Slashdot Mirror


Apple Cleaning Up App Store After Its First Major Attack

Reuters reports that Apple is cleaning up hundreds of malicious iOS apps after what is described as the first major attack on its App Store. Hundreds of the store's apps were infected with malware called XcodeGhost, which used a counterfeit version of the iOS IDE Xcode as its vector. Things could be a lot worse, though: Palo Alto Networks Director of Threat Intelligence Ryan Olson said the malware had limited functionality and his firm had uncovered no examples of data theft or other harm as a result of the attack. Still, he said it was "a pretty big deal" because it showed that the App Store could be compromised if hackers infected machines of software developers writing legitimate apps. Other attackers may copy that approach, which is hard to defend against, he said.

42 of 246 comments

  1. Trusting Trust by jeffb (2.718) · Score: 5, Insightful

    Thirty-one years later, it's still worth reflecting on it.

    1. Re:Trusting Trust by gweihir · · Score: 2

      Incidentally, that problem has been solved: http://www.dwheeler.com/trusti...

      It takes some effort though.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:Trusting Trust by jeffb (2.718) · Score: 5, Funny

      To be fair, when Ken Thompson gave his Turing Award lecture, he didn't have access to Slashdot anonymous cowards to explain the errors in his reasoning. He did the best he could with what he had.

  2. Hard to defend against you say? by Anonymous Coward · · Score: 2, Insightful

    Then what, pray tell, is the point of Apple's byzantine approvals process?

    1. Re:Hard to defend against you say? by phayes · · Score: 4, Insightful

      That's easy enough for everyone to figure out: It gives iOS users a more secure environment than the farce that is Android today without imposing more than a tiny hardship on the vast majority of its users.

      I don't see this as being a major problem for iOS after this incident. Other than laziness there is no good reason for people to get their Xcode anywhere else than Apple (as Xcode is a free download). AppDevs have now been warned that Xcode must be inviolate if they want to avoid their apps getting banned.

      Now, what exactly was it that stopped you from making this simple deduction? Zealotry in favor of a rival platform perhaps?

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    2. Re:Hard to defend against you say? by AmiMoJo · · Score: 4, Interesting

      The usual method of getting developers to install a backdoored version of an IDE is to make them think they are downloading the legit one. Infect their computers, MITM them. The NSA/GCHQ have many ways to do that, and few developers bother to check file signatures (do Apple even offer them?)

      So far there is no evidence that the Apple way works any better than the Google way. Google scans all apps for malicious code, the same way that Apple does. You don't think that Apple employs people to decompile and check app manually, do you? If a human is involved at all, they are just there to make sure that the UI and content meet the Apple standards. Most apps don't appear to be human reviewed at all, or if they are the humans pay little attention and allow apps with zero functionality, or which clearly contravene the rules (e.g. there is a Playboy app, despite the prohibition on porn).

      The idea that Android is somehow riddled with malware is nonsense. Where are the vast botnets that would exist if it were? The Play store seems to be just as safe as the Apple app store, from a user's perspective.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:Hard to defend against you say? by Wrath0fb0b · · Score: 4, Informative

      The usual method of getting developers to install a backdoored version of an IDE is to make them think they are downloading the legit one. Infect their computers, MITM them. The NSA/GCHQ have many ways to do that, and few developers bother to check file signatures (do Apple even offer them?)

      Not only do they offer signatures, but the infected version of Xcode will be refused by default unless you modify the default Gatekeeper setting. This is all the more ridiculous because you don't even need to register to download the legit Xcode directly from Apple. And of course it's protected in transit by SSL.

      Not sure what your FUD is.

      [ Yeah, maybe GCHQ is clever enough to infect Xcode and still pass Gatekeeper. But this case shows you don't really have to be that smart -- just tell users "you must click here to run this software" and they'll do it, even if that means disabling security checks. ]

    4. Re:Hard to defend against you say? by nuonguy · · Score: 4, Informative

      No Evidence?

      Really?

      No evidence at all?

      What would you consider evidence?

      That’s why the news from Bitdefender researchers is so alarming. They discovered sophisticated CAPTCHA-bypassing Android malware in Google Play apps.

      from http://www.itbusinessedge.com/...

    5. Re:Hard to defend against you say? by phayes · · Score: 2

      The usual method of getting developers to install a backdoored version of an IDE is to make them think they are downloading the legit one.

      Certainly, as long as you are referring to the usual methods of installing backdoored versions of IDEs for Android. As has been repeatedly pointed out, this is NOT how Xcode is normally distributed.

      Your suppositions of automated and largely useless validation reek of "this is how Android does it & though I'm ignorant of how Apple does it, I'll still offer baseless conjecture that they use the same methods as Google when authorizing apps". None but the true zealots can doubt that Apple's walled garden has made it much more difficult for malware to spread on iOS versus Android.

      The idea that Android is somehow riddled with malware is nonsense. Where are the vast botnets that would exist if it were? The Play store seems to be just as safe as the Apple app store, from a user's perspective.

      Android's inability to perform timely updates has prepped its users for global exploitation. Sufficient weaknesses are well known and the platform has horrendous update propagation so they're not getting fixed. The only thing missing is a mistake by a virus author and a worm/virus will propagate like wildfire. When it happens it'll make the Morris worm that shut down the Internet look benign.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    6. Re:Hard to defend against you say? by macs4all · · Score: 2, Insightful

      Then what, pray tell, is the point of Apple's byzantine approvals process?

      Money.

      ORLY?

      Apple could make even MORE money by letting ANY software in, and saving the Resources it takes to Approve it.

      Therefore, there MUST be another reason. Let's see; what could it be?

      Could it POSSIBLY be that they really ARE trying (pretty damned successfully so far!) to keep this kind of shit OUT of the App Store(s)?

      Nah. That can't be it. Must be GREED, right?

      Haters gotta hate; even when it makes NO sense.

    7. Re:Hard to defend against you say? by AmiMoJo · · Score: 3, Informative

      Sorry, you fell for the media hype. From your very first link:

      Both Wallpaper Dragon Ball and Finger Hockey, RiskIQ said, have malware that steals confidential information such as device IDs from infected devices.

      So an anti-virus company is spreading alarm that apps can access the device's unique ID and the internet, both things the user has to give it permission for. It's bullshit, they are just making out that you need anti-virus software in order to sell their shitty snake-oil product.

      By this standard there are thousands of bits of malware on the Apple app store too, because any app that has permission to read the device's ID and internet access is classed as malicious.

      The last link you posted is as close as it comes, but requires the user to download an "innocent" looking game that needs permission to send SMS messages (with a big warning that it may COST YOU MONEY $$$). They found one example, and Google removed it quickly. That's a pandemic all right.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    8. Re:Hard to defend against you say? by macs4all · · Score: 2

      Do you work for Apple or something? Because every time someone says anything that you perceive to be even the smallest of criticism or slights against them, you get all butthurt and start throwing temper tantrums.

      Seriously man, they are just a company. Grow the fuck up.

      Google is just a company, and Android is just an OS; but to hear the fandroids on here, you'd think they were both the second coming of Christ.

  3. Vetting of apps? by Rainbow Nerds · Score: 5, Insightful

    I'm wondering how these apps made it through in the first place. Apple is known for being strict about vetting apps and what's allowed to enter the walled garden. If so many apps were able to make it past the vetting, it ought to raise concerns about what other malicious apps might be in the app store on a smaller scale. The vetting process probably lulls many users into a false sense of security that any app downloaded is going to be safe because Apple wouldn't let unsafe apps through. Obviously that's not the case, and it's not possible to know before downloading an app whether it's safe or not. Even reputable publishers could be compromised in this way. Although I think the walled garden is actually a good idea, it's obviously not sufficient, and there needs to be other layers of security. As much as I despise most antivirus software, it might be another good line of defense. I'd like to see more about app permissions like the old Android Market listing, and perhaps firewalling and only whitelisting certain sites for apps to connect to. It's reasonable that the browser you download would be able to connect to any site; that game, not so much. What's there now isn't enough and there really is no way for a user to know that an application is safe prior to installing it.

    --
    M-I-Z
    kU still sucks!
    1. Re:Vetting of apps? by tepples · · Score: 2

      I'd like to see more about app permissions like the old Android Market listing

      The permissions are still listed. Crossy Road, the endless Frogger-clone that's become popular on Google Play. Scroll down to "Permissions" and click "View details". Or are you asking for some sort of rich privacy policy where each permission is justified with an immediately adjacent rationale, such as "Uses camera to scan barcodes" or "Uses phone state to pause gracefully when a phone call is received"?

      and only whitelisting certain sites for apps to connect to

      I don't see how this can be effective, as the app may use one of those whitelisted "certain sites" as a proxy.

    2. Re:Vetting of apps? by brantondaveperson · · Score: 4, Insightful

      When presented with a request for access to a local or remote resource generated by a running application, almost everyone clicks "Yes".

      They normally click "Yes" without even reading the prompt, and certainly without conducting a thorough review of what the application is attempting to access, and why. This is because people are not on the whole security professionals, and just want to get shit done on their phones (or tablets, or PCs, or whatever).

      Permissions are not a solution to this problem.

    3. Re: Vetting of apps? by Buck Feta · Score: 2

      average fleshlight app

      Good ol' phone sex...

      --
      I am Audience.
    4. Re:Vetting of apps? by drinkypoo · · Score: 2, Insightful

      I'm wondering how these apps made it through in the first place. Apple is known for being strict about vetting apps and what's allowed to enter the walled garden.

      Apple is known for mysteriously and capriciously denying apps which are similar to other apps which they have accepted. Nobody knows on what basis they justify their decisions, because they don't have to justify their decisions. How that's even legal when they have a monopoly over software distribution to untampered devices... well, money. That's how.

      Although I think the walled garden is actually a good idea

      It isn't.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    5. Re:Vetting of apps? by angel'o'sphere · · Score: 2

      The problem with forcing a yes/no answer if you answer no you can't run the app, that means people will generally just say yes.

      That is complete nonsense!
      The app does not really know if you have clicked yes or no; the operating system is asking you, not the app. And an app like "Viber" or "WhatsApp" accessing your Location just works fine when iOS asks: "may this app access your Location" and you answer: "no".
      Why the funk should the app stop working?

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    6. Re:Vetting of apps? by jittles · · Score: 3, Interesting

      I'm wondering how these apps made it through in the first place. Apple is known for being strict about vetting apps and what's allowed to enter the walled garden. If so many apps were able to make it past the vetting, it ought to raise concerns about what other malicious apps might be in the app store on a smaller scale. The vetting process probably lulls many users into a false sense of security that any app downloaded is going to be safe because Apple wouldn't let unsafe apps through. Obviously that's not the case, and it's not possible to know before downloading an app whether it's safe or not. Even reputable publishers could be compromised in this way. Although I think the walled garden is actually a good idea, it's obviously not sufficient, and there needs to be other layers of security. As much as I despise most antivirus software, it might be another good line of defense. I'd like to see more about app permissions like the old Android Market listing, and perhaps firewalling and only whitelisting certain sites for apps to connect to. It's reasonable that the browser you download would be able to connect to any site; that game, not so much. What's there now isn't enough and there really is no way for a user to know that an application is safe prior to installing it.

      They run a static analyzer on app submissions that checks for when a developer makes private API calls. It doesn't catch everything. I've worked on a white label app that had 280 successful reviews in the app store and randomly was rejected on the 281st submission because I forgot to enable a new permission for the app prior to submission. My permissions files were all generated using a template so all apps were missing that permission. The users were still prompted to grant permissions. Apple generally doesn't let you enable permissions on functionality that you do not actually need for your app to function. If you used some Objective-C trickery to hide private API calls it is quite possible that Apple will not even detect it unless that call is, perhaps, triggered during the app review process.

    7. Re:Vetting of apps? by jo_ham · · Score: 3, Informative

      Of course Apple have a monopoly on their own products... I'm not sure how you can't see that this is obviously legal.

      There's no legal problem with being the only store on a product that you sell, *especially* when Android makes up the bulk of the smartphone market.

      So, "how that can even be legal" is that Apple are not a monopoly as far as smartphones are concerned, nor are they leveraging their non-monopoly position in one area to promote their business in another.

    8. Re:Vetting of apps? by BasilBrush · · Score: 2

      People automatically click yes when they perceive there is no alternative. If you get a dialog that says "Yes"/"Cancel", then they'll click yes, because they do actually want the action that they asked for performed.

      Likewise with classic Android permissions, refusing permission meant you couldn't install the app. So people were trained to accept them regardless.

      With iOS requests for permission at the time of first use of a resource, the question is a significant one. Both Yes and No still allow the app to continue, to the extent that it's possible to without the resource being requested. For example a maps app will still function if you reply no to a location request. It just won't centre the map where you are.

    9. Re:Vetting of apps? by BasilBrush · · Score: 2

      How that's even legal when they have a monopoly over software distribution to untampered devices... well, money.

      For the umpteenth time, a company's own platform is not a market for the purposes of competition laws.

      Although I think the walled garden is actually a good idea
      It isn't.

      You don't even use the platform. The walled garden is an extremely attractive security and ease of use feature of iOS. Regardless of what Android fans say.

    10. Re:Vetting of apps? by MachineShedFred · · Score: 3, Interesting

      More than that, it's spelled out explicitly in Apple's app developer guidelines that the app will be rejected if it doesn't gracefully handle a permission denial. And, that would be incredibly easy to test in an automated fashion.

      Now if the developer is a dick and just disables all the app's functionality because you don't give them permission to your contacts, then shame on them and they deserve a nice dose of herpes. But again, it's up to the user to have some responsibility in protecting their information, and they shouldn't just blindly allow permission to anything that asks.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    11. Re:Vetting of apps? by MachineShedFred · · Score: 2

      Don't know what platform you're using, but it's completely possible (and required for App Store acceptance) on iOS.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
  4. Ironically this was caused by slow XCode downloads by Anonymous Coward · · Score: 2, Interesting

    Some Chinese developers downloaded this tainted Xcode because of slow download times of Xcode from the Mac App Store.

    Downloading Xcode from the Mac App Store takes nearly a full day!

    I think this delivery mechanism of Xcode to developers is very crummy and quite a nuisance.

  5. Re:Duh by printman · · Score: 4, Informative

    Um, Xcode is free.

    The only thing you pay for is the $99 to distribute applications (through the App Stores or within your organization) - writing and installing your own applications to your iPhone, iPad, Apple Watch, Mac, etc. are all free.

    The issue here appears to be limited to developers that are downloading Xcode from unofficial sources which allows their code to become infected.

    --
    I print, therefore I am.
  6. Re:People are Stupid, exhibit 49284a by nine-times · · Score: 2

    I can't figure out what the exact angle is, but it just seems too strange for legitimate developers to "innocently" make such a boneheaded mistake.

    I'm just throwing it out there, but could it be something like: The developer thought he'd be clever by downloading a pirated/hacked version of OS X that runs on non-Apple hardware. The hacked version either then downloads a hacked version of Xcode, or won't allow a legit installation of Xcode so that the developer is forced to pirate that, too.

    I don't know, just I'm hypothesizing. If it's not something like that, then I have a hard time figuring out how an iOS developer could unintentionally install a fake version. Unless... I don't know, maybe someone rigged Chinese search engines so that when you search for "Xcode", the top hits point to illegitimate sources?

  7. Re:People are Stupid, exhibit 49284a by lucm · · Score: 5, Interesting

    Xcode takes forever to download in China

    Xcode, and everything Apple, takes forever to download everywhere. It's faster to download the CentOS "Everything ISO" (7GB) from a shitty ftp mirror in Egypt than to get Xcode (3GB) from the global network of the wealthiest company in the world.

    Wtf Apple.

    --
    lucm, indeed.
  8. Re: Free as in $5 to $15 per GB? by brantondaveperson · · Score: 2
  9. How would you do that exactly? by SuperKendall · · Score: 2

    how about adding an extra hidden recipient to all your emails?

    How would you do that?

    The MFMailComposer class window you open tokenizes email recipients for the user, I can't see any way of composing an email that you could not see it was going to more than one person, or that you had pre-populated the "to" or "cc" or "bcc" values with an address they did not know.

    You have no control or visibility as to email addresses the user populates in this composer window. The content is totally separated from the other email fields.

    The app has no control of what happens when you press send; you cannot inject post-send hooks. The mail server communication does not occur in the same application process.

    how about a bank app that transfers money to the malware author instead of the intended recipient?

    That's a more realistic scenario for risk I imagine. But also much harder to get through the extensive testing any serious app has; you would see funds were not being transferred to the right account. Also pretty sure any decent banking API would catch the oddity around accounts it requested info for vs. account numbers you said to transfer to.

    There are a lot of layers any such attack would have to go through, in the end scrubbing out anything much useful (which is what we see with the results). I'm not saying there's no risk, I'm saying that the system as a whole does a good job of having enough layers of security that it's very hard to get something really malicious in place.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:How would you do that exactly? by macs4all · · Score: 2

      There are a lot of layers any such attack would have to go through, in the end scrubbing out anything much useful (which is what we see with the results). I'm not saying there's no risk, I'm saying that the system as a whole does a good job of having enough layers of security that it's very hard to get something really malicious in place.

      Witness the fact that Xcode has been offered for free since 1999 and this is the first time it has been compromised.

    2. Re:How would you do that exactly? by narcc · · Score: 2

      As far as you know...

      Apple has a sketchy security track record. Like Linux, it benefited from being an unattractive target as it had such a tiny user-base. OSX still does. As for iOS, for a while there, you could root the damn thing by visiting a webpage.

      That is, their products are not an attractive target for malware. When someone bothers, they're usually successful. See: pwn2own for countless recent examples.

      Aside from the microscopic market share, Apple is just like everyone else.

  10. Not on iOS they don't by SuperKendall · · Score: 2

    Generally I'd agree with you.

    But the prompting on iOS is clear enough that many people actually do click no - especially for things like location, which people know uses battery. Or contacts, which is very easy to say "no application you do not need to see my contacts".

    And again, all this prompting happens at the time the resource is requested. So if permission is asked for later it's especially odd.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Not on iOS they don't by macs4all · · Score: 2

      LOL, you give people too much credit.

      I remember a branch manager of a sales team asking me (the resident tech nerd) whether or not to allow an app to get his contacts on his i thing.

      The fact that he had to ask me tells me he has no idea if he should click yes or no. Most would just click YES to proceed.

      You, sir, are an effete snob. The VERY thing you ascribe (wrongly) to Apple owners with your snarky "i thing" remark. You wouldn't have referred to his phone as an "a thing" if it were an Android.

      And the fact that he actually ASKED you means that he RECOGNIZES that he shouldn't just blindly click "OK" to every security prompt he sees.

      Far from deriding him, you should be PRAISING his diligence, you insensitive clod! You WISH all Users were as DILIGENT as he.

      Fucktard.

  11. Download once and use USB by SuperKendall · · Score: 3, Informative

    You can easily download Xcode, put it on a USB stick, and share it with others. I do that with every build. Using a modern USB3 memory stick it will copy fairly rapidly.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  12. Alternatives by jpellino · · Score: 2

    "I wish Apple had a solution where you could download the update once then redistribute it." They do. Two in fact. Once it's on your own network, use Caching Server inside OS X Server. $20. Worth the savings in aspirin alone. Or ARD. Similarly cheap. Outside of Apple, sneakernet. Store apps like Xcode only care that you bought them and that they are intact on the drive. I did this for several large in-the-store, non-installer-based, free-with-OSX apps (GarageBand, iMovie) in a building that shared a 10-base fiber link across 18 machines and I wanted to get home for dinner.

    --
    "Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
  13. Re:Ironically this was caused by slow XCode downlo by MisterSquid · · Score: 2

    Some Chinese developers downloaded this tainted Xcode because of slow download times of Xcode from the Mac App Store.

    Downloading Xcode from the Mac App Store takes nearly a full day! I think this delivery mechanism of Xcode to developers is very crummy and quite a nuisance.

    Maybe it's an effect of the Great Firewall? My understanding is that Internet throughput in China (especially for inbound traffic) is very unpredictable with speed varying not only across time but also on physical location.

    --
    blog
  14. Re:Ironically this was caused by slow XCode downlo by Malc · · Score: 2

    I think it was 10-15 minutes for me. But I digress...

    If these people were able to download the infected alternative faster than from the App Store, then the real question is why? Is this a consequence of the Chinese government's internet interference?

  15. Re:Hashing System Libraries by angel'o'sphere · · Score: 2

    Yeah, and I would simply include the correct hashes, from the "original (second)" Xcode installation.

    What you would do in the Java world is sign all classes; however I guess that won't help much as I assume the "hacked Xcode" simply added an additional lib.

    That could be compiled freshly all the time and signed with the developer's key, then the Trojan/Virus looks like the developer had written it.

    --
    Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
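    The hash-manifest idea in the comment above, and the follow-up point that a tampered toolchain may simply add a library rather than alter an existing one, can be checked with a baseline-and-compare script. This is an added example, not code from the thread or from Apple; the toolchain tree, file names and "known-good" manifest are all constructed in a temporary directory for the demonstration.

```python
"""Baseline-and-compare integrity check for an installed toolchain tree.

Added example (not from Slashdot or Apple). It builds a SHA-256 manifest of
every regular file under a directory, compares it with a manifest taken from
a trusted install, and reports files that were modified, removed, or added.
The sample tree and its 'known-good' manifest are constructed assumptions.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries need not fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file (POSIX path relative to root) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue  # the link target is hashed under its own path
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Return added/removed/modified paths; three empty lists means intact.
    'added' is the case a signature on each existing file alone would miss."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys
                           if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline of a clean tree, then drop in an
    extra library and patch an existing one. Returns the comparison result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Toolchain.app"
        frameworks = root / "Contents" / "Frameworks"
        frameworks.mkdir(parents=True)
        (root / "Contents" / "MacOS").mkdir(parents=True)
        (root / "Contents" / "MacOS" / "ide").write_bytes(b"placeholder binary")
        (frameworks / "libcore.dylib").write_bytes(b"core library v1")
        baseline = build_manifest(root)  # would come from the trusted install

        # Tamper with the tree: one added library, one modified library.
        (frameworks / "libextra.dylib").write_bytes(b"unexpected addition")
        (frameworks / "libcore.dylib").write_bytes(b"core library v1 + patch")
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

    Against a real install, the baseline manifest should be produced from a copy obtained directly from the vendor and stored separately from the machine being checked, since a manifest that lives next to a tampered tree can be rewritten along with it.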
  16. Re:Ironically this was caused by slow XCode downlo by Rosyna · · Score: 2

    Xcode is signed and Gatekeeper warns about a corrupted binary. The issue is that these developers that were infected intentionally disabled Gatekeeper checks so they could run the infected Xcode.

  17. There's no such thing as perfect security. by Brannon · · Score: 2

    It doesn't mean that there's no value in imperfect security. Apple's walled garden failed in this attack, but it succeeded in thousands of other cases. The infected apps will be removed from devices and the app store, the hole will be closed.

  18. Those are all pretty horrible ideas. by Brannon · · Score: 2

    The answer is NOT to present customers with fourteen more layers of pop-ups and train users to just hit 'accept' on everything. The answer is NOT to load down our mobile devices with anti-virus software, most of which is worse than most viruses. The answer is NOT to expect users to become experts on technology.

    Those are the failed ideas and policies of the Windows world. Android is trying hard to make most of the same mistakes. They are horrible, horrible ideas and it's scary that there are some in the tech community that are still advocating them.

    Apple's current model IS the answer. Just look at the stats of malware/virus infections of Apple devices vs. Windows or Android. But nothing is perfect, there are going to be occasional infections.