May 10, 2021

In 2015, Apple uncovered 2,500 malicious apps downloaded 203 million times by 128 million users, including 18 million from the United States. Apple failed to notify the users.

While Dale Bagwell of Apple’s Customer Experience Team discussed the logistics of notifying all 128 million users, including notifying users in their local languages and specifying the names of the apps for each customer hours after discovering the malicious apps, recent revelations revealed that Apple never sent such emails to affected users. The iOS hack in question was made possible by legitimate developers using a fake development tool called Xcode, which was downloaded from an unofficial source because it was faster and easier. XcodeGhost, a newly packaged tool, secretly inserted malicious data alongside normal app features.

Instead of sending an email to affected users notifying them of the malicious apps, Apple released a now-deleted post that includes general information about malicious app campaigns, while listing only the 25 most frequently downloaded apps in the post. “If users have one of these apps, they should update the affected app which will fix the issue on the user’s device. If the app is available on [the] App Store, it has been updated, if it isn’t available it should be updated very soon.”

While Apple has long prioritized the safety of the product it sells and has made privacy a centerpiece of its product, the lack of follow-up by Apple seems very disappointing.

For more information, read the original story in Arstechnica.