they hiding regarding their security? Epic is going to destroy Apple in court.


5 hours ago, Tensimeter said:

Apple came as far as having a mass notification tool mostly ready to notify all affected users, but ultimately decided to not individually notify those affected.

ok buddy, did you actually read the email? it clearly says the tool had problems and that it would take time to fix, plus more time to actually send out all the messages

MSI GX660 + i7 920XM @ 2.8GHz + GTX 970M + Samsung SSD 830 256GB


15 hours ago, Neftex said:

ok buddy, did you actually read the email? it clearly says the tool had problems and that it would take time to fix, plus more time to actually send out all the messages

I said mostly ready, I did not say it was fully ready. Yes, the tool had issues, but Apple clearly has the capability to fix them and make it work. It would have taken some time, but those are solvable issues that they talked about in the email.

 

I don’t see how the fact that apple still had issues they needed to sort out changes the main point. Apple clearly could have done it had they wanted to, and they decided not to do it at all. 
 

I can definitely rewrite that part to make it more clear though. How would you suggest I change it? Perhaps something like “In the email, an Apple employee offered to solve some issues with a mass individual notification tool. This would have allowed Apple to individually notify affected users. However, Apple ultimately did not send such an email, as they never individually notified affected users”.

 

(Edit: I have edited the post with some changes, please see if the new version is accurate).


20 hours ago, divito said:

I don't like Apple, but this seems a bit misleading. So they did publish information about it; they just didn't track, identify and target specific users personally who downloaded an affected app. 

 

And the 128 million is kind of a little sensationalist. Without knowing much about that time period, perhaps more information came out that made contacting users unnecessary? The source you used doesn't specify how long the hacked Xcode was used, only that there ended up being ~4000 apps after researchers checked. Once Apple removed all the found apps, developers would have corrected the issue and affected users with auto-update would be fixed. 

Clearly they kept the announcement to a minimum, and that's a bit "shady" from a company that tries to project a different image, but this single email doesn't really give us a full perspective for judgement.

 

Would a title like this be more clear about what happened? “Apple brass discussed individually notifying users of a 128-million iPhone hack, then decided not to” 


Even if there was new information that made individually notifying users unnecessary, they still should have done so. It’s the reasonable security thing to do, and as you said they kept their announcement to a minimum.

 

Hopefully we will get more emails and other perspectives about this so we can get a clearer picture of this incident.

 

Edit: I have edited the title, is the new one a better representation of the situation?


17 hours ago, Tensimeter said:

Summary

In more news learned from Apple and Epic’s court case, it appears Apple did not fully disclose what happened with the XcodeGhost hack from 2015. XcodeGhost was an alternative Xcode mirror in China which offered faster downloads of the mandatory tool for iOS development. XcodeGhost was actually malware, and over 4000 iOS apps were published using the malware. Newly revealed internal emails show that 128 million iOS users had apps installed that were built by XcodeGhost. Furthermore, Apple came as far as having a mass notification tool mostly ready to notify all affected users, but ultimately decided to not individually notify those affected. Apple only published a general announcement which is now deleted.

 

Quotes

The internal email in question:

[Image: screenshot of the internal Apple email]

 

 

My thoughts

Apple was clearly uncomfortable sharing the full and ugly truth of what happened. If Apple couldn’t send a simple email notification notifying affected users, why should anyone trust them on their claims of security? What proof do we have that Apple hasn’t properly disclosed other security breaches in the past? Why should they be trusted to properly report security breaches in the future? The answer is we certainly don’t have a good reason to trust them now.

 

Sources

Recent article discussing the new email

https://arstechnica.com/gadgets/2021/05/apple-brass-discussed-disclosing-128-million-iphone-hack-then-decided-not-to/

Reporting from 2015 on XcodeGhost

https://arstechnica.com/information-technology/2015/09/apple-scrambles-after-40-malicious-xcodeghost-apps-haunt-app-store/

A report on XcodeGhost from 2015

https://www.fireeye.com/blog/executive-perspective/2015/09/protecting_our_custo.html

sEcUrItY bY oBsCuRiTy Vro!


