Apple Cleaning Up App Store After Its First Major Attack
Reuters reports that Apple is cleaning up hundreds of malicious iOS apps after what is described as the first major attack on its App Store. Hundreds of the store's apps were infected with malware called XcodeGhost, which used as its vector a counterfeit version of the iOS IDE Xcode.
Things could be a lot worse, though:
Palo Alto Networks Director of Threat Intelligence Ryan Olson said the malware had limited functionality and his firm had uncovered no examples of data theft or other harm as a result of the attack. Still, he said it was "a pretty big deal" because it showed that the App Store could be compromised if hackers infected machines of software developers writing legitimate apps. Other attackers may copy that approach, which is hard to defend against, he said.
Some Chinese developers downloaded this tainted XCode because of slow download times of XCode from the Mac App Store.
Downloading XCode from the Mac App Store takes nearly a full day!
I think this delivery mechanism of XCode to developers is very crummy and quite a nuisance.
This kind of possible attack is mitigated because after you download an app, it still has no permissions to do anything interesting - access to background location, contacts, camera, audio, etc. all require permissions that prompt the user for access.
So even if someone uses an Xcode that is compromised, there's not very much gain you are going to get by having malicious code in the app except for what that app is working with.
Happily Android has also recently moved to this same "permission on demand" model which makes way more sense than "agree to laundry list of demands to run" ever did.
On a side note, I would think it would be hard for an attack like this to succeed because as a developer builds an app, they are often monitoring network traffic or otherwise examining app activity... even in release mode at times.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
XCode takes forever to download in China
XCode, and everything Apple, takes forever to download everywhere. It's faster to download the CentOS "Everything ISO" (7GB) from a shitty ftp mirror in Egypt than to get XCode (3GB) from the global network of the wealthiest company in the world.
Wtf Apple.
lucm, indeed.
The usual method of getting developers to install a backdoored version of an IDE is to make them think they are downloading the legit one. Infect their computers, MITM them. The NSA/GCHQ have many ways to do that, and few developers bother to check file signatures (do Apple even offer them?)
So far there is no evidence that the Apple way works any better than the Google way. Google scans all apps for malicious code, the same way that Apple does. You don't think that Apple employs people to decompile and check apps manually, do you? If a human is involved at all, they are just there to make sure that the UI and content meet the Apple standards. Most apps don't appear to be human reviewed at all, or if they are, the humans pay little attention and allow apps with zero functionality, or which clearly contravene the rules (e.g. there is a Playboy app, despite the prohibition on porn).
The idea that Android is somehow riddled with malware is nonsense. Where are the vast botnets that would exist if it were? The Play store seems to be just as safe as the Apple app store, from a user's perspective.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
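The comment above asks whether developers check file signatures on the Xcode they download. As an added example (not from the article or any of the commenters), here are two checks a developer can run before trusting a downloaded Xcode: a portable SHA-256 comparison against a hash obtained out of band, and, on macOS only, Apple's own Gatekeeper assessment (`spctl --assess --verbose`, which prints `accepted` and a `source=` line for a bundle with a valid Apple signature). The file and hash in the demo are constructed; they are not a real Xcode hash.

```shell
#!/bin/sh
# Added example: integrity checks for a downloaded Xcode (or any installer).
# verify_sha256 FILE EXPECTED_HEX      -> 0 if the digest matches, 1 if not, 2 on error
# verify_xcode_signature APP_PATH      -> macOS only; delegates to Gatekeeper (spctl)

sha256_of() {
    # Print the SHA-256 hex digest of $1 using whichever tool is installed.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        echo "no SHA-256 tool found" >&2
        return 2
    fi
}

verify_sha256() {
    # Compare the digest of file $1 with the expected hex string $2
    # (case-insensitive). The expected value must come from a trusted
    # channel, not from the same place the download came from.
    actual=$(sha256_of "$1") || return 2
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

verify_xcode_signature() {
    # macOS only: Gatekeeper reports "accepted" plus a source= line
    # (e.g. Mac App Store / Apple) for a bundle whose signature validates.
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not available (not macOS); skipping signature check" >&2
        return 2
    fi
    spctl --assess --verbose "$1"
}

demo() {
    # Constructed demonstration with a throwaway file; the "good" hash is
    # simply SHA-256("hello\n"), not a real Xcode digest.
    tmp=$(mktemp)
    printf 'hello\n' > "$tmp"
    good='5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03'
    bad='0000000000000000000000000000000000000000000000000000000000000000'
    if verify_sha256 "$tmp" "$good"; then echo "known-good hash: match"; fi
    if ! verify_sha256 "$tmp" "$bad"; then echo "tampered file: mismatch"; fi
    rm -f "$tmp"
}

demo
```

The hash check is the part that works anywhere; the `spctl` call is the check Apple's own tooling provides on a Mac, and a mismatch on either is reason not to build with that copy.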
I'm wondering how these apps made it through in the first place. Apple is known for being strict about vetting apps and what's allowed to enter the walled garden. If so many apps were able to make it past the vetting, it ought to raise concerns about what other malicious apps might be in the app store on a smaller scale. The vetting process probably lulls many users into a false sense of security that any app downloaded is going to be safe because Apple wouldn't let unsafe apps through. Obviously that's not the case, and it's not possible to know before downloading an app whether it's safe or not. Even reputable publishers could be compromised in this way. Although I think the walled garden is actually a good idea, it's obviously not sufficient, and there needs to be other layers of security. As much as I despise most antivirus software, it might be another good line of defense. I'd like to see more about app permissions like the old Android Market listing, and perhaps firewalling and only whitelisting certain sites for apps to connect to. It's reasonable that the browser you download would be able to connect to any site; that game, not so much. What's there now isn't enough and there really is no way for a user to know that an application is safe prior to installing it.
They run a static analyzer on app submissions that checks for when a developer makes private API calls. It doesn't catch everything. I've worked on a white label app that had 280 successful reviews in the app store and randomly was rejected on the 281st submission because I forgot to enable a new permission for the app prior to submission. My permissions files were all generated using a template so all apps were missing that permission. The users were still prompted to grant permissions. Apple generally doesn't let you enable permissions on functionality that you do not actually need for your app to function. If you used some Objective-C trickery to hide private API calls it is quite possible that Apple will not even detect it unless that call is, perhaps, triggered during the app review process.
More than that, it's spelled out explicitly in Apple's app developer guidelines that the app will be rejected if it doesn't gracefully handle a permission denial. And, that would be incredibly easy to test in an automated fashion.
Now if the developer is a dick and just disables all the app's functionality because you don't give them permission to your contacts, then shame on them and they deserve a nice dose of herpes. But again, it's up to the user to have some responsibility in protecting their information, and they shouldn't just blindly allow permission to anything that asks.
Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.