Apple has said it is taking steps to remove malicious code added to a number of apps commonly used on iPhones and iPads in China.
It is thought to be the first large-scale attack on Apple's App Store.
The hackers created a counterfeit version of Apple's software for building iOS apps, which they persuaded developers to download.
Apps compiled using the tool allow the attackers to steal data about users and send it to servers they control.
Cybersecurity firm Palo Alto Networks - which has analysed the malware dubbed XcodeGhost - said the perpetrators would also be able to send fake alerts to infected devices to trick their owners into revealing information.
It added they could also read and alter information in compromised devices' clipboards, which would potentially allow them to see logins copied to and from password management tools.
takyon: Affected apps include WeChat, NetEase's music downloading app, Didi Kuaidi's Uber-like car hailing app, the business card scanner CamCard, and more.
(Score: 3, Insightful) by frojack on Tuesday September 22 2015, @05:01AM
Every time an article hits the mainstream press about any kind of flaw in anything Apple, there will be a flurry of articles from all corners of the press revealing horrible and egregious flaws in Android. You can just about make book on it. So google news in three, two, one.....
No, you are mistaken. I've always had this sig.
(Score: 2, Informative) by Anonymous Coward on Tuesday September 22 2015, @05:53AM
Granted. But I think there's more of a story here that you're overlooking. This was first and foremost an attack on developers, who should know better than to grab copies of their dev toolchain from untrusted sources. Nobody with a walled garden seems to have a way to guard against that -- to verify that builds came from clean toolchains. Apple has, according to the article, managed to detect signatures of the malware and pull the problematic builds, contact the devs, and get them to use clean compilers. But, now that the rabbit is out of the hat, how do we guard against similar problems in the future on other platforms?
(Score: 2) by frojack on Tuesday September 22 2015, @06:10AM
Well clearly Apple's malware scanning wasn't up to scratch.
They will reject apps that happen to mention the word Android anywhere in the app, but they never check for basic functionality, and outbound connections? Sure they got duped. Now they need to step up their game, and they have been taught a lesson on how to do it.
None of this is my point. Pretty sure Apple will survive without my advice.
The point I was making is that Apple will put the word out to its fawning press Army which will now swamp the pages to mask out this event in a way that no Android manufacturer would even bother to try.
No, you are mistaken. I've always had this sig.
(Score: 0) by Anonymous Coward on Tuesday September 22 2015, @07:33AM
> They will reject apps that happen to mention the word Android anywhere in the app, but they never check for basic functionality, and outbound connections
That's basically the halting problem. It is literally impossible for them to catch everything and effectively impossible to catch anything sophisticated until after the fact. Signature matching won't catch a polymorphic virus either.
I expect the toolchain thing gets worse - these guys got hit because they downloaded a compromised toolchain instead of going to the source. Next revision will be malware that infects an already installed toolchain. In fact, I thought I'd already heard about that a few months ago, maybe something the Snowden dump revealed the NSA had already done? I bet we eventually see something that infects source code for iPhone apps.
It's going to get ugly. This may be the start of a sea change in app stores.
(Score: 0) by Anonymous Coward on Tuesday September 22 2015, @04:35PM
Apple's fawning press army doesn't read Soylent. So forget about them, let the pain pass, and talk about tech instead of marketing. We who read Soylent are people who build, not people who sell, so it behooves us to spend more time thinking about how we make our builds verifiable and how we make our source code verifiable, than worrying about the avalanche of press-release-turned-story and astroturf that we already know will suffice to draw in page-views to the advertising circlejerk of the "news" sites.
The first step to getting past the bullshit is fixing your sights on what is more important, like security best-practices.
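Two posts above ask the same practical question: how a developer verifies that a toolchain came from a clean source and that builds are verifiable. The script below is an added example written for this thread, not code from the BBC article, Palo Alto Networks, Apple, or any commenter. It shows the two checks a defender would actually run: pinning the SHA-256 digest of a downloaded toolchain archive to a value obtained out of band from the vendor's official channel, and comparing independently produced build artifacts to confirm the build is reproducible. The archive contents, the tampered mirror copy, the pinned digest, and the build outputs are all constructed inside the script for demonstration.

```python
"""Toolchain provenance and reproducible-build checks (added example).

Assumptions: the expected SHA-256 digest is obtained from the vendor's
official distribution channel, not from the same mirror that served the
archive. Every file below is constructed for the demonstration.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1024 * 1024  # stream large archives instead of loading them whole


def sha256_of_file(path: str) -> str:
    """Return the hex SHA-256 of a file, reading it incrementally."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_toolchain(path: str, expected_sha256: str) -> bool:
    """True only if the archive's digest equals the pinned value.

    hmac.compare_digest compares in constant time so the result does not
    leak how many leading characters matched.
    """
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual.lower(), expected_sha256.lower())


def builds_reproducible(artifact_paths) -> bool:
    """True if every artifact built from the same source has an identical digest."""
    digests = {sha256_of_file(p) for p in artifact_paths}
    return len(digests) == 1


def demo() -> dict:
    """Constructed scenario: a genuine archive, a silently altered mirror copy,
    and two builds of the same source from separate machines."""
    with tempfile.TemporaryDirectory() as d:
        genuine = os.path.join(d, "toolchain.tar")
        tampered = os.path.join(d, "toolchain-from-mirror.tar")
        with open(genuine, "wb") as f:
            f.write(b"constructed toolchain bytes\n" * 1000)
        with open(tampered, "wb") as f:
            # identical except for one trailing byte, which a visual check would miss
            f.write(b"constructed toolchain bytes\n" * 999 + b"constructed toolchain bytes!\n")
        # stands in for the digest published by the vendor (constructed here)
        pinned = sha256_of_file(genuine)

        build_a = os.path.join(d, "app-build-a.bin")
        build_b = os.path.join(d, "app-build-b.bin")
        for p in (build_a, build_b):
            with open(p, "wb") as f:
                f.write(b"constructed deterministic build output")

        return {
            "genuine_ok": verify_toolchain(genuine, pinned),
            "tampered_ok": verify_toolchain(tampered, pinned),
            "reproducible": builds_reproducible([build_a, build_b]),
        }


if __name__ == "__main__":
    print(demo())
```

The digest check only helps if the pinned value really does come from a channel the mirror operator cannot influence; the reproducibility check catches a toolchain that injects code, because two clean builds of the same source agree while a build from a modified compiler differs from one made with the vendor's.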