Darwin's Theories Blog

New Theories for a New Time

Don't Tell Me Apple iOS Security is better than Android's

2021-05-13

Apple has long held itself up as a paragon of mobile security, but the wrapping is coming off this year. The biggest news is that Apple never revealed the extent of a hack that infected 128,000,000 (yes, 128 million) iOS devices - iPhones and iPads - back in 2015. In fact, it’s not even clear that they notified all the users. This information only came to light during the Epic Games vs Apple trial, when corporate emails entered the public record. This has been widely reported. What’s even more surprising is that the malware (a) got into apps through a hacked version of Xcode, and (b) was not detected by Apple’s vaunted review process.

Xcode is the single IDE that iOS developers are required to use (Apple has forgotten the security rule that "choice is good"). Xcode is a large download, and hackers posted a modified version on a download site that offered faster downloads in China, so many developers there were using the infected dev tools.

As for the review process, well, it is what it is. It failed to detect this malware. How did this happen? Unsurprisingly, current technology makes security a cat-and-mouse game between hackers and those who would stop them. Find a new technique to break security and you can become rich, either by criminal methods or by submitting proof to the vendor’s "bug bounty" scheme. In this case, the crackers chose the former route. And the rest is history - they made the biggest hack in iPhone history.