Apple brass discussed disclosing 128-million iPhone hack, then decided not to - Ars Technica

In September 2015, Apple managers had a dilemma on their hands: should, or should they not, notify 128 million iPhone users of what remains the worst mass iOS compromise on record.

An email entered into court this week in Epic Games’ lawsuit against Apple shows that, on the afternoon of September 21, 2015, Apple managers had uncovered 2,500 malicious apps that had been downloaded a total of 203 million times by 128 million users, 18 million of whom were in the US.

“Joz, Tom and Christine—due to the large number of customers potentially affected, do we want to send an email to all of them?” App Store VP Matthew Fischer wrote, referring to Apple Senior Vice President of Worldwide Marketing Greg Joswiak and Apple PR people Tom Neumayr and Christine Monaghan.

Note that this will pose some challenges in terms of language localizations of the email, since the downloads of these apps took place in a wide variety of App Store storefronts around the world (e.g. we wouldn’t want to send an English-language email to a customer who downloaded one or more of these apps from the Brazil App Store, where Brazilian Portuguese would be the more appropriate language).

About 10 hours later, Bagwell discusses the logistics of notifying all 128 million affected users, localizing notifications to each users’ language, and “accurately includ[ing] the names of the apps for each customer.”.

The post provides very general information about the malicious app campaign and eventually lists only the top 25 most downloaded apps.

“If users have one of these apps, they should update the affected app which will fix the issue on the user’s device,” the post stated.

“If the app is available on [the] App Store, it has been updated, if it isn’t available it should be updated very soon.”.

The article discussed research from computer scientists who found a way to sneak malicious programs into the App Store without being detected by the mandatory review process that’s supposed to automatically flag such apps.