Apple CEO Questioned on 'Significant Lapse' for Inaction on Malicious Chinese App
WASHINGTON -- Sen. Marco Rubio (R-Fla.) charged that Apple showed a "blatant disregard" for security in its response to China using a popular app to harvest and store data of American users.
Adware Doctor, which purported to scan Macs for malware and clear suspicious files, was the top paid utility app in Apple's store. It was bulked up with five-star reviews that were likely fake.
Patrick Wardle, chief research officer at Digita Security and founder of Mac security company Objective-See, said Apple was notified in early August that the app was copying users' browser data and sending it to a domain based in China. However, it took Apple a month to pull it from the Mac App Store.
In a letter today to Apple CEO Tim Cook, Rubio noted that the company only took action after tech sites publicly reported on the malicious app.
"For a company that prides itself on prioritizing user privacy and security, this delayed response is extremely disconcerting," he wrote. "It is also troubling that Apple researchers failed to uncover Adware Doctor’s covert collection and 'storage' process."
Rubio said he has "serious concerns about China’s malevolent economic behavior involving the theft of U.S. intellectual property, which costs the United States hundreds of billions of dollars annually" but "the threat of American user data being kept on a server in China is equally alarming."
"While I am aware of Apple’s efforts to protect against these intrusions by keeping apps compartmentalized from each other in 'sandboxes,' it is evident that Adware Doctor managed to circumvent your implemented guidelines and protections."
The senator added that the "significant lapse" in not initially acting on the findings security researchers reported to the company "exposes a range of problems, not least of which are internal coordination issues and possibly a blatant disregard for significant user security concerns that were brought to your attention."
Rubio asked Cook to answer a series of questions on why Apple didn't act on the security issue for a month and what safeguards the company will use in the future. "What steps will Apple take to ensure that applications using Apple’s Mac App Store have appropriate security protocols in place to prevent foreign actors from gaining access to user data?" he asked. "When users access the Mac App Store, they do so under the belief and reasonable expectation that the application options presented to them have been thoroughly vetted and approved by Apple. This incident with Adware Doctor has brought this trust into question."