 
Apple should have caught the infected apps before approving them, but perhaps the main lesson to be learned here is to take great caution when downloading an app from a third-party server. In particular, download Apple apps from Apple only. This was easily avoidable and unwise developers created a huge mess.

There was no way that Apple was ever going to catch every single program that had security issues. It was going to happen eventually.

I'm certain there are others in the App Store with other issues (just playing the odds). I'm also thinking there are less than in some of the other app stores (being hopeful).

Gary
 
The lesson to be learned is that you can't trust Chinese businesses, not without some research into their business practices anyway. But that's basic internet common sense isn't it?

Well, more precisely, that you can't really trust any business that isn't operating on some system of objective morality. Some societies and cultures are more likely than others to be based on such a thing... and in the West, this quality is in rapid decline. If current trends continue, the question will be *when* the Chinese will pass up the US in that regard.
 
Apple should have caught the infected apps before approving them

How would they do that? It's already been shown in several instances that Apple can't stop Trojan horse apps from getting through. This just looks worse because it was one source tricking numerous developers into delivering the payload for them.
 
The lesson to be learned is that you can't trust Chinese businesses, not without some research into their business practices anyway. But that's basic internet common sense isn't it?
I wouldn't pin this on any one country. Look at the mess Volkswagen just got themselves into. GM let faulty ignition switches keep killing people even after they knew it was happening. Japanese airbags.

Corruption can happen anywhere. It just so happens that a lot of low cost, under-regulated business is happening in China right now. Germany, the US, and Japan don't have that excuse, but they let it happen too. I think it's easy to fall back on stereotypes and say that the events in some countries are "unique" and in other countries it's "endemic" without thinking it through.

Edit: I just noticed you said "internet common sense", which I recognize as being different from actual common sense...
 
I think the best thing they can do for now is suspend all apps who are infected/could be infected by the virus and possibly send an update to patch the malware as soon as possible.

Your response shows just how much FUD is out there. Patch what exactly? The affected developers downloaded a pirated version of Xcode because they didn’t want to wait for the official Apple version. The pirated version has the malware in it and passes it on to the app it compiles. And you do understand that this is almost totally happening in China, not the whole world, right?
 
Of course Apple will downplay the extent of this issue. People should be demanding a 3rd party security audit.

Not to say you didn't try to answer my question, just simply stating Apple should be doing more in a security scenario.

Don't wait for Apple, read about it here...

http://researchcenter.paloaltonetwo...passwords-and-open-urls-though-infected-apps/

The source code of the attack is out in the open, so anyone can take a look and assess the potential damage.
 
I wouldn't pin this on any one country. Look at the mess Volkswagen just got themselves into. GM let faulty ignition switches keep killing people even after they knew it was happening. Japanese airbags.

Corruption can happen anywhere. It just so happens that a lot of low cost, under-regulated business is happening in China right now. Germany, the US, and Japan don't have that excuse, but they let it happen too. I think it's easy to fall back on stereotypes and say that the events in some countries are "unique" and in other countries it's "endemic" without thinking it through.

Edit: I just noticed you said "internet common sense", which I recognize as being different from actual common sense...
Well, this happened as a result of downloading a file from an unreliable source, which to me is under the jurisdiction of internet common sense.
 
The fact that Angry Birds and CamScanner were on that list is a huge thing. A lot of people use those apps.

I know I use CamScanner often and I also have racked up a lot of hours playing Angry Birds 2.

I honestly think this is sloppiness on Apple's part. One of their selling points of iOS is that the App Store is safe. They should have caught this.
 
What bothers me a little bit is that they really don't respond quickly to outside reports of vulnerabilities until they threaten bad press. I almost think they think security through very carefully, and have many very competent people focused on the problem, but suffer from some arrogance induced blindness.

In this case it's been a few days after it was first reported. If, as you say, they think security through very carefully, and have many very competent people focused on the problem, it would probably take a few days to analyse and assess the issue themselves from the report.
 
Yes, but only the version on the Chinese app store.
OH. Well. Is this true for the other apps? Were they all Chinese store only? I assumed that their dev house was just in China and making all versions with built-in language support for different regions.
 
The fact that Angry Birds and CamScanner were on that list is a huge thing. A lot of people use those apps.

