Slashdot Mirror


Apple Cleaning Up App Store After Its First Major Attack

Reuters reports that Apple is cleaning up hundreds of malicious iOS apps after what is described as the first major attack on its App Store. Hundreds of the store's apps were infected with malware called XcodeGhost, which spread through a counterfeit version of Xcode, the iOS IDE. Things could be a lot worse, though: Palo Alto Networks Director of Threat Intelligence Ryan Olson said the malware had limited functionality and his firm had uncovered no examples of data theft or other harm as a result of the attack. Still, he said it was "a pretty big deal" because it showed that the App Store could be compromised if hackers infected machines of software developers writing legitimate apps. Other attackers may copy that approach, which is hard to defend against, he said.

8 of 246 comments

  1. Trusting Trust by jeffb (2.718) · · Score: 5, Insightful

    Thirty-one years later, it's still worth reflecting on it.

  2. Hard to defend against you say? by Anonymous Coward · · Score: 2, Insightful

    Then what, pray tell, is the point of Apple's byzantine approvals process?

    1. Re:Hard to defend against you say? by phayes · · Score: 4, Insightful

      That's easy enough for everyone to figure out: It gives iOS users a more secure environment than the farce that is Android today without imposing more than a tiny hardship on the vast majority of its users.

      I don't see this as being a major problem for iOS after this incident. Other than laziness there is no good reason for people to get their Xcode anywhere else than Apple (as Xcode is a free download). AppDevs have now been warned that Xcode must be inviolate if they want to avoid their apps getting banned.

      Now, what exactly was it that stopped you from making this simple deduction? Zealotry in favor of a rival platform perhaps?

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    2. Re:Hard to defend against you say? by macs4all · · Score: 2, Insightful

      Then what, pray tell, is the point of Apple's byzantine approvals process?

      Money.

      ORLY?

      Apple could make even MORE money by letting ANY software in, and saving the Resources it takes to Approve it.

      Therefore, there MUST be another reason. Let's see; what could it be?

      Could it POSSIBLY be that they really ARE trying (pretty damned successfully so far!) to keep this kind of shit OUT of the App Store(s)?

      Nah. That can't be it. Must be GREED, right?

      Haters gotta hate; even when it makes NO sense.

  3. Vetting of apps? by Rainbow Nerds · · Score: 5, Insightful

    I'm wondering how these apps made it through in the first place. Apple is known for being strict about vetting apps and what's allowed to enter the walled garden. If so many apps were able to make it past the vetting, it ought to raise concerns about what other malicious apps might be in the app store on a smaller scale. The vetting process probably lulls many users into a false sense of security that any app downloaded is going to be safe because Apple wouldn't let unsafe apps through. Obviously that's not the case, and it's not possible to know before downloading an app whether it's safe or not. Even reputable publishers could be compromised in this way. Although I think the walled garden is actually a good idea, it's obviously not sufficient, and there needs to be other layers of security. As much as I despise most antivirus software, it might be another good line of defense. I'd like to see more about app permissions like the old Android Market listing, and perhaps firewalling and only whitelisting certain sites for apps to connect to. It's reasonable that the browser you download would be able to connect to any site; that game, not so much. What's there now isn't enough and there really is no way for a user to know that an application is safe prior to installing it.

    --
    M-I-Z
    kU still sucks!
    1. Re:Vetting of apps? by brantondaveperson · · Score: 4, Insightful

      When presented with a request for access to a local or remote resource generated by a running application, almost everyone clicks "Yes".

      They normally click "Yes" without even reading the prompt, and certainly without conducting a thorough review of what the application is attempting to access, and why. This is because people are not on the whole security professionals, and just want to get shit done on their phones (or tablets, or PCs, or whatever).

      Permissions are not a solution to this problem.

    2. Re:Vetting of apps? by drinkypoo · · Score: 2, Insightful

      I'm wondering how these apps made it through in the first place. Apple is known for being strict about vetting apps and what's allowed to enter the walled garden.

      Apple is known for mysteriously and capriciously denying apps which are similar to other apps which they have accepted. Nobody knows on what basis they justify their decisions, because they don't have to justify their decisions. How that's even legal when they have a monopoly over software distribution to untampered devices... well, money. That's how.

      Although I think the walled garden is actually a good idea

      It isn't.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  4. Re:Ironically this was caused by slow XCode downlo by jpellino · · Score: 1, Insightful

    "Downloading XCode from the Mac App Store takes nearly a full day!" I get it and the accessory files in about an hour. YMMV but a day? Where?

    --
    "Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."