This could be Apple asking for it...

If Apple actually wanted to verify, why let the user do it... and only after they install Xcode themselves?

Even if Gatekeeper is turned off for reasons, Apple still should have built-in technologies to verify only their software before installing.

This way third party software isn't affected, but if it's not signed by Apple, yet has the same file name, it will be blocked from installing.

I bet Apple could do something like this in the future.
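The check the post above is asking for already exists on the Mac side in Gatekeeper's assessment tool. As an added example (not code from this thread or from Apple), the script below wraps `spctl --assess --verbose` to decide whether an installed Xcode.app is Apple-signed; it assumes Xcode lives at /Applications/Xcode.app and that a genuine copy reports a source of Mac App Store, Apple, or Apple System.

```shell
#!/bin/sh
# Added example, not code from the thread or from Apple: a defender-side check
# that an installed Xcode.app is the genuine Apple-signed build, built on the
# verdict printed by `spctl --assess --verbose`.
# Assumptions: Xcode lives at /Applications/Xcode.app (override with XCODE_APP);
# a genuine copy reports source=Mac App Store, Apple, or Apple System.

XCODE_APP="${XCODE_APP:-/Applications/Xcode.app}"

# Parse spctl output (path: verdict on one line and source=... on the next, or
# both on one line) and return 0 only for "accepted" from an Apple-controlled
# source. Anything else (Developer ID, ad-hoc, unsigned, rejected) returns 1.
xcode_source_ok() {
    accepted=0
    src=""
    while IFS= read -r l; do
        case "$l" in
            *": accepted"*) accepted=1 ;;
        esac
        case "$l" in
            source=*)     src="${l#source=}" ;;
            *" source="*) src="${l##* source=}" ;;
        esac
    done <<EOF
$1
EOF
    [ "$accepted" -eq 1 ] || return 1
    case "$src" in
        "Mac App Store"|"Apple"|"Apple System") return 0 ;;
        *) return 1 ;;
    esac
}

# Print any Gatekeeper override spctl reports (e.g. "security disabled" when
# Gatekeeper is turned off); empty output means the verdict was not overridden.
gatekeeper_override() {
    printf '%s\n' "$1" | sed -n 's/^override=//p'
}

# Live check on a Mac: run spctl on the installed Xcode and apply the policy above.
check_xcode() {
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not available; run this on macOS" >&2
        return 2
    fi
    verdict="$(spctl --assess --verbose "$XCODE_APP" 2>&1)"
    ov="$(gatekeeper_override "$verdict")"
    if [ -n "$ov" ]; then
        echo "note: Gatekeeper override in effect ($ov); verdict is less trustworthy" >&2
    fi
    if xcode_source_ok "$verdict"; then
        echo "OK: $XCODE_APP is Apple-signed"
        return 0
    fi
    echo "WARNING: $XCODE_APP is not a genuine Apple build; reinstall from the Mac App Store or developer.apple.com" >&2
    return 1
}

# Constructed sample verdicts (not real spctl captures) to exercise the parser.
SAMPLE_GENUINE="/Applications/Xcode.app: accepted
source=Mac App Store"
SAMPLE_REPACKAGED="/Applications/Xcode.app: accepted
source=Developer ID
override=security disabled"

if xcode_source_ok "$SAMPLE_GENUINE"; then echo "sample 1: genuine Apple source"; fi
if ! xcode_source_ok "$SAMPLE_REPACKAGED"; then echo "sample 2: not Apple-signed"; fi
if [ -n "${XCODE_LIVE_CHECK:-}" ]; then check_xcode; fi
```

Set XCODE_LIVE_CHECK=1 on a Mac to run the check against the real install; without it the script only exercises the parser on the constructed samples.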
 
{shortened rant}Apparently you've NEVER dealt with DELL, HP, ADOBE, GOOGLE, UBER, oh whatever -- I mean seriously folks... This company sold a QUARTER BILLION IPHONES in a YEAR.. Do you honestly -- honestly *think* that that kind of growth is not going to come at some expense to someone? Seriously. Apparently perfection is the only reality some of you will accept today. Can you only imagine the literal assault this company takes everyday to its security??????
Really.

We're consumers. We, for the most part, don't care. We being the general public, not techies. Apple's systems aren't assaulted any more or less than any of those other companies you mentioned. They jumped relatively quickly to start remediation. As they should. Apple touts privacy and security as hallmarks of their products. They make it a very important part of marketing their products. When it fails, some people are going to be disappointed. Disappointed people sometimes level criticism. Yeah, some of it is hyperbolic, but no more hyperbolic than some of the apologist statements made by others. In the end, it really won't matter. We live in a world with the collective attention span of a goldfish with Alzheimer's. Something else will hit the news cycle and this will be nothing but a distant memory. No need for caps lock. :D
 
Once an article goes up saying "there's a fraudulent compiler in the wild", I don't think it would take long to verify that and start taking action. It only took Palo Alto Research a day or so to work out what was going on. At the very least notify the developer community that this is happening, ask devs to report if they are using a shady compiler, pull those apps, give approval priority for updates to those apps, and all the while work with your developers and your internal security experts to figure out what the extent of the damage is.

The first reference to this was four days ago afaik, personally I don't think that is too long.
 
According to Apple's info, it appears to have been just an annoyance without vital/critical info having been passed on:

"Relevant portions of the Apple FAQ for users:

How does this affect me? How do I know if my device has been compromised?
We have no information to suggest that the malware has been used to do anything malicious or that this exploit would have delivered any personally identifiable information had it been used.

We’re not aware of personally identifiable customer data being impacted and the code also did not have the ability to request customer credentials to gain iCloud and other service passwords.

As soon as we recognized these apps were using potentially malicious code we took them down. Developers are quickly updating their apps for users.

Malicious code could only have been able to deliver some general information such as the apps and general system information.

Is it safe for me to download apps from App Store?
We have removed the apps from the App Store that we know have been created with this counterfeit software and are blocking submissions of new apps that contain this malware from entering the App Store.

We’re working closely with developers to get impacted apps back on the App Store as quickly as possible for customers to enjoy.

A list of the top 25 most popular apps impacted will be listed soon so users can easily verify if they have downloaded the latest versions of these apps. After the top 25 impacted apps, the number of impacted users drops significantly.

Customers will be receiving more information letting them know if they’ve downloaded an app/apps that could have been compromised. Once a developer updates their app, that will fix the issue on the user’s device once they apply that update."

Most of it sounds like not too big of a deal.

But, my understanding is that it would enable a phishing attack type situation where the malicious app could pop up a dialog and take input. In other words, they could pop up a message that looked like one of Apple's asking for your Apple ID or iCloud password.... which Apple has trained us happens quite often in various apps lately. So, a lot of people would probably enter it.

I'm not sure if they had that and some other info available, they'd have access to your Apple account. That's not a good thing at all... and if that's the case, that's kind of not what Apple is inferring with their FAQ.
 
The first reference to this was four days ago afaik, personally I don't think that is too long.
Story broke on the 16th, it appears. This wasn't a hypothetical vulnerability, it was a live exploit that they were distributing through their own curated portals around the world. If it was wire transferring funds to Somali banks, or bricking phones, 6 days is a long time. I think it doesn't feel too long because nothing horrible seems to have happened this time around.

Maybe there was more going on than I've seen, and maybe they knew it was of little consequence, but I'd have liked to see things move more quickly and loudly. If they respond aggressively to the little things, I'm more confident that they'll respond aggressively to the big ones.
 
Story broke on the 16th, it appears. This wasn't a hypothetical vulnerability, it was a live exploit that they were distributing through their own curated portals around the world. If it was wire transferring funds to Somali banks, or bricking phones, 6 days is a long time. I think it doesn't feel too long because nothing horrible seems to have happened this time around.

Just a minor correction, the date on the post says 17th. :)

Maybe there was more going on than I've seen, and maybe they knew it was of little consequence, but I'd have liked to see things move more quickly and loudly. If they respond aggressively to the little things, I'm more confident that they'll respond aggressively to the big ones.

I see what you are saying; on the other hand, it makes sense to adjust the response to the severity of the situation. If I have to choose between fast and aggressive and a bit slower and thoughtful, I'd pick the last option.
 
Apple should have caught the infected apps before approving them, but perhaps the main lesson to be learned here is to take great caution when downloading an app from a third-party server. In particular, download Apple apps from Apple only. This was easily avoidable and unwise developers created a huge mess.

Technically the injected code had done nothing "bad". It's still under Apple's restrictions, so it can't savage your system or access anything you have not permitted. Besides, an app *IS* supposed to collect data and send it back. Apple has no way to recognize whether you intentionally designed your app with such behavior, unless you've declared your app as a networking-less type, such as a flashlight.

The only "problem" is that the creators were unaware of such behavior. However, it's the developer, not Apple, that is responsible for the apps behaving as expected. Apple's responsibility is to check whether there is any illegitimate usage in code and contents, and these XcodeGhost-injected apps did not violate anything.
 
Just a minor correction, the date on the post says 17th. :)

I see what you are saying; on the other hand, it makes sense to adjust the response to the severity of the situation. If I have to choose between fast and aggressive and a bit slower and thoughtful, I'd pick the last option.
Yeah, the post I linked is dated Thursday the 17th, but it starts with "On Wednesday, Chinese iOS developers disclosed a new OS X and iOS malware on Sina Weibo. Alibaba researchers then posted an analysis report on the malware, giving it the name XcodeGhost." Assuming they mean the Wednesday before the Thursday it was posted, then the story broke on the 16th. ;)

I'm all for a measured response, but I'm not sure how you know the severity until you've responded and fully understand what you're dealing with. In the meantime I think they could have been more vocal and proactive.

A compromised compiler is much like black smoke over a city-- you may not know exactly what's happening, or how big a deal it will be, but it's got no business being there, it's almost certainly not good, and you're already behind. That's why fire departments rarely take a wait-and-see approach.

Apple's systems have been remarkably secure and a lot of that is good design, but they can't be perfect and I don't expect them to be. What I do expect though, is for them to be vigilant.
 
Sounds like it's being handled...

They are letting people know they are on the list, what would you have them do?

Gary

Given this happened a while ago, and people are still waiting for a list of affected apps and using them..... I'm not sure this is being handled that well.

All infected apps should have been pulled from the App Store as soon as Apple became aware; having them be replaced with updated apps leaves the users vulnerable, though creates an illusion all is fine....

I'm more concerned that more people could join that list, because the apps have not been disclosed.
 
All infected apps should have been pulled from the App Store as soon as Apple became aware; having them be replaced with updated apps leaves the users vulnerable, though creates an illusion all is fine....

Actually, I think pulling them from the store does nothing besides keeping new people from downloading them. To fix the issue, a fixed update needs to be released and the person needs to update. All the people with the bad version of the app who don't update will keep the problem no matter what Apple does, unless Apple can somehow 'patch' the problem at a lower system level.
 
For those of you complaining about what a supposedly bad job Apple does with security, consider the fact that (despite years and years of developers and users whining about it) Apple has maintained a very strict sandboxing policy with iOS apps. Apps can't just arbitrarily peek into the business of other apps or tweak system settings or install other apps or read any information from any part of the system they want. Hell, they can't even run in the background without restrictions imposed by the OS--yet another thing people have complained about.

Yes, this security breach was a big problem but it was more or less neutered by Apple's attention to detail and preemptive planning. This vulnerability couldn't be turned into anything more harmful than a theoretical phishing attempt (something, I should point out, that can be done with Safari and Javascript as well so... you know, those of you who are so upset by this probably shouldn't use Safari on iOS anymore.)

I'd say the fact that such a shockingly large breach of the App Store was headed off by numerous other security measures put in place by Apple should be reason for praise. Instead, some of you seem determined to turn this molehill into a mountain no matter how irrational that is.
 
For those of you complaining about what a supposedly bad job Apple does with security, consider the fact that (despite years and years of developers and users whining about it) Apple has maintained a very strict sandboxing policy with iOS apps. Apps can't just arbitrarily peek into the business of other apps or tweak system settings or install other apps or read any information from any part of the system they want. Hell, they can't even run in the background without restrictions imposed by the OS--yet another thing people have complained about.

Yes, this security breach was a big problem but it was more or less neutered by Apple's attention to detail and preemptive planning. This vulnerability couldn't be turned into anything more harmful than a theoretical phishing attempt (something, I should point out, that can be done with Safari and Javascript as well so... you know, those of you who are so upset by this probably shouldn't use Safari on iOS anymore.)

I'd say the fact that such a shockingly large breach of the App Store was headed off by numerous other security measures put in place by Apple should be reason for praise. Instead, some of you seem determined to turn this molehill into a mountain no matter how irrational that is.

This should be a lesson to everyone that you cannot be complacent. Apple, like everyone, can be targeted in this day and age. The worst are the people that downplay the dangers and believe that Apple is outside the reach of hackers and malware.... No company is!
 
Why only the top N apps infected?! Shouldn't they list and take down all the apps infected? I don't think there's any reason to protect the developers here-- they made a grave error and should be accountable to it.

Why are they only sharing this information in China-- some of those apps are used globally.

Why did this take so long to provoke a reaction? When this report first came out 6 days ago, Apple should have sounded an internal alarm and gotten information within hours that would lead to action the same day.

I get that this isn't the end of the world; it's most likely a minor trojan that was most likely thwarted by Apple's security design. Still, it shouldn't be taken this casually. I don't care if the big picture impact is minimal-- we rely on App Store review to protect us from this nonsense, and it was circumvented because someone created a rogue version of an Apple branded product. I'd feel much more comfortable if Apple had moved on this more aggressively.

I think it shouldn't be taken that casually either, but on the other hand, it has mostly affected those who have unlocked their phones. Those who stayed loyal to Apple and didn't unlock their phones probably stayed safe. More than that, I do agree that Apple has opened the system a bit too much for developers, and that is one of the consequences.
 
I think that's a bit unfair. Apple software is remarkably secure, and they do take a lot of proactive steps to keep it that way. Sandboxing, code signing, Gatekeeper, App Store approvals, etc. all get a lot of resistance when they come out, but have had a positive effect on security.

What bothers me a little bit is that they really don't respond quickly to outside reports of vulnerabilities until they threaten bad press. I almost think they think security through very carefully, and have many very competent people focused on the problem, but suffer from some arrogance induced blindness.

How is it unfair when they review each application destined for the store? That now seems ineffectual or not security related, as Apple claims.
 
I just got an update for WinZip with the description "Addresses security issues related to XCode. It is recommended that all users install this update." I haven't used that app in well over a year so I'm not particularly worried, but still, how did the official WinZip developer fall for this?
 
Wasn't Angry Birds 2 on the list? If it was infected, I'm pretty sure Apple is going to have to do something beyond posting something to their Chinese website. My sister had CamScanner installed which lets you take images of documents and turn them into PDFs. I also had Mercury Browser installed, although I think there has been some confusion as to whether or not that was the app that was affected.

Isn't Apple supposed to have a kill switch for these situations? Seems like it would be a good time to pull that lever.
Well, if a Chinese user gets up and finds his/her "beloved" WeChat is gone with no apparent reason, I guess that user would feel really shocked and think their phone is surely hacked by something capable of removing apps while they sleep.
 
Well, if a Chinese user gets up and finds his/her "beloved" WeChat is gone with no apparent reason, I guess that user would feel really shocked and think their phone is surely hacked by something capable of removing apps while they sleep.
Which is worse: To know you've been hacked but prevent damage to the user, or to actually be hacked and not know about it? I'd take the "Nuke it from orbit!" approach, but perhaps that's why I'm not the CEO of the largest company on earth. Although if this thing really isn't that bad and I had all the information in front of me I could make a more informed decision.
 
Although if this thing really isn't that bad and I had all the information in front of me I could make a more informed decision.
Well. You are right at this point.
As conventional users, we know much less than those frontline tech specialists know. However, whether for us or for them, if it is possible to get a full picture of this issue, panic and anxiety will decrease dramatically, I think.
I was shocked the first time I learned this, because I use some apps on the list actively and I cannot find alternatives. After reading more about this security flaw, I think I don't really need to worry that much about it.
 
I love my iPhone and iPad and acknowledge that Apple ushered in the age of touch smart phones (sans those horrible little keyboards ... sorry Blackberry users), but I have always hated Apple's arrogant attitude. Go into an Apple store and the Kool-Aid drinking kids who work there just love to gush about Microsoft's horrible products that are all susceptible to viruses and other attacks ... they end with heaping praise on Apple products that are allegedly invulnerable and that Apple "protects" its customers. Well, I guess this time Apple failed to protect us. Sadly, I have a feeling the larger Apple gets, and the more products/services they offer, the more distracted their leadership will become.

Have you been to a M$ store lately? They bash any other non-M$ competitor whether computers, Software, Games you name it...I haven't experienced anyone at the Apple Store bashing other beyond them not agreeing it's a good product.

I don't mind them drinking the Kool Aid and liking their products to be honest on both sides because that's what they're supposed to do!

One time me and my friend were playing with the XBox 360 and talking about how great of a system it is but too bad they wanted to only sell digital games etc. Then this eavesdropping associate comes in heavy firing about that decision from M$ was the most amazing thing blah blah...
 
How is it unfair when they review each application destined for the store? That now seems ineffectual or not security related, as Apple claims.
That isn't what I was responding to. I thought your comment that "they didn't really think their security through" was a bit unfair. They clearly have thought a lot about security. I also think it's unfair to say that their app store reviews are ineffectual.

They also aren't perfect. This one obviously slipped through, which is disappointing. It could have been much worse though, if they hadn't thought their security through. They deserve credit for the well layered security they do have, and criticism for missing this vector and perhaps not taking it seriously enough when it happened.
 
I thought Apple had that controversial app kill switch? http://www.macworld.com/article/1134930/iphone_killswitch.html
Are they just not using it here? I thought this was what it was for...

A kill switch is to deactivate one app's certificate, which includes *ALL* versions of that app. And the XcodeGhost-injected apps are limited to a narrow range of releases. There is no reason to kill the "safe" versions. It's the users' judgement whether they should further trust those developers who have downloaded their tools from some unknown source.
 
A kill switch is to deactivate one app's certificate, which includes *ALL* versions of that app. And the XcodeGhost-injected apps are limited to a narrow range of releases. There is no reason to kill the "safe" versions. It's the users' judgement whether they should further trust those developers who have downloaded their tools from some unknown source.
However, for the target of this wave, Chinese users, if they don't trust Tencent, then they would have no other equivalent choice in the market. Literally, they have no choice, whether they want one or not, or it will just lock them up.
 
OH. Well. Is this true for the other apps? Were they all Chinese store only? I assumed that their dev house was just in China and making all versions with built-in language support for different regions.

Bad news for you guys. It's confirmed that a contaminated version of Unity (4.6.4), originating from the same source, was also released into the wild. And this time iOS is not the only target.
 
Most of it sounds like not too big of a deal.

It is confirmed that XcodeGhost will receive commands piggy-backed on the server response. It's capable of sending harassment notifications and URL requests, which may lead to direct download of apps built with an enterprise certificate. Fortunately, these still require user interaction, and iOS 9 will show extra warnings and block these enterprise deployments by default.

However, the biggest risk is what you said: phishing.

But, my understanding is that it would enable a phishing attack type situation where the malicious app could pop up a dialog and take input. In other words, they could pop up a message that looked like one of Apple's asking for your Apple ID or iCloud password.... which Apple has trained us happens quite often in various apps lately. So, a lot of people would probably enter it.

Phishing attacks are not limited to XcodeGhost, and iCloud is not the only target. There is no good way to stop these attacks other than a passive blacklist, since they can't be caught by scanning code. The message contents of the notification dialog are not hard-coded but received over the internet.

Apple could force fingerprints to be scanned by default for all kinds of iCloud certifications. However, they still can't stop phishing attacks targeting different services, such as Battle.NET. Suppose that a contaminated 3rd party "Hearthstone Deck Simulator" app is asking for your Battle.NET account; will you ever be suspicious of it?
 