It is confirmed that XcodeGhost will receive commands piggy-backed on the server response. It is capable of sending harassment notifications and sending URL requests, which may lead to direct downloads of apps built with an enterprise certificate. Fortunately, these still require user interaction, and iOS 9 will show extra warnings and block these enterprise deployments by default.

However, the biggest risk is what you said: phishing.



Phishing attacks are not limited to XcodeGhost, and iCloud is not the only target. There is no good way to stop these attacks other than a passive blacklist, since they can't be caught by scanning code. The message contents of the notification dialog are not hard-coded but received over the internet.

Apple could force fingerprints to be scanned by default for all kinds of iCloud authentication. However, they still can't stop phishing attacks targeting different services, such as Battle.NET. Suppose that a contaminated 3rd party "Hearthstone Deck Simulator" app is asking for your Battle.NET account; will you ever be suspicious of it?
Once the target is the users, the humans, technology can only do a little to help.
 
Given this happened a while ago, and people are still waiting for a list of affected apps and using them..... I'm not sure this is being handled that well.

All infected apps should have been pulled from the App Store as soon as Apple became aware; having them be replaced with updated apps leaves the users vulnerable, though it creates an illusion all is fine....

I'm more concerned that more people could join that list, because the apps have not been disclosed.

(I thought they were pulled?)

Regardless, if Apple deletes them from the app store they stay on the users phones. Updating them will remove the issue (as long as users update).

It'd be nice if Apple just replaced the apps with new ones that just say "App being updated" to get them off the phones, I'd rather have that than a list of apps, just update my iTunes and phones and the issue is gone.

Gary
 
That isn't what I was responding to. I thought your comment that "they didn't really think their security through" was a bit unfair. They clearly have thought a lot about security. I also think it's unfair to say that their app store reviews are ineffectual.

They also aren't perfect. This one obviously slipped through, which is disappointing. It could have been much worse though, if they hadn't thought their security through. They deserve credit for the well layered security they do have, and criticism for missing this vector and perhaps not taking it seriously enough when it happened.

How can you say that when they left such a huge gaping hole and their systems didn't detect it? What's the point of reviewing an application if it doesn't actually work? You're saying they did lots of things right but how is that relevant when they also got it so wrong? I guess if FedEx tells you "it was on time right up to the last day" and then was a week late, you'd be ok with that because they did really well until that last day.

"Close enough" is not good enough for a company that strictly controls your device and the applications you can install on it. Users are denied freedom and functionality in the name of security, but now we know that Apple doesn't care that much about security and that they're mostly interested in control.
 
How can you say that when they left such a huge gaping hole and their systems didn't detect it? What's the point of reviewing an application if it doesn't actually work? You're saying they did lots of things right but how is that relevant when they also got it so wrong? I guess if FedEx tells you "it was on time right up to the last day" and then was a week late, you'd be ok with that because they did really well until that last day.

"Close enough" is not good enough for a company that strictly controls your device and the applications you can install on it. Users are denied freedom and functionality in the name of security, but now we know that Apple doesn't care that much about security and that they're mostly interested in control.

I'm not sure I'd call it a huge gaping hole.... this could happen on any kind of computer or device with an OS and apps built by 3rd parties where code libraries are involved.

As for reviewed... yes, they review the apps (which is WAY better than un-reviewed!!!), but that doesn't mean they will be able to catch everything.

As to your analogy... FedEx has actually been late with deliveries. But, their goal is to be on-time, or at least far superior in that regard to their competition. Apple strives to be far superior in terms of the user-experience and security. That doesn't mean stuff won't ever happen.

Where they fall short, IMO, is in how loose they've gotten with their dialogs that ask for credentials. If that were more contained, this particular threat would be mostly a non-issue. (i.e.: if you were playing Angry Birds 2 and a dialog popped up asking you to log in to iCloud, you'd know it was bogus.... not so much anymore.)
 
Bad news for you guys. It's confirmed that a contaminated version of Unity (4.6.4), originating from the same source, was also released into the wild. And this time iOS is not the only target.
Unity? Oh joy...

Would you mind including links to your sources on some of this information-- it would save some people some Googling if you've already got a URL.
 
It is confirmed that XcodeGhost will receive commands piggy-backed on the server response. It is capable of sending harassment notifications and sending URL requests, which may lead to direct downloads of apps built with an enterprise certificate. Fortunately, these still require user interaction, and iOS 9 will show extra warnings and block these enterprise deployments by default.

However, the biggest risk is what you said: phishing.

Phishing attacks are not limited to XcodeGhost, and iCloud is not the only target. There is no good way to stop these attacks other than a passive blacklist, since they can't be caught by scanning code. The message contents of the notification dialog are not hard-coded but received over the internet.
Doesn't Apple have the ability to blacklist certain IP addresses? I thought that was part of their background security updates... The command and control servers are known.
 
I'm not sure I'd call it a huge gaping hole.... this could happen on any kind of computer or device with an OS and apps built by 3rd parties where code libraries are involved.

As for reviewed... yes, they review the apps (which is WAY better than un-reviewed!!!), but that doesn't mean they will be able to catch everything.

As to your analogy... FedEx has actually been late with deliveries. But, their goal is to be on-time, or at least far superior in that regard to their competition. Apple strives to be far superior in terms of the user-experience and security. That doesn't mean stuff won't ever happen.

Where they fall short, IMO, is in how loose they've gotten with their dialogs that ask for credentials. If that were more contained, this particular threat would be mostly a non-issue. (i.e.: if you were playing Angry Birds 2 and a dialog popped up asking you to log in to iCloud, you'd know it was bogus.... not so much anymore.)

I think you're missing what is in Apple's power here. They can analyse all the code and identify pretty much anything they like in terms of API usage and the like. Applying that to security thoroughly is a no-brainer, but Apple had other priorities it seems.

Apple has given itself a lot of power and it hasn't used it for security, that much is clear.
 
I think you're missing what is in Apple's power here. They can analyse all the code and identify pretty much anything they like in terms of API usage and the like. Applying that to security thoroughly is a no-brainer, but Apple had other priorities it seems.

Apple has given itself a lot of power and it hasn't used it for security, that much is clear.
Just because there has been a security issue of some sort (and not necessarily a clear breach at that) doesn't mean that security hasn't been a priority or something that has been essentially ignored. Many things can be better, especially things that in their nature can't be perfect no matter what, but that on its own doesn't mean that they were horrible to begin with.
 
Unity? Oh joy...

Would you mind including links to your sources on some of this information-- it would save some people some Googling if you've already got a URL.

Sure, but that's all in Chinese.

http://drops.wooyun.org/papers/9024

Sorry, it's too long for me to translate. Also, don't count on Google Translate; it's only rubbish when dealing with Chinese.


Doesn't Apple have the ability to blacklist certain IP addresses? I thought that was part of their background security updates... The command and control servers are known.

A blacklist only works with domain names, not IPs, since there are reverse proxies and CDN services like Akamai. If the app resolves the domain name, makes a raw TCP connection, and handles the HTTP transactions all by itself, Apple has no way to stop that.

Besides, a blacklist is also a passive clean-up approach. You can only blacklist someone after something goes wrong. But people are asking Apple to look into a crystal ball to prevent bad things from happening. I don't know how others might think, but it sounds like 'Minority Report' to me.
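The post above contrasts two blocklist keys: domain names, which are precise but only match when the name is visible to the resolver, and IP addresses, which also catch direct connections but sweep up every unrelated tenant on a shared CDN or reverse-proxy edge. The following is an added example, not code from this thread or from Apple, that scores both policies against a handful of constructed connection log lines. Every name, address, app name and log line in it is made up for illustration; the DNS table and the `label=` ground-truth field are assumptions of the example.

```python
"""Compare a domain-keyed blocklist with an IP-keyed one on constructed data.

Added example; the DNS records, blocklist, log format and labels below are
all invented for illustration and do not describe any real host.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed DNS data: the hypothetical C2 name shares an edge address with
# legitimate tenants, as happens behind a CDN or reverse proxy.
DNS_RECORDS = {
    "c2.example": ["203.0.113.10"],
    "shop.example": ["203.0.113.10"],        # unrelated tenant, same edge
    "news.example": ["203.0.113.10"],        # unrelated tenant, same edge
    "standalone.example": ["198.51.100.7"],  # unrelated, own address
}

# Hypothetical blocklist entry (a constructed name, not a real indicator).
BLOCKED_DOMAINS = {"c2.example"}

# Constructed connection log. 'target' is whatever the client asked for:
# a hostname, or an IP literal when the app skips the system resolver.
# 'label' is ground truth we would not normally have; it is here only so
# the two policies can be scored.
SAMPLE_LOG = """\
app=PuzzleGame target=c2.example ip=203.0.113.10 label=c2
app=PuzzleGame target=203.0.113.10 ip=203.0.113.10 label=c2
app=Shopping target=shop.example ip=203.0.113.10 label=benign
app=Reader target=news.example ip=203.0.113.10 label=benign
app=Weather target=standalone.example ip=198.51.100.7 label=benign
"""

LINE_RE = re.compile(r"app=(\S+) target=(\S+) ip=(\S+) label=(\S+)")


@dataclass(frozen=True)
class Connection:
    app: str
    target: str
    resolved_ip: str
    label: str


def parse_log(text):
    """Parse the constructed key=value log lines; malformed lines are skipped."""
    conns = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            conns.append(Connection(*match.groups()))
    return conns


def is_ip_literal(target):
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def ips_for_domains(domains):
    """Expand a set of blocked names into the addresses they currently resolve to."""
    return {ip for d in domains for ip in DNS_RECORDS.get(d, [])}


def domain_policy_blocks(conn):
    """Domain blocklist: only matches when a name is visible; an IP literal never matches."""
    return (not is_ip_literal(conn.target)) and conn.target in BLOCKED_DOMAINS


def ip_policy_blocks(conn):
    """IP blocklist derived from the blocked domains' resolutions."""
    return conn.resolved_ip in ips_for_domains(BLOCKED_DOMAINS)


def score(policy, conns):
    """Count how much C2 traffic the policy blocks or misses, and how much benign
    traffic it blocks as collateral."""
    blocked_c2 = sum(1 for c in conns if policy(c) and c.label == "c2")
    blocked_benign = sum(1 for c in conns if policy(c) and c.label != "c2")
    missed_c2 = sum(1 for c in conns if not policy(c) and c.label == "c2")
    return {"blocked_c2": blocked_c2,
            "blocked_benign": blocked_benign,
            "missed_c2": missed_c2}


def compare_policies(log_text=SAMPLE_LOG):
    conns = parse_log(log_text)
    return {"domain": score(domain_policy_blocks, conns),
            "ip": score(ip_policy_blocks, conns)}


if __name__ == "__main__":
    for name, result in compare_policies().items():
        print(f"{name:6s} {result}")
```

On the constructed log the domain policy blocks one C2 connection, blocks nothing benign, and misses the connection made to the IP literal; the IP policy blocks both C2 connections but also the two legitimate tenants sharing the edge address. That is the trade-off the post describes: neither key gives full coverage without collateral damage, and both are reactive, since the entry only exists after the host is known.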
 
I think you're missing what is in Apple's power here. They can analyse all the code and identify pretty much anything they like in terms of API usage and the like. Applying that to security thoroughly is a no-brainer, but Apple had other priorities it seems.

Apple has given itself a lot of power and it hasn't used it for security, that much is clear.

Let's see what kind of APIs XcodeGhost is calling.

First, it collects user data.
Second, it packs user data.
Third, it sends user data to some server via HTTP.

:eek: Wow! We just found there is exactly one suspicious app that will do such things every few minutes (or seconds): Facebook! Hurry to remove it from your system!
 
Let's see what kind of APIs XcodeGhost is calling.

First, it collects user data.
Second, it packs user data.
Third, it sends user data to some server via HTTP.

:eek: Wow! We just found there is exactly one suspicious app that will do such things every few minutes (or seconds): Facebook! Hurry to remove it from your system!

You're wrongly assuming that Apple can't differentiate the legitimate data streams. It's actually trivial.
 
Just because there has been a security issue of some sort (and not necessarily a clear breach at that) doesn't mean that security hasn't been a priority or something that has been essentially ignored. Many things can be better, especially things that in their nature can't be perfect no matter what, but that on its own doesn't mean that they were horrible to begin with.

No, it means that Apple's security testing and their reviews are ineffectual. Apple are supposed to be good at what they do, not incompetent at something so important.
 
No, it means that Apple's security testing and their reviews are ineffectual. Apple are supposed to be good at what they do, not incompetent at something so important.
Again, missing something doesn't on its own mean that many other things haven't been caught and that what they have been doing has been ineffectual or incompetent.
 
Again, missing something doesn't on its own mean that many other things haven't been caught and that what they have been doing has been ineffectual or incompetent.
So when your expensive surgeon tells you "yeah I cut out all the cancer, oh except a bit I missed" you'll be ok with that, even though you're going to die as a result.

I get your point but it's moot. It makes no difference when you can't trust Apple's security and you pay a huge premium for the phone.
 
So when your expensive surgeon tells you "yeah I cut out all the cancer, oh except a bit I missed" you'll be ok with that, even though you're going to die as a result.

I get your point but it's moot. It makes no difference when you can't trust Apple's security and you pay a huge premium for the phone.
Not really an analogy that describes the same concepts. If police exist to deter and deal with crime but crime still exists, does that mean that that's it, they are incompetent and have always been worthless, and things would be the same if they weren't even there?
 
Not really an analogy that describes the same concepts. If police exist to deter and deal with crime but crime still exists, does that mean that that's it, they are incompetent and have always been worthless, and things would be the same if they weren't even there?
Yes, exactly. It's like the police give everyone tickets for going 1 mile per hour over the limit but they let people get away with murder. Apple harshly limits the phone, but where is the promised benefit?
 
Apple harshly limits the phone, but where is the promised benefit?

Exactly! This was my first thought when the news broke about this. Apple keeps claiming they keep iOS closed because it provides better security, because they can control the content that gets approved. But nasty malware still wound up on their super secure OS.

Because iOS is so popular. Apple should consider after this allowing us to have more control of our iPhone experience.
 
Yes, exactly. It's like the police give everyone tickets for going 1 mile per hour over the limit but they let people get away with murder. Apple harshly limits the phone, but where is the promised benefit?
Or more like police getting people for speeding as well as theft as well as assault as well as murder, but not necessarily catching every single one of those. Surely that's way better than no policing at all and doesn't even come close to meaning that the police are completely incompetent and useless.
 
Or more like police getting people for speeding as well as theft as well as assault as well as murder, but not necessarily catching every single one of those. Surely that's way better than no policing at all and doesn't even come close to meaning that the police are completely incompetent and useless.

Well in this case the police are more like the Stasi, since Apple controls everything, and still people get away with murder.

If you want to apologize for Apple or you think this is inconsequential that's your right, but my point is it flies in the face of what Apple has said and the harsh restrictions they implement.
 
Well in this case the police are more like the Stasi, since Apple controls everything, and still people get away with murder.

If you want to apologize for Apple or you think this is inconsequential that's your right, but my point is it flies in the face of what Apple has said and the harsh restrictions they implement.
So because I don't think what they have been doing is just completely inconsequential and they are just worthless, that means they didn't screw up here and couldn't have and shouldn't be doing better? That's some black and white approach to the world, where most things fall in-between.
 
So because I don't think what they have been doing is just completely inconsequential and they are just worthless, that means they didn't screw up here and couldn't have and shouldn't be doing better? That's some black and white approach to the world, where most things fall in-between.

I didn't say that at all. Apple's control is extreme: you can't install any software that they don't approve. Yet their security was defeated by a simple, obvious attack. That's my point. You're saying, well, they did catch some stuff. I'm saying that's fine, but Google also catches some stuff, and they do it without this draconian control over the device.

Your point seems to be a direct apology for Apple: they did catch some stuff... leave them alone!
 
I didn't say that at all. Apple's control is extreme: you can't install any software that they don't approve. Yet their security was defeated by a simple, obvious attack. That's my point. You're saying, well, they did catch some stuff. I'm saying that's fine, but Google also catches some stuff, and they do it without this draconian control over the device.

Your point seems to be a direct apology for Apple: they did catch some stuff... leave them alone!
Funny, your words were exactly "ineffectual" and "incompetent" when it comes to "what they do", and yet you are trying to say you didn't actually say that. Yet nowhere in what I said were the words "apology" or "leave them alone" or anything else of the sort that you are saying I'm saying. That's a rather good disconnect with plain reality there.
 
Funny, your words were exactly "ineffectual" and "incompetent" when it comes to "what they do", and yet you are trying to say you didn't actually say that. Yet nowhere in what I said were the words "apology" or "leave them alone" or anything else of the sort that you are saying I'm saying. That's a rather good disconnect with plain reality there.

LOL! Nope, I just said I didn't go to the extremes that you claimed I did. I said Apple's security measures are ineffectual and incompetent (if I used those words) because the evidence is clear: their security was breached.

And you don't have to use the word "apology" since you're constantly arguing that Apple hasn't done anything wrong, even in the face of a story that shows the security that owners of iPhones have given up so much for doesn't actually work.
 