I know I use CamScanner often and I also have racked up a lot of hours playing Angry Birds 2.

I honestly think this is sloppiness on Apple's part. One of their selling points of iOS is that the App Store is safe. They should have caught this.
Not all of those apps are the versions available in App Stores outside of China.
 
I'm not sure people really understand what happened here and how it would have been nearly impossible for apple to prevent it. Some developers had the malware INSTALLED into their DEVELOPMENT environments due to their own lack of good security practices. They then compiled the malware into their apps which they uploaded to apple. Apple can't magically know if there is a part of someone's app that is "malware" as opposed to expected behavior. Once the malware was discovered, Apple knew what signature to look for in other apps and applied that filter to find other apps with the same issue.

If anything, this shows how important the closed apple store ecosystem is because Apple was able to recall all the bad apps whereas in an open ecosystem (I'm looking at you Android) those malware apps would be out there forever. People don't like the idea of closed/managed ecosystems even though they are obviously much better for the average user.

If you ever had the expectation that Apple can prevent all possible problems, you now know better. No one can prevent all attacks, especially when people are involved in the process. It has been proven that you can hide latent attacks in compilers that are nearly impossible to discover. Fortunately, compiler writers are pretty good about policing their source.
 
Sounds like it's being handled...

They are letting people know they are on the list, what would you have them do?

Gary
I want Tim Cook to Yell at somebody over this... Yell with strong language!!

I think Apple has enough money to terminate the apps and developers involved.... If only shock troops in white armor weren't already owned by Disney...
 
I thought Apple had that controversial app kill switch? http://www.macworld.com/article/1134930/iphone_killswitch.html

Are they just not using it here? I thought this was what it was for...
I might be mistaken but reading the words carefully reveals what it actually is and what I remember the story to be about: A kill switch in the App Store, not a kill switch for each and every app itself. Just for the store. And as the App Store is basically an HTML wrapper, the kill switch does nothing else than hiding a potentially malicious app in the App Store, or stopping any download immediately. Not more. And that is what Apple has been doing the past few days: Sealing off the potentially malicious apps.

When an app has already been installed though... too late.

Somebody may correct me if I am wrong. But the truth is probably hidden within Apple's security walls. Luckily.
 
I might be mistaken but reading the words carefully reveals what it actually is and what I remember the story to be about: A kill switch in the App Store, not a kill switch for each and every app itself. Just for the store. And as the App Store is basically an HTML wrapper, the kill switch does nothing else than hiding a potentially malicious app in the App Store, or stopping any download immediately. Not more. And that is what Apple has been doing the past few days: Sealing off the potentially malicious apps.

When an app has already been installed though... too late.

Somebody may correct me if I am wrong. But the truth is probably hidden within Apple's security walls. Luckily.
Seems to be a killswitch related to an application blacklist, so it seems to be more related to doing it for particular apps than the App Store, so that it would also affect installed applications.
 
I love my iPhone and iPad and acknowledge that Apple ushered in the age of touch smart phones (sans those horrible little keyboards ... sorry Blackberry users), but I have always hated Apple's arrogant attitude. Go into an Apple store and the Kool-Aid drinking kids who work there just love to gush about Microsoft's horrible products that are all susceptible to viruses and other attacks ... they end with heaping praise on Apple products that are allegedly invulnerable and that Apple "protects" its customers. Well I guess this time Apple failed to protect us. Sadly I have a feeling the larger Apple gets, the more products/services they offer, the more distracted their leadership will become.

Oh ok. While I get there is a certain arrogance to staff at an Apple Store -- how bout try and sit in this company's shoes for a day...

It's gone thru EXPLOSIVE growth in a very short period of time -- it's gone from a core customer oriented company ( I think that's what you miss ) to a company that now serves the mass market.

I'm sure you get the difference and the challenges they faced just because they became incredibly popular and continue to grow. Imagine the sheer amount of customers that literally attempt to scam them -- from trying to get their phones replaced for free because "they" wrecked it -- to free screen replacements because you dropped your iPad... See what I mean? You just expect that "nice" Apple should just say "yes" and play nice... Honestly the mass market public is generally pretty slimy at times so Apple being a mean "cop" per se is part of the territory..