Always knew that Apple was shady, *sighs*, just look at the update that slowed down older iPhones to help keep them cool (I understand why they did it), yet they kept this tasty bit of info to themselves, leading owners of older iPhones to conclude their phones were too old for newer iOS, so they upgraded to newer iPhones. Yet peeps support them in droves....🙄

Main Rig: AMD AM4 R9 5900X (12C/24T) + Tt Water 3.0 ARGB 360 AIO | Gigabyte X570 Aorus Xtreme | 2x 16GB Corsair Vengeance DDR4 3600C16 | XFX MERC 310 RX 7900 XTX | 256GB Sabrent Rocket NVMe M.2 PCIe Gen 3.0 (OS) | 4TB Lexar NM790 NVMe M.2 PCIe4x4 | 2TB TG Cardea Zero Z440 NVMe M.2 PCIe Gen4x4 | 4TB Samsung 860 EVO SATA SSD | 2TB Samsung 860 QVO SATA SSD | 6TB WD Black HDD | CoolerMaster H500M | Corsair HX1000 Platinum | Topre Type Heaven + Seenda Ergonomic W/L Vertical Mouse + 8BitDo Ultimate 2.4G | iFi Micro iDSD Black Label | Philips Fidelio B97 | C49HG90DME 49" 32:9 144Hz Freesync 2 | Omnidesk Pro 2020 48" | 64bit Win11 Pro 23H2

2nd Rig: AMD AM4 R9 3900X + TR PA 120 SE | Gigabyte X570S Aorus Elite AX | 2x 16GB Patriot Viper Elite II DDR4 4000MHz | Sapphire Nitro+ RX 6900 XT | 500GB Crucial P2 Plus NVMe M.2 PCIe Gen 4.0 (OS)2TB Adata Legend 850 NVMe M.2 PCIe Gen4x4 |  2TB Kingston NV2 NVMe M.2 PCIe Gen4x4 | 4TB Leven JS600 SATA SSD | 2TB Seagate HDD | Keychron K2 + Logitech G703 | SOLDAM XR-1 Black Knight | Enermax MAXREVO 1500 | 64bit Win11 Pro 23H2


Haha no wonder Epic brought this up lol.


1 hour ago, RorzNZ said:

Haha no wonder Epic brought this up lol.

Play stupid games, win stupid prizes.

 

- Apple makes it unnecessarily difficult to get ahold of Xcode

- China makes it unnecessarily difficult to access anything outside of China

 

https://www.fireeye.com/blog/threat-research/2015/11/xcodeghost_s_a_new.html

Quote

Just over a month ago, iOS users were warned of the threat to their devices by the XcodeGhost malware. Apple quickly reacted, taking down infected apps from the App Store and releasing new security features to stop malicious activities. Through continuous monitoring of our customers’ networks, FireEye researchers have found that, despite the quick response, the threat of XcodeGhost has maintained persistence and been modified.

More specifically, we found that:

  • XcodeGhost has entered into U.S. enterprises and is a persistent security risk
  • Its botnet is still partially active
  • A variant we call XcodeGhost S reveals more advanced samples went undetected

...

 


Incidentally ...

https://theintercept.com/2015/03/10/ispy-cia-campaign-steal-apples-secrets/

Quote

The security researchers also claimed they had created a modified version of Apple’s proprietary software development tool, Xcode, which could sneak surveillance backdoors into any apps or programs created using the tool. Xcode, which is distributed by Apple to hundreds of thousands of developers, is used to create apps that are sold through Apple’s App Store.

Who do we blame? Clearly the CIA/Snowden knew this was possible, which means other intelligence agencies also did.

 

It seems like the target was Chinese nationals from the start, and people using this version of Xcode were effectively using "pirate" versions of the development environment, so Apple should have immediately pulled all those apps and the developer accounts of every product built with it.

 

Yet, because Apple controls the App store, they have the ability to do just that. You can't do that with jailbroken devices, and this is one of the reasons in favor of walled gardens, because the operator of the walled garden can act immediately instead of waiting for their idiot manufacturers to release firmware updates that might never happen because the manufacturers would rather sell new hardware than fix existing ones.

 


On 5/9/2021 at 3:00 AM, gabrielcarvfer said:

"Your data is safe. What happens on your phone stays on your phone."

 

Except when you install apps with malware distributed by Apple itself.

The malware on your phone stays on your phone because we won't tell you it's malware 😉 

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


3 hours ago, Sauron said:

The malware on your phone stays on your phone because we won't tell you it's malware 😉 

You aren't infected if Apple doesn't tell anyone their phones are infected


On 5/10/2021 at 8:36 AM, wat3rmelon_man2 said:

"What the customer doesn't know can't hurt them"

-Best Buy and now Apple, apparently

The “now” bit seems to be incorrect. This is apparently a record of something several years old. There might possibly be a few iPhone users who have blocked updates for years and still have the stuff on their phones, but I doubt very many. It was an obnoxious, if not very unusual, move for the time though. There seems to be a push to conflate old behavior with current behavior. Not saying it was good behavior, of course, and if they did it today I would be very angry. I know I don’t have any such stuff on my phone because I update.

Not a pro, not even very good.  I’m just old and have time currently.  Assuming I know a lot about computers can be a mistake.

 

Life is like a bowl of chocolates: there are all these little crinkly paper cups everywhere.
