Quote below from a Reuters article today.

Apple Inc's chief marketing executive Phil Schiller said on Tuesday that the company plans steps to prevent further attacks on its App Store.

He said that Apple will offer domestic downloads of its developer toolkit from China, according to an interview with Chinese news site Sina.com.

Schiller also said that the company knows of no cases where tainted apps have been used to transmit customer data.

Apple plans to warn of 25 tainted apps that the company has identified so that customers can delete and update them, he said in the interview.
 
You forget one thing: 3rd-party libraries and frameworks, such as Unity. If the developer had included any breached 3rd party library, his App would still be injected.

There're hundreds of thousands of user created libraries out there and it's virtually impossible for Apple to prepare