Apple has said it is taking steps to remove malicious code added to a number of apps commonly used on iPhones and iPads in China.
It is thought to be the first large-scale attack on Apple's App Store.
The hackers created a counterfeit version of Apple's software for building iOS apps, which they persuaded developers to download.
Apps compiled using the tool allow the attackers to steal data about users and send it to servers they control.
Cybersecurity firm Palo Alto Networks - which has analysed the malware dubbed XcodeGhost - said the perpetrators would also be able to send fake alerts to infected devices to trick their owners into revealing information.
It added they could also read and alter information in compromised devices' clipboards, which would potentially allow them to see logins copied to and from password management tools.
takyon: Affected apps include WeChat, NetEase's music downloading app, Didi Kuaidi's Uber-like car hailing app, the business card scanner CamCard, and more.
(Score: 1, Informative) by Anonymous Coward on Tuesday September 22 2015, @02:40AM
I would cite Reflections on Trusting Trust, but no one here is old enough to remember who Ken Thompson is.
(Score: -1, Redundant) by Anonymous Coward on Tuesday September 22 2015, @02:45AM
Kenny who? Is there an xkcd about him?
(Score: 0) by Anonymous Coward on Tuesday September 22 2015, @05:01AM
> I would cite Reflections on Trusting Trust, but no one here is old enough to remember who Ken Thompson is.
On the contrary. No one here is young enough to know who ken is. This place is old fogey town.
(Score: 0) by Anonymous Coward on Tuesday September 22 2015, @04:47AM
I thought this was a tech news site? What is all this about Apple products doing here? Not relevant to the tech world. Was this story destined for SoylentMarketing, but ended up here by mistake?
(Score: 2) by shortscreen on Tuesday September 22 2015, @04:59AM
it was supposed to go in the schadenfreude section
(Score: 3, Insightful) by frojack on Tuesday September 22 2015, @05:01AM
Every time an article hits the mainstream press about any kind of flaw in anything Apple, there will be a flurry of articles from all corners of the press revealing horrible and egregious flaws in Android. You can just about make book on it. So google news in three, two, one.....
No, you are mistaken. I've always had this sig.
(Score: 2, Informative) by Anonymous Coward on Tuesday September 22 2015, @05:53AM
Granted. But I think there's more of a story here that you're overlooking. This was first and foremost an attack on developers, who should know better than to grab copies of their dev toolchain from untrusted sources. Nobody with a walled garden seems to have a way to guard against that -- to verify that builds came from clean toolchains. Apple has, according to the article, managed to detect signatures of the malware and pull the problematic builds, contact the devs, and get them to use clean compilers. But, now that the rabbit is out of the hat, how do we guard against similar problems in the future on other platforms?
(Score: 2) by frojack on Tuesday September 22 2015, @06:10AM
Well clearly Apple's malware scanning wasn't up to scratch.
They will reject apps that happen to mention the word Android anywhere in the app, but they never check for basic functionality, and outbound connections? Sure they got duped. Now they need to step up their game, and they have been taught a lesson on how to do it.
None of this is my point. Pretty sure Apple will survive without my advice.
The point I was making is that Apple will put the word out to its fawning press Army which will now swamp the pages to mask out this event in a way that no Android manufacturer would even bother to try.
No, you are mistaken. I've always had this sig.
(Score: 0) by Anonymous Coward on Tuesday September 22 2015, @07:33AM
> They will reject apps that happen to mention the word Android anywhere in the app, but they never check for basic functionality, and outbound connections
That's basically the halting problem. It is literally impossible for them to catch everything and effectively impossible to catch anything sophisticated until after the fact. Signature matching won't catch a polymorphic virus either.
I expect the toolchain thing gets worse - these guys got hit because they downloaded a compromised toolchain instead of going to the source. Next revision will be malware that infects an already installed toolchain. In fact, I thought I'd already heard about that a few months ago, maybe something the Snowden dump revealed the NSA had already done? I bet we eventually see something that infects source code for iphone apps.
It's going to get ugly. This may be the start of a sea change in app stores.
(Score: 0) by Anonymous Coward on Tuesday September 22 2015, @04:35PM
Apple's fawning press army doesn't read Soylent. So forget about them, let the pain pass, and talk about tech instead of marketing. We who read Soylent are people who build, not people who sell, so it behooves us to spend more time thinking about how we make our builds verifiable and how we make our source code verifiable, than worrying about the avalanche of press-release-turned-story and astroturf that we already know will suffice to draw in page-views to the advertising circlejerk of the "news" sites.
The first step to getting past the bullshit is fixing your sights on what is more important, like security best-practices.
(Score: 2) by FatPhil on Tuesday September 22 2015, @08:24AM
We just need to get that mechanism to be injected into the tools automatically when they're built, and we're there.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 3, Informative) by RedBear on Tuesday September 22 2015, @08:48AM
It's interesting that this is being discussed as if it's some kind of major hack of the App Store itself, when nothing could be further from the truth. This apparently all came about because a bunch of Chinese developers unwisely downloaded a trojanned version of Xcode from some Chinese file sharing site. Hopefully after this developers won't be dumb enough to download their IDE from anyone besides Apple, or at least they'll learn to do a proper CRC check on the downloaded file before trusting it.
I believe they would also need to disable Gatekeeper, the Mac OS X security feature that tries to keep you from running binaries from unknown developers. They would have to turn the security level down to "Allow apps downloaded from: Anywhere" in order to run the compromised Xcode binary. Any idiot should have understood that if their copy of Xcode didn't pass the security verification there was something wrong with it. So there are multiple reasons this should never have happened, and none of the other millions of apps on the App Store were ever at any risk of being compromised if they weren't compiled with this hacked copy of Xcode. This isn't an attack on the App Store, it's an attack on developers who don't understand basic security precautions. As soon as all the affected apps are recompiled with a proper version of Xcode and auto-updated to clients (and nearly all iOS devices are auto-downloading and installing app updates by default at this point) this issue will quickly disappear.
People who seem to know what they're talking about have frequently discussed the fact that if the compiler is compromised it's very difficult to know that the resulting compiled software is compromised, so I have trouble laying much blame for this, if any, at Apple's doorstep. The compiled compromised application is properly signed just like any regular app. Apps compromised in this way, at the compiler level, would find their way quite easily into any Linux package management system just as these apps found their way into the App Store without triggering any alarms.
The one thing that can be laid squarely on Apple's shoulders is the fact that they really do need to improve their content delivery network. It sucks pretty hardcore most of the time, which is what motivated these developers to look for an alternate download source. Xcode is around 5GB these days, and you have to download the whole thing every time there is an update. It takes forever even on a good day. You'd think with all their billions they could do better.
¯\_ʕ◔.◔ʔ_/¯ LOL. I dunno. I'm just a bear.
... Peace out. Got bear stuff to do. 彡ʕ⌐■.■ʔ
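The comment above suggests a "CRC check" on the downloaded Xcode image. A CRC is an error-detection code, not an integrity check against an adversary: anyone who can modify the file can also force its CRC-32 back to the published value by appending four chosen bytes. The script below is an added example (not from this thread, not Apple's or Palo Alto Networks' code) that forges a CRC-32 for a constructed "tampered installer" sample and then shows the check a developer should do instead, comparing a pinned SHA-256 digest in constant time. The sample bytes, the function names and the pinned digest are all constructed for the example; in practice the digest would come from the vendor over an authenticated channel, alongside the installer's code signature.

```python
"""Why a CRC-32 cannot verify a downloaded toolchain, and what to do instead.

Added example, not code from the thread or from any vendor. All sample data
below is constructed for illustration.
"""
import hashlib
import hmac
import zlib

POLY = 0xEDB88320  # reflected CRC-32 polynomial, as used by zlib


def _crc_table():
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = _crc_table()
# The top byte of each table entry is distinct, so it identifies the index.
# That property is what makes the backward walk in forge_crc32 unambiguous.
INDEX_BY_TOP = {t >> 24: i for i, t in enumerate(TABLE)}
assert len(INDEX_BY_TOP) == 256


def forge_crc32(data: bytes, target: int) -> bytes:
    """Return 4 bytes x such that zlib.crc32(data + x) == target."""
    reg = zlib.crc32(data) ^ 0xFFFFFFFF   # internal register after `data`
    want = target ^ 0xFFFFFFFF            # register value needed at the end
    # Backward walk: each step's table index is fixed by the register's top byte.
    indices = []
    for _ in range(4):
        i = INDEX_BY_TOP[want >> 24]
        indices.append(i)
        want = ((want ^ TABLE[i]) << 8) & 0xFFFFFFFF
    indices.reverse()
    # Forward walk from the real register: pick the byte that selects each index.
    out = bytearray()
    for i in indices:
        out.append((reg ^ i) & 0xFF)
        reg = TABLE[i] ^ (reg >> 8)
    return bytes(out)


def verify_sha256(blob: bytes, pinned_hex: str) -> bool:
    """Compare the SHA-256 of a downloaded blob with a pinned digest (constant time)."""
    digest = hashlib.sha256(blob).hexdigest()
    return hmac.compare_digest(digest, pinned_hex)


# Constructed samples standing in for a genuine and a trojaned installer image.
GENUINE = b"Xcode.dmg: genuine installer bytes (constructed sample)\n"
TAMPERED = b"Xcode.dmg: installer with an injected payload (constructed sample)\n"


def demo():
    """Return (crc_matches, sha_matches) for the tampered image."""
    published_crc = zlib.crc32(GENUINE)
    patched = TAMPERED + forge_crc32(TAMPERED, published_crc)
    crc_matches = zlib.crc32(patched) == published_crc   # True: the CRC "verifies" the trojan
    pinned = hashlib.sha256(GENUINE).hexdigest()         # what a developer would pin instead
    sha_matches = verify_sha256(patched, pinned)         # False: SHA-256 catches it
    return crc_matches, sha_matches


if __name__ == "__main__":
    print(demo())
```

The forge works because CRC-32 is linear: the top byte of each table entry uniquely identifies the table index, so the four indices that produce any target register can be read off backwards, and the bytes selecting them are then chosen forwards. No such shortcut exists for SHA-256, and `hmac.compare_digest` avoids leaking how many leading digest characters matched.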
(Score: 0) by Anonymous Coward on Tuesday September 22 2015, @09:30AM
That's what is needed to deter this attack. You compile the free source with 2 compilers and compare the results. Of course this will not work on proprietary software but who cares.
(Score: 2) by PizzaRollPlinkett on Tuesday September 22 2015, @03:45PM
I never thought a hack like this would happen in today's development world, but someone found a true weakness in Apple's locked down ecosystem. Apple still gives away its Xcode bloatware. Anyone can download, modify, and spread it. Any binaries created by the hacked toolchain can be injected into the Apple walled-garden ecosystem, bypassing its locked-down security. Good job to whoever came up with this hack! We've seen that any implicit trust in the locked-down system is exploitable. Of course, the next version of iOS and Xcode will probably require developers to do something to get the development tools from Apple, like pay to get a signed developer key or something, but whatever.
(E-mail me if you want a pizza roll!)
(Score: 0) by Anonymous Coward on Tuesday September 22 2015, @04:46PM
You already did have to pay to get a developer key, if you were distributing software through the Apple stores. That didn't help.
Ultimately the most secure solution is also the most draconian and unreasonable - require release builds to come from Apple's own servers, with devs uploading source code to an Apple-controlled cloud somewhere, to be compiled by Apple's toolchain. Development and testing builds still happen on the dev's computers, but release builds go into the dev's directory on fascistdev.apple.com, and an hour later the app store daemon takes the end result and forwards it to appstore quality control and then to the store itself, without returning to the dev in the interim (better have your testing done first).
I doubt many devs would go along with that, uploading their crown jewels to Apple. I'm sure there's an Apple, Google, Microsoft, or NSA executive somewhere who's salivating at the thought, though.
(Score: 0) by Anonymous Coward on Tuesday September 22 2015, @06:25PM
That just hit me with what could be worse. Since the actual tool chain was compromised, there is a good chance that they have the code-signing keys of the developers. If I were Apple, I'd revoke all of the known compromised keys before other apps that are clean of this but are designed to be malicious manage to slip in using them.
(Score: 0) by Anonymous Coward on Tuesday September 22 2015, @10:03PM
I expect that they revoked the developers' keys before they even e-mailed them to tell them they were compromised. Revoking a key doesn't require someone to draft a letter, a lawyer to look it over, and someone to translate it into Chinese, so it probably was the first task done.
(Score: 2) by darkfeline on Tuesday September 22 2015, @10:44PM
Would this have happened to developers who use editors like Vim or Emacs? I'd wager there's a correlation between using a text editor, knowing how your compiler works, and not downloading untrusted compilers, whereas IDE folks generally have no idea what's going on beyond their cute refactoring features and the Compile and run menu option.
Join the SDF Public Access UNIX System today!