Let me take this further... Where else can you go.. Where ? Where there's Phone support? In store WALK IN repairs, FREE SOFTWARE UPDATES ROUTINELY, replacements, exchanges, mail in repairs, chats, return calls, senior engineers giving out their private numbers etc etc etc. Apparently you've NEVER dealt with DELL, HP, ADOBE, GOOGLE, UBER, oh whatever -- I mean seriously folks... This company sold a QUARTER BILLION IPHONES in a YEAR.. Do you honestly -- honestly *think* that that kind of growth is not going to come at some expense to someone? Seriously. Apparently perfection is the only reality some of you will accept today. Can you only imagine the literal assault this company takes everyday to its security??????
Really.
 
Well I guess this time Apple failed to protect us.

Failed? I missed where YOU were directly impacted.. I wasn't.

I'm certain APPLE is protecting us more than any of us want to know...

Do you really think that APPLE, GOOGLE, SAMESONG, MICRO$OFT, etc aren't the target of endless security attacks every second of everyday????

If you don't -- you're not living in the REAL WORLD..

If you've put all your faith in private corporations to ensure your safety and security -- I wish you well!
 
Can we please get a reply as to what the malicious code was doing? Was it doing nothing? Was it sending banking IDs and passwords? Either this is a big deal or it's an annoyance. It all depends on what the malicious code was doing...
According to Apple's info, it appears to have been just an annoyance without vital/critical info having been passed on:

"Relevant portions of the Apple FAQ for users:

How does this affect me? How do I know if my device has been compromised?
We have no information to suggest that the malware has been used to do anything malicious or that this exploit would have delivered any personally identifiable information had it been used.

We’re not aware of personally identifiable customer data being impacted and the code also did not have the ability to request customer credentials to gain iCloud and other service passwords.

As soon as we recognized these apps were using potentially malicious code we took them down. Developers are quickly updating their apps for users.

Malicious code could only have been able to deliver some general information such as the apps and general system information.

Is it safe for me to download apps from App Store?
We have removed the apps from the App Store that we know have been created with this counterfeit software and are blocking submissions of new apps that contain this malware from entering the App Store.

We’re working closely with developers to get impacted apps back on the App Store as quickly as possible for customers to enjoy.

A list of the top 25 most popular apps impacted will be listed soon so users can easily verify if they have downloaded the latest versions of these apps. After the top 25 impacted apps, the number of impacted users drops significantly.

Customers will be receiving more information letting them know if they’ve downloaded an app/apps that could have been compromised. Once a developer updates their app, that will fix the issue on the user’s device once they apply that update."
 
In this case it's been a few days after it was first reported. If, as you say, they think security through very carefully, and have many very competent people focused on the problem, it would probably take a few days to analyse and assess the issue themselves from the report.
I wasn't only talking about this case, there have been a number of cases where Apple was made aware of vulnerabilities and reacted far too slowly-- measured in months.


Once an article goes up saying "there's a fraudulent compiler in the wild", I don't think it would take long to verify that and start taking action. It only took Palo Alto Research a day or so to work out what was going on. At the very least notify the developer community that this is happening, ask devs to report if they are using a shady compiler, pull those apps, give approval priority for updates to those apps, and all the while work with your developers and your internal security experts to figure out what the extent of the damage is.

If all that came of this is that someone stockpiled UUIDs, then that was the best possible outcome. They should be treating every breach as though it exposes their customers' identity and bank account because one day it will.

Doing that would have led to some tough questions that they wouldn't have been ready to answer though, like "can this happen again?"
 
I want Tim Cook to Yell at somebody over this... Yell with strong language!!

I think Apple has enough money to terminate the apps and developers involved.... If only shock troops in white armor weren't already owned by Disney...

LOL

Actually, I think they have been handling this particular incident fairly well, aside from maybe understating the potential from a PR perspective (which pretty much any big company is going to do).

And I agree in that I wouldn't be opposed to them taking some fairly strong action against developers who downloaded this from a 3rd party source... if you're doing that kind of stuff, you should be in the business.

I guess my concern, though, is more the preemptive big-picture, for which they could actually do a good bit more. But it doesn't have much of a direct connection to this issue in particular. This kind of thing is fairly hard to prevent.
 