Slashdot Mirror


Apple Wages Battle To Keep App Store Malware-Free (networkworld.com)

alphadogg writes: Apple is facing growing challenges keeping suspicious mobile applications out of its App Store marketplace. Over the last two months, researchers have found thousands of apps that could have potentially stolen data from iOS devices. Apple has removed some of the affected apps since it was alerted by security companies. But the problems threaten to taint the App Store's years-long reputation as being high quality and malware free.


  1. Ignoring the Elephant in the Room by damn_registrars · · Score: 4, Funny

    They can't really say they are 100% committed to protecting peoples' privacy when they keep pushing out the facebook app - which is of course dedicated to encouraging people to give up as much of their personal information as possible.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    1. Re:Ignoring the Elephant in the Room by kuzb · · Score: 2

      Such Hypocrisy is shared by most large companies. As much as I don't like Apple, they are hardly unique in this. I'd be more worried about their continued human rights violations that they repeatedly claim they've dealt with.

      --
      BeauHD. Worst editor since kdawson.
    2. Re:Ignoring the Elephant in the Room by AK+Marc · · Score: 4, Insightful

      What's funny is that so many here don't like Apple that they hold it to a higher standard. Nike has been linked to many more human rights violations they blatantly ignore, and Apple's big sin is that they build in China (like everyone else, but it's somehow worse for Apple).

      The suicide rate at Foxconn is less than an average American High School. Until a US president is brought up on crimes against humanity for NCLB, it seems a bit silly to condemn Apple.

    3. Re:Ignoring the Elephant in the Room by MobileTatsu-NJG · · Score: 1, Insightful

      Why is this marked Troll? The human rights violations aren't ever mentioned around here unless Apple is under scrutiny. In fact, the hubbub around here died down after made some changes, only for it to reoccur a couple of years later. Perhaps if it really were about human rights and not about dinging Apple's PR, the heat would have stayed on, other companies would be following suit, and Apple wouldn't feel comfy enough to let it happen again.

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    4. Re:Ignoring the Elephant in the Room by rsborg · · Score: 1

      They can't really say they are 100% committed to protecting peoples' privacy when they keep pushing out the facebook app - which is of course dedicated to encouraging people to give up as much of their personal information as possible.

      Yeah I know I'm feeding the troll here, but Facebook is not integrated into the OS or even distributed as a default app.

      There is a difference between systems that take personal information from you and ones where you willingly give it away.

      The Facebook app hasn't touched any of my devices, and now with content blockers in iOS, I won't even be giving them my ad cookies either when I inadvertently visit a site that has their Like button or other trackers.

      --
      Make sure everyone's vote counts: Verified Voting
    5. Re:Ignoring the Elephant in the Room by davester666 · · Score: 1

      Well, there are a LOT of people who really really want to broadcast their every moment via Facebook. So, people are CHOOSING to give up their privacy in exchange for, well, who knows what they get out of it.

      You don't have to use the built-in Facebook/Twitter/whatever support or use any of the facebook/twitter/instagram apps from their store, if you don't want to.

      And if you don't, I know, this is incredibly hard to believe, but, NONE of your information is sent to Facebook/Twitter/Instagram/whatever.

      I don't have a Facebook account [well, not one I created, supposedly Facebook has helpfully started my account without me, ready and waiting for when I may be too incapacitated by alcohol to understand what I am doing and actually sign up] and I am confident that Apple is not sending data to Facebook from my phone. And now, with iOS9, I can install adblockers to hopefully kill FB's/Twitters/Googles various trackers/"analytics services"/ads to at least slow down how fast they are building my profile.

      --
      Sleep your way to a whiter smile...date a dentist!
    6. Re:Ignoring the Elephant in the Room by davester666 · · Score: 3, Insightful

      No, they have never claimed to have 'fixed' the problem, because it is a problem that is unlikely to be fixed anytime soon in China. What they do claim is that they have taken concrete steps to reduce the likelihood of it happening, both by paying more money for services and by penalties for contract violations [which supposedly include things like workers hours/conditions/no child labor].

      --
      Sleep your way to a whiter smile...date a dentist!
    7. Re:Ignoring the Elephant in the Room by Dog-Cow · · Score: 1

      Do you also find daylight to be amazing?

    8. Re:Ignoring the Elephant in the Room by drinkypoo · · Score: 2

      What's funny is that so many here don't like Apple that they hold it to a higher standard.

      Wrong. People don't like Apple because it is not meeting the same standard as others: It pockets more of the money that it makes through slave labor than others do. Therefore, it can better afford to pay people a living wage, and therefore its behavior is actually more repugnant than that of other corporations.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    9. Re:Ignoring the Elephant in the Room by Anonymous Coward · · Score: 1

      "The suicide rate at Foxconn is less than an average American High School."
      Compare it to a GM factory or some other American blue-collared industry and you'll see that for all the "prevention" Foxconn is truly dangerous. Also, I'd like to point out that there's no study on the long term effects of those work conditions, which can't possibly be good when short term they cause so many deaths.

      And lastly ... Apple makes hardware and software, nice but no longer extraordinary. It sells a brand, an image, that's its biggest and most important asset and ... best target for critics.

      Personally, I don't care one way or another about Apple vs other companies or Foxconn vs others. They're not held at gunpoint to work, they always have choices, not good ones mind you, but choices nonetheless. (seems like a snarky comment, but I've had to make similar choices several times and I always chose health over money.)

    10. Re:Ignoring the Elephant in the Room by phil.swansborough · · Score: 1

      Well at least it is since they installed the nets outside the windows.

    11. Re:Ignoring the Elephant in the Room by Anonymous Coward · · Score: 1

      But let me be the first to say this. The Apple dominance era is (slowly) coming to a close. Okay Arstechnica or whatever tech mag will still print biased reviews of Apple products against say the Nexus 9 by focusing on benchmarks that favor Apple. All the meantime, the screen resolutions of their devices are falling behind, the software (mainly Safari) is falling behind (eg Chrome) and more importantly their critical security exploits being the highest in 2014 than years prior.

      I'm not saying their standard is worse than competitors, I'm saying their standard is worse than their former self. It's only downhill from here ...

    12. Re:Ignoring the Elephant in the Room by trparky · · Score: 1

      And meanwhile Android's security track record is the worst it's ever been. Millions of people are still completely exploitable because the particular OEM that made their device doesn't give a shit about their one year old device. God help the people who can't always afford the latest and greatest flagship device and are stuck on some three plus year old device because that's all the prepaid cellular service providers seem to shove down these people's throats.

      And as for screen resolutions I don't give a shit about sky high screen resolutions. Can the screen produce a good picture? Can you read the text on the screen? If you have answered "yes" to those three questions then the screen is good enough. Sure, let's pack in a higher resolution screen just for kicks and oh shit... battery life has gone to shit. Hell my main desktop monitor is 1920x1080. It's good enough!

    13. Re:Ignoring the Elephant in the Room by trparky · · Score: 1

      Crap... two questions. I wish there was an edit button.

    14. Re:Ignoring the Elephant in the Room by Solandri · · Score: 1

      Despite being somewhat anti-Apple, I've always been on Apple's side when stories about "its" human rights violations come up, specifically for the reasons OP cites. I would never mod it down simply because it favors Apple, and if it gets out of hand I've written posts defending Apple as OP did.

      That said, I'm less inclined to go around correcting people when it's brought up in web forums because the general media is biased wildly in Apple's favor. e.g. Did you know one of the main patents in Apple's $1 billion award against Samsung was ruled invalid by the USPTO this summer? Nary a word about it in the general media (I only found out about it by accident a few weeks ago when the story came up while I was searching for who was suing whom for patent infringement). So I figure some biased bad PR is necessary to help balance out the biased good PR Apple normally gets.

    15. Re:Ignoring the Elephant in the Room by AK+Marc · · Score: 1

      "The suicide rate at Foxconn is less than an average American High School."
      Compare it to a GM factory or some other American blue-collared industry and you'll see that for all the "prevention" Foxconn is truly dangerous.

      Nope. Foxconn's suicide is not higher than US general suicide rates. I used those numbers to not get into a debate about how the Foxconn suicide rate is calculated. That and if that rate was so bad, why aren't we doing more in US schools? We aren't, which means we think that rate is acceptable, unless it's happening at Apple, and we hate Apple.

    16. Re:Ignoring the Elephant in the Room by MobileTatsu-NJG · · Score: 1

      Why even spend the time on that when Foxconn produces parts for many manufacturers and not just Apple? I wouldn't mind, but worker safety is a whole different level from PR stemming from a poorly understood patent case. Heck, you could even rake Apple over the coals for letting the violations happen again as recently as this year!

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    17. Re:Ignoring the Elephant in the Room by neoritter · · Score: 1

      Well Apple fanboys making excuses for Apple is as sure as the rising and setting of the sun.

    18. Re:Ignoring the Elephant in the Room by slashdotwannabe · · Score: 1

      People do. You're just so fixated on your beloved Apple that you are blind to it.

      And yet you provide no evidence to support your assertion...

      I call it like I see it. If you can't handle, why don't you go off into a corner and have a cry.

      Your need to denigrate those who disagree with you betrays the weakness of your argument.

      --
      This comment is my opinion and does not represent an official position of Donald Trump or others I do not work for
    19. Re:Ignoring the Elephant in the Room by slashdotwannabe · · Score: 1

      False dichotomy. Just because someone dislikes Apple doesn't mean they have to like Google.

      It's only a false dichotomy if you posit that there are viable choices other than iOS and Android. Are you suggesting that Blackberry or Microsoft are viable alternatives? Because the marketplace would disagree with you.

      --
      This comment is my opinion and does not represent an official position of Donald Trump or others I do not work for
  2. Apple Testing ? by randalware · · Score: 1

    Apple doesn't have a QA testing suite/lab for applications ?

    --
    This is my opinion based on what little I know and understand of the rumors and lies Thanks, Randal
    1. Re: Apple Testing ? by bill_mcgonigle · · Score: 1

      Also, until all the apps are rewritten in Swift, any static analysis efforts are fairly easy to bypass. Objective-C is very flexible at runtime - most of the App Store inventory has potential for hosting malware.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    2. Re: Apple Testing ? by Dutch+Gun · · Score: 1

      Exactly. Apple is screwed by the original iOS design, in which they assumed the apps were all trusted first party, so didn't bother to put in a robust permissions system to differentiate API calls from trusted vs untrusted sources. Using Objective-C, with its flexible runtime calls based on strings, it's trivial to bypass restrictions and gain access to APIs that you're not supposed to have. That is, calls made to app-facing APIs need to call internal APIs, and there's no way to practically prevent apps from calling those internal APIs directly and getting more data than they should.

      That being said, Apple has one significant advantage, in that it only takes *one* report to remove all similar malware from any number of apps (assuming it's a library), as there's a single, authoritative source to check against. That's in contrast to PC, server, or router malware which can sit infecting a machine in near perpetuity, even if it's known by the world at large. Of course, that's like detecting a minefield by watching your soldiers blow up as they march across the field. Sucks to be the guy who got blown up, but at least everyone else is safe.

      --
      Irony: Agile development has too much intertia to be abandoned now.
    3. Re: Apple Testing ? by angel'o'sphere · · Score: 1

      Using Objective-C, with its flexible runtime calls based on strings, it's trivial to bypass restrictions and gain access to APIs that you're not supposed to have.
      You are simplifying too much.
      Just because Objective-C is based on message passing does not mean you can bypass anything.
      But if you have some examples how to manipulate API calls, that would be interesting.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    4. Re: Apple Testing ? by david_thornley · · Score: 1

      Every time I bring up certain apps, I'm asked if I want to let them do X (mostly use my location). It would seem that there is a permissions system there.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    5. Re:Apple Testing ? by macs4all · · Score: 1

      IF they do it's certainly not doing very well is it.

      Ahem.

      Even if you read the TFS, you will see that they said that there is a "Potential" that some Apps could be "configured" to steal data.

      Theoretical Exploit: Not a realized one. BIG difference!

      And of course, no explanation of how Apps could be "configured" in said manner.

      And if you actually break the rules and at least read SOME of TFA, you will see this most important factoid:

      "While the apps were not stealing data, security experts said it would have been trivial for attackers to configure them to do so. "

      And then the article goes on to harp about XCodeGhost; with vastly inflated numbers of supposedly "infected" Apps, and after the originator of the Tainted XCode download already apologized.

      And then, TFA focuses on MobiSage SDK, which appears to be an Ad-Insertion function that even the security firm FireEye said didn't appear to be doing anything malicious. But yet, FireEye took it upon themselves to label MobiSage "High Risk" (based on the fact that it appeared to be nothing more than an ad-insertion framework, right?).

      So, ONCE AGAIN this is nothing more than a clickbait rehash of month-old FUD. Pure and simple. Thanks, Slashdot.

      And I would say that either the "Permissions System" is either not really being challenged after all, OR that it IS working just fine...

  3. They deserve this by Jazoray · · Score: 1

    The store is the only guardian on the entire iOS operating system. It's a single point of failure. If the user had complete access to his device, this wouldn't be a problem.

    1. Re:They deserve this by david_thornley · · Score: 1

      Which is why Windows never had any malware (at least until Vista on, when they tried to make it harder to control the computer), and most Android devices have no malware problem, right?

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  4. Re:Toad rays from my anus by sexconker · · Score: 1

    ALL GLORY TO HYPNOTOAD

  5. Walled Garden by Big+Hairy+Ian · · Score: 1

    Personally I'd rather risk infection than be restricted to what Apple says I can do

    --

    Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

  6. There's some other things they should focus on! by AbRASiON · · Score: 2, Insightful

    Before I start, yes I'm an Android guy - but, I do have an iphone and ipad.

    How.the.fuck do Apple fans justify that shitty app store? The search is OUTRIGHT BROKEN. It's BROKEN! There's so many fake / spam / SEO'd bullshit apps which come up when you search for something, it's fucking incredible.

    It literally doesn't find the app I'm looking for, over 50% of the time.
    I mean, I'm cool with tech companies not being perfect but this is the "Ever flawless" Apple who always get things right...? It's fundamentally broken.
    I don't even care that the spam exists! so what? But at least fix the algorithm so when I search for "extremely well known app X" it actually returns a result of the "extremely well known app X" I'm looking for.

    While I'm railing on them, one more thing* why in all that is !@#%$ing holy, can I not remotely install apps on my iphone / ipad from my PC? Yeah yeah, I'm an Android guy, I mentioned that,...
    How can the Google Play store have had this for 3 years+ and third party Android app installers have had it for 5 years. FIVE YEARS.

    I'm sitting on my PC for example, reading slashdot, someone says "hey blah blah is a brilliant app on my ipad, it really solved XYZ" I should be able to open a new tab, go to the app store, find the app and click "install to ipad"
    It's nearly 2016. How is this fucking missing?
    Worst part is, you ask this, even politely and Apple fans will tell you how "wrong you are" for wanting it. (I'm expecting at least a mixed / logical reaction on this site)

    Outright crazy, poor design, backwards thinking. These are good features. It's nuts.

    * Jesus I wish slashdot was still highly relevant, there might be a minuscule chance of an Apple person actually reading the post and fixing this idiocy.

    1. Re:There's some other things they should focus on! by AbRASiON · · Score: 1

      I think you're misunderstanding me or ..... I explained poorly.
      I want the ability to REMOTELY install apps to my iPad, sitting on the coffee table downstairs or even on my desk at work while I'm at home, simply by going to the app store website, logging in to my itunes / app store account and clicking 'install' on whatever app.
      It should then prompt me, "which Apple device?", of the "Apple devices registered on this account"

      This is how it works on the Google Play store, it might even be 4 years, not 3.

    2. Re:There's some other things they should focus on! by Anonymous Coward · · Score: 1

      "While I'm railing on them, one more thing* why in all that is !@#%$ing holy, can I not remotely install apps on my iphone / ipad from my PC?"

      I imagine Google's array of patents on remotely installing phone apps probably has something to do with it.

    3. Re:There's some other things they should focus on! by david_thornley · · Score: 1

      So, you want the capability to remotely load apps onto your iPad? Are you sure you'll remain the only one with that capability?

      You can buy apps from your computer, and then you can sync. Assuming you like to keep some sort of backup, you'll be syncing periodically anyway. What's wrong with that?

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    4. Re:There's some other things they should focus on! by AbRASiON · · Score: 1

      You seem to be diverting the topic to security arguments. If the Apple app store login is secure enough to have my real name, payment info, it's secure enough to distribute applications to my ipad - just how it works on Google Play now.

      As for itunes sync style, nope not a chance. That's a very poor system and I don't think anyone uses itunes anymore now that they don't have to. (The cloud backups on iphone / ipad work exceptionally)

      Regardless even if I did want to do that, I'd still need the ipad in my apt near the itunes enabled PC. As it stands, my mom who doesn't know too much about using these kind of things, can have me remotely install stuff to her Android phone, 100 miles away in about 2 minutes.
      It's nearly 2016.

    5. Re:There's some other things they should focus on! by radarskiy · · Score: 2

      "You have to use iTunes to download an app"
      It looks like that because the App Store is not a website and the interface is in iTunes, but downloading to the device does not require connecting the device to the computer with iTunes in any way.

    6. Re:There's some other things they should focus on! by radarskiy · · Score: 1

      The only part which the App Store cannot do is selecting specific devices. Any enabled device will download the new app and devices not enabled will not download it.

    7. Re:There's some other things they should focus on! by david_thornley · · Score: 1

      If you're discussing why you can't, security is the reason. Apple makes considerably different security tradeoffs than Android, and that is one thing to consider when deciding what to get.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  7. So...app vetting is and always was BS, then? by xxxJonBoyxxx · · Score: 1

    >> problems threaten to taint the App Store's years-long reputation as being high quality and malware free

    So, we can agree that Apple's application vetting process is and always was bullshit, right?

    1. Re:So...app vetting is and always was BS, then? by cjmnews · · Score: 2

      Due to their original design and the use of Objective C, yes.

      Their screening process consists of scanning code for using "undocumented" system calls that are restricted for Apple's use only.
      Obfuscate those system call strings and you have now bypassed the screening process (ala: XcodeGhost)
      Too bad they can't stop it, until they move every app to Swift (now you know why they created a new language).
      Even if they could crack every system call string alteration an app could do, the app could request the system call string from a server, and execute it on the fly and get around the scan.

      There is probably more to the screening process, but I am doubting there is much more to it.

      --
      You can lose something that is loose, so tighten the loose item so you don't lose it.
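
The limit of string scanning described in the comment above, seen from the reviewer's side, as an added example that is not part of the thread and not Apple's actual review tooling. The denylisted selector names and the four sample apps are constructed placeholders; the run-time resolution functions listed are real Objective-C runtime and libc entry points.

```python
import base64
import codecs

# Hypothetical denylist of private selectors (constructed placeholder names,
# not real Apple APIs).
PRIVATE_SELECTORS = {"_examplePrivateDeviceInfo", "_examplePrivateInstalledApps"}

# Entry points that turn a string into a class, selector or symbol at run time.
# objc_msgSend is deliberately absent: every Objective-C binary imports it.
DYNAMIC_SINKS = {"NSSelectorFromString", "NSClassFromString",
                 "sel_registerName", "objc_getClass", "dlopen", "dlsym"}


def _decodings(s):
    """Yield cheap reversible transforms a reviewer can undo statically."""
    yield "reversed", s[::-1]
    yield "rot13", codecs.decode(s, "rot13")
    try:
        yield "base64", base64.b64decode(s, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        pass


def review(strings, imports):
    """Classify one binary from its string table and imported symbols."""
    literal = sorted(PRIVATE_SELECTORS & set(strings))
    decoded = sorted((s, how, plain)
                     for s in strings
                     for how, plain in _decodings(s)
                     if plain in PRIVATE_SELECTORS)
    sinks = sorted(DYNAMIC_SINKS & set(imports))
    if literal:
        verdict = "reject: literal private selector"
    elif decoded:
        verdict = "reject: obfuscated private selector"
    elif sinks:
        # Nothing on disk names the target; only run-time review can tell.
        verdict = "escalate: run-time resolution, target unknown"
    else:
        verdict = "pass"
    return {"verdict": verdict, "literal": literal,
            "decoded": decoded, "sinks": sinks}


# Constructed samples: (string table, imported symbols) per app.
SAMPLES = {
    "plain": (["viewDidLoad", "_examplePrivateInstalledApps"],
              ["objc_msgSend"]),
    "encoded": (["viewDidLoad",
                 base64.b64encode(b"_examplePrivateInstalledApps").decode()],
                ["objc_msgSend", "NSSelectorFromString"]),
    "remote": (["viewDidLoad", "https://config.example.invalid/v1"],
               ["objc_msgSend", "NSSelectorFromString"]),
    "static_only": (["viewDidLoad", "tableView:cellForRowAtIndexPath:"],
                    ["objc_msgSend"]),
}

if __name__ == "__main__":
    for name, (strings, imports) in SAMPLES.items():
        print(name, "->", review(strings, imports)["verdict"])
```

The "remote" sample is the case the comment ends on: no transform of the on-disk strings recovers the selector, so the only static signal left is the import of a run-time resolution function.
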
  8. Droid does what iDon't: app apps in an app by tepples · · Score: 1

    Since when can you app apps in an iPad app? I thought only Android could do that.

  9. If that happens, *iOS is dying by tepples · · Score: 1

    You start by killing the numerous clones of popular apps.

    Then Apple would have to kill itself, as iOS is based on FreeBSD, and *BSD is a clone of UNIX.

  10. Then don't make a damn Turing machine by tepples · · Score: 1

    The way to work around the halting problem is to build a machine that is useful yet less capable than a Turing machine. One example of such a machine is a linear bounded automaton, which is a Turing machine that never moves the pointer past the end of the input. An LBA recognizes context-sensitive languages, and it is equivalent in power to a physical computer, which has limited memory. Halting is solved on an LBA, by making a universal LBA twice as long as the original and running two copies of the program in a tortoise-hare configuration to detect infinite loops.
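
The tortoise-hare halting check described in the comment above, as an added example that is not part of the thread. It assumes a deterministic machine on a non-empty tape whose head is clamped to the input cells; the two transition tables are constructed for illustration.

```python
def step(delta, cfg):
    """Advance one configuration (state, head, tape); None once halted."""
    state, head, tape = cfg
    rule = delta.get((state, tape[head]))
    if rule is None:          # no transition defined: the machine halts
        return None
    new_state, write, move = rule
    tape = tape[:head] + (write,) + tape[head + 1:]
    # Linear bound: the head never leaves the cells of the original input.
    head = min(max(head + move, 0), len(tape) - 1)
    return (new_state, head, tape)


def halts(delta, start, tape):
    """Decide halting with Floyd's tortoise-and-hare over configurations.

    A bounded tape gives finitely many configurations, so a deterministic
    run either halts or revisits one; the hare then laps the tortoise.
    Holding two configurations is the "twice as long" cost in the comment.
    """
    slow = fast = (start, 0, tuple(tape))
    while True:
        for _ in range(2):            # hare: two steps per round
            fast = step(delta, fast)
            if fast is None:
                return True
        slow = step(delta, slow)      # tortoise: one step per round
        if slow == fast:
            return False


# Constructed machine 1: overwrite 0s with 1s until the ">" marker, then halt
# (no rule is defined for state "R" reading ">").
SWEEP = {("R", "0"): ("R", "1", +1)}

# Constructed machine 2: bounce between the "<" and ">" markers forever.
PINGPONG = {
    ("L", "<"): ("R", "<", +1),
    ("R", "0"): ("R", "0", +1),
    ("R", ">"): ("L", ">", -1),
    ("L", "0"): ("L", "0", -1),
}

if __name__ == "__main__":
    print("SWEEP halts:", halts(SWEEP, "R", "000>"))
    print("PINGPONG halts:", halts(PINGPONG, "L", "<00>"))
```
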

  11. Re:just bullshit by macs4all · · Score: 1

    for anything that you search for there are 200 knock off Chinese apps. They'll never clean up their shit, it keeps feeding to marketing that they have X more apps than anyone else.

    And how, pray tell, do you think the Google Play Store makes the same claims?

  12. Re:Good luck with that by JustAnotherOldGuy · · Score: 1

    They're doing better than the average Slashtard who moans about Apple all day.

    Yes, but the day is still young.

    --
    Just cruising through this digital world at 33 1/3 rpm...