Just how I like to start off my Sunday morning. App Store security gets bypassed.

Download Xcode from Apple's servers... it's worth the wait time.

It seems that Apple China has an incompetent agent in charge of developer communications. I am sure a lot of developers complained to Apple about the slow speed before this, and all of the complaints were disregarded.
 
Good analysis, but there is something Apple could have done, and I have been saying as much for over a year. Here's the more strongly worded one:

They should ban their in-house teams from throwing up a password request box. Absolute ban. It has got out of hand recently with stock apps asking for the password without any justification or explanation and pretty much at random. I've said it over and over, Apple have been training their users for exactly this scenario - enter password whenever anyone asks. If an app needs the iCloud password it should instruct the user to enter it in the appropriate settings page. Train users: only the settings app should be trusted with passwords.


100% agree!
 
Perhaps what Xcode should do is include an option to compile "for final release" (regular testing compiles would happen on the device) which uploads the code via HTTPS to Apple's servers (with App Store credentials) to be compiled with a known standard version of Xcode in the cloud and signed with one of Apple's private keys. They could take this a step further and make this option "deploy to App Store", which takes your developer credentials, source code and developer certificate and uploads the whole package for remote inspection, compilation and submission to the App Store. This could even allow for better app inspection: right now Apple doesn't see your source code; with this procedure they could.

Perhaps Apple could also scan the code for any IP network communication commands to static hosts/IPs and possibly require that the developer provide some sort of evidence that they "own" those hosts (i.e. a DNS token, etc...).

I.e. if the app includes a keylogger, it will likely include some standard IP communication to some fixed host to upload this data.



-----------------
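The "scan the app for communication to static hosts/IPs" step proposed in the post above, written out as an added example in Python. This is not code from the original thread, from Apple or from Xcode. It pulls printable runs out of an app binary the way the `strings` tool does, extracts anything that looks like a URL, a hostname or an IPv4 literal, and reports every endpoint the developer has not declared as their own. The sample binary bytes, the hostnames inside it, the declared-host list and the small TLD list are all constructed for this example (reserved example.com / example.net names and a TEST-NET address); the "DNS token" ownership proof mentioned in the post is assumed to have produced the declared-host list.

```python
"""Added example: flag hard-coded network endpoints in an app binary that the
developer has not declared as their own.  Not code from the original thread,
Apple or Xcode; sample data below is constructed."""
from __future__ import annotations

import re

MIN_STRING_LEN = 6   # same default as the `strings` tool

# Hostnames pulled from raw binaries are noisy (Foo.framework, image.png, ...),
# so a bare hostname only counts when its last label is in this deliberately
# small, illustrative TLD list (assumption for the example).  URLs with an
# explicit scheme always count.
TLDS = {"com", "net", "org", "io", "cn", "co", "me", "info", "biz", "cc", "tv"}

_URL_RE = re.compile(rb"(?:https?|wss?)://([A-Za-z0-9.-]+)(?::\d+)?(?:/[^\s\"']*)?")
_HOST_RE = re.compile(rb"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)
_IPV4_RE = re.compile(rb"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def printable_strings(blob: bytes, min_len: int = MIN_STRING_LEN):
    """Yield runs of printable ASCII at least min_len bytes long (like `strings`)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.group(0)


def extract_endpoints(blob: bytes) -> set[str]:
    """Return every URL host, bare hostname with a known TLD, and IPv4 literal."""
    found = set()
    for s in printable_strings(blob):
        for m in _URL_RE.finditer(s):
            found.add(m.group(1).decode("ascii").lower().rstrip("."))
        for m in _HOST_RE.finditer(s):
            host = m.group(1).decode("ascii").lower()
            if host.rsplit(".", 1)[-1] in TLDS:
                found.add(host)
        for m in _IPV4_RE.finditer(s):
            ip = m.group(1).decode("ascii")
            if all(int(octet) < 256 for octet in ip.split(".")):
                found.add(ip)
    return found


def undeclared_endpoints(blob: bytes, declared: list[str]) -> list[str]:
    """Endpoints in the binary that are neither a declared host nor a subdomain of one."""
    declared_l = {d.lower() for d in declared}

    def is_declared(ep: str) -> bool:
        return any(ep == d or ep.endswith("." + d) for d in declared_l)

    return sorted(ep for ep in extract_endpoints(blob) if not is_declared(ep))


# Constructed stand-in for an app binary: Mach-O 64-bit magic, some junk,
# and a handful of strings like the ones a real build would contain.
SAMPLE_BINARY = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 16
    + b"https://api.example.com/v1/sync\x00"
    + b"\x01\x02/System/Library/Frameworks/UIKit.framework/UIKit\x00"
    + b"cdn.example.com\x00"
    + b"%@ %d\x00" + b"\xff" * 8
    + b"http://telemetry.example.net/beacon\x00"   # not one of the developer's hosts
    + b"203.0.113.7\x00"                           # hard-coded IP literal, TEST-NET-3
)

# Hosts the developer proved ownership of (assumed: via a DNS token on the zone).
DECLARED_HOSTS = ["example.com"]


def report(blob: bytes = SAMPLE_BINARY, declared: list[str] = DECLARED_HOSTS) -> list[str]:
    """Print and return the endpoints that need an ownership proof or an explanation."""
    flagged = undeclared_endpoints(blob, declared)
    for ep in flagged:
        print(f"UNDECLARED endpoint in binary: {ep}")
    return flagged


if __name__ == "__main__":
    report()
```

To run this against a real app, read the main executable inside the .app bundle as bytes and pass it in place of SAMPLE_BINARY, together with the hosts the developer actually declared. Expect some noise from version strings and resource names, and note the obvious limit of this kind of check: it only sees endpoints stored as plain text, so a library that builds or decrypts its beacon address at runtime will not show up and needs dynamic analysis instead.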

Not sure how else to do this: Apple already signs Xcode, which alerts the user (developer) to the fact that the software they are installing is not signed (forged or bad); however, it appears that these developers bypassed that warning.

What else can they do? They could include the Xcode certificate with the app, but that is a PUBLIC cert, so the compromised Xcode app could just include that as well. If Xcode somehow tried to "sign" the code, it needs a private key, and if that key were included with the Xcode binary, then it won't be long before that key is discovered.

The ONLY way I see this being prevented is the cloud solution mentioned above.
 
Apple's solution for this should be pretty simple. Going forward all iOS software must be compiled with an unafflicted version of Xcode, and Apple should make sure that developers using tampered versions of Xcode have their software removed from the App Store until it is submitted from a clean version using the current Xcode.

The problem is HOW does Apple tell that you compiled with an actual copy of Xcode? Apple could turn off the option of installing unsigned apps on the Mac, but that would be a big issue.

Apple could make Xcode include Xcode's OWN signature in any compiles, but that is a public cert which could easily be copied by a malicious Xcode app.

Perhaps (a big perhaps) the OS could somehow hook into the build process and flag whether the Xcode app has a valid signature, BUT then you could just hack the OS to falsify that bit.

I can't think of a way to prevent this without using a cloud compile solution.
 
Good analysis, but there is something Apple could have done, and I have been saying as much for over a year. Here's the more strongly worded one:

They should ban their in-house teams from throwing up a password request box. Absolute ban. It has got out of hand recently with stock apps asking for the password without any justification or explanation and pretty much at random. I've said it over and over, Apple have been training their users for exactly this scenario - enter password whenever anyone asks. If an app needs the iCloud password it should instruct the user to enter it in the appropriate settings page. Train users: only the settings app should be trusted with passwords.

I'm not sure how I missed this on my first read through the comments... but excellent point which can't be overemphasized.

This is similar (though even more dangerous) than the trend I've been writing against of using social media accounts to single-sign-on to everything from soup to nuts. It's training users into being phished by having 3rd party (or things not 100% sure from the legitimate source) ask for credentials.
 
Not to defend such behavior, but things can be slow enough that downloading it directly from Apple can take many days more, or perhaps even never finish. For any business, time is money.

How hard would it be for Apple to publish an official list of apps impacted?
Dunno, but the question is also if it's in their interest to do so.
 
If someone can change Xcode and pass through the Apple App Store check, how much will you still trust the App Store? And this XcodeGhost had been around for over 6 months and Apple didn't even know.....

Wake up, Tim Cook and Apple!


Do you have a suggestion on how to prevent this? Other than uploading your SOURCE CODE to Apple for remote compilation I see no way to combat this, and even then a developer could always intentionally include malicious code. But the beauty of the iOS and App Store ecosystem is that:

1) A malicious app is very limited in what it can access: it can't scan my storage looking for data, it can't remote control my device, or make calls or send texts, it can't infect other apps (virus), it can't packet sniff my web traffic, etc...
1a) Look at the data they could get: my device name? my UUID? Not ideal, but very limited attack vectors there.
1b) Its only reasonable attack vector is phishing, which is bad, but a website could equally do that.

2) The App Store allows Apple to quickly identify the developers affected by this and get fixed versions out quickly.
2a) On a typical OS, like Windows, applications can pretend to be from anyone, and good luck trying to trace some small-time app back to an actual developer.
 
Dunno, but the question is also if it's in their interest to do so.

I think this is one of those "do the right thing" moments for Apple. They can either put out an official list of apps they know were impacted by this so users know they may have been "infected" and can take precautions. Or they can not do so, and by so doing provide cover for the developers that were involved.

I am hoping Apple does the right thing here, but I have to say I am a little disappointed it is now Monday evening and we have no list of apps from Apple.

If I am off base here and someone has seen a list from Apple, please correct me.
 
A heads-up for you guys:
Something called UnityGhost.
The guy who distributed the modified Xcode also uploaded different versions of Unity, from v4.6.4 to v5.1.1. Yes, you are correct, the Unity game engine.
http://drops.wooyun.org/papers/9024 check it, if you know Chinese.
 
I think this is one of those "do the right thing" moments for Apple. They can either put out an official list of apps they know were impacted by this so users know they may have been "infected" and can take precautions. Or they can not do so, and by so doing provide cover for the developers that were involved.

I am hoping Apple does the right thing here, but I have to say I am a little disappointed it is now Monday evening and we have no list of apps from Apple.

If I am off base here and someone has seen a list from Apple, please correct me.

Well, Apple typically just goes (or remains) quiet about this kind of stuff... attempts a fix... and hopes it all just goes away.
 
This is not a bad thing. I hope Apple can learn more from this: even though they claim iOS and OS X are more secure, they need to suffer incidents like this to become strong.

Just because something happened (it was going to happen and will happen more) doesn't mean they aren't more secure.

My worry is that if these apps got through the investigation process, which other ones also got through...

Gary
 
(# of total vulnerabilities, least to most)

Microsoft Windows : < 50
RIM Blackberry: ~ 60
Google Android: 54
Apple IOS: 692


sources: https://www.cvedetails.com/product/19997/Google-Android.html?vendor_id=1224

https://www.cvedetails.com/product/15556/Apple-Iphone-Os.html?vendor_id=49

So... It begins.

iOS has been breached through the one thing that kept us safe. The App Store.
Speaking in general, and not about apps at all, it really began a long time ago. Back when I had the TV-set-looking iMac and was on Panther, I remember checking the IPs that were accessing the computer. Found out one of them was "military". If I blocked it, no goodies. So if this was set up then, there's no telling what has been going on since then. There really is no privacy anymore at all, like Snowden said. So our main worries are others that want to steal our credit/accounts.

The fact that, like someone said, developers use code that may go through too many hands making various parts of apps before the developer gets them... geeze...! Yes, scary.

You would think Apple would have a better QC process. However, I am not a programmer, and it sounds like this area is prone to potholes of the dangerous kind.
 
Perhaps what Xcode should do is include an option to compile "for final release" (regular testing compiles would happen on the device) which uploads the code via HTTPS to Apple's servers (with App Store credentials) to be compiled with a known standard version of Xcode in the cloud and signed with one of Apple's private keys.

You forget one thing: 3rd-party libraries and frameworks, such as Unity. If the developer had included any breached 3rd-party library, his app would still be injected.

There are hundreds of thousands of user-created libraries out there and it's virtually impossible for Apple to prepare all these libraries on its cloud compiler. It's not even possible for Apple to make a whitelist for these 3rd-party components.

It's not the first time that some 3rd-party libraries were found to be vulnerable, or even breached, and a bunch of apps were affected. Basically XcodeGhost is also a 3rd-party library attack, since the hacker had done nothing but modify the default project template to preload a block of code before the "real" code is executed.

Technically, XcodeGhost doesn't do anything "bad". An app is supposed to collect user data and send it back for analysis, especially those which use internet services extensively. The only problem is that the customers, as well as the creators, were unaware of such behavior.

Thanks to Apple's hysteria on privacy, this "malicious code" must still follow Apple's rules. It still can't ravage your system, insert any executable, nor access anything you have not permitted. It can only collect very restricted, semi-anonymous information from your phone, without further permission. Now we all know why Apple behaves like such a control freak.
Has anyone come across anything like this?

My iPhone is affected by this malware, I guess. There is one app without any name which I can not delete; it's showing 447 MB in the storage menu :(.

I installed Musical.ly last night and that is when I noticed this uninstallable file, which I guess downloaded along with the app. I didn't know this app is malware infected :(
I'm really pissed off with developers regarding this. It's not the fault of Apple that moron developers download Xcode (a free program), from torrent sites and dubious websites.

Anyway, I was unfortunately using one of the affected programs. iOBD2 which I used to connect to my car for engine diagnostics.

I paid £14.99 for the app, so not cheap but after contacting Apple, they've very kindly given me a full refund.

If anyone is affected and they've paid for the app, I suggest you all do the same. I don't see why I should pay a developer for a dodgy app.
 
Apple maps fiasco,
iphone 5 battery problem recall,
iphone 5c failure,
ios 7.1 icons re-color,
shift key confusion,
Apple watch failure,
Macbook pro display recall,
iphone 6+ camera recall,
now XCODE Ghost

Apple is surely not "reliable Apple" anymore. Its just about market share and make money

Very sad to see new Apple :(

Power Mac Cube hairline cracks
Old PowerBook power brick exploding
iBook and PowerBook battery recalls
PowerMac G5 coolant leaks
iPhone 4 antennagate
I could go on and on. The thing is, there is no product without defects (not 100% of the units shipped will ever be perfect, and no company is exempt). Apple is as reliable as it was before.... but 10% of 10 units of product A is 1, and 10% of a million units of product B is 100,000. The percentage is the same; guess which product is gonna have more complaints on the web? Does that make product B worse than product A? (I for one believe that product B is better..... same amount of % issues but with a larger production....)
I'm really pissed off with developers regarding this. It's not the fault of Apple that moron developers download Xcode (a free program), from torrent sites and dubious websites.

Anyway, I was unfortunately using one of the affected programs. iOBD2 which I used to connect to my car for engine diagnostics.

I paid £14.99 for the app, so not cheap but after contacting Apple, they've very kindly given me a full refund.

If anyone is affected and they've paid for the app, I suggest you all do the same. I don't see why I should pay a developer for a dodgy app.
Strangely enough, I can't find Mercury browser anymore in the list of bought apps in the store!!!!
I used that browser for more than a year!
 
My iPhone is affected by this malware, I guess. There is one app without any name which I can not delete; it's showing 447 MB in the storage menu :(.
...
I installed Musical.ly last night and that is when I noticed this uninstallable file, which I guess downloaded along with the app. I didn't know this app is malware infected :(

Probably some other malfunction and a coincidence you're seeing it now. The malware isn't a separate app, it's just a small bit of code inside infected apps. It hasn't been found to be able to create uninstallable files or any scary weird stuff like that. It can only do stuff normal apps can do.
 
You forget one thing: 3rd-party libraries and frameworks, such as Unity. If the developer had included any breached 3rd-party library, his app would still be injected.

There are hundreds of thousands of user-created libraries out there and it's virtually impossible for Apple to prepare all these libraries on its cloud compiler. It's not even possible for Apple to make a whitelist for these 3rd-party components.

It's not the first time that some 3rd-party libraries were found to be vulnerable, or even breached, and a bunch of apps were affected. Basically XcodeGhost is also a 3rd-party library attack, since the hacker had done nothing but modify the default project template to preload a block of code before the "real" code is executed.

Technically, XcodeGhost doesn't do anything "bad". An app is supposed to collect user data and send it back for analysis, especially those which use internet services extensively. The only problem is that the customers, as well as the creators, were unaware of such behavior.

Thanks to Apple's hysteria on privacy, this "malicious code" must still follow Apple's rules. It still can't ravage your system, insert any executable, nor access anything you have not permitted. It can only collect very restricted, semi-anonymous information from your phone, without further permission. Now we all know why Apple behaves like such a control freak.

That is precisely why I hate looking for guides on iOS development and they say "use this, get this library, do that, blah blah". I am the type of coder that wants to do everything myself. For many reasons.

The only thing I use like that is MonoGame and Xamarin. Everything else I do by hand.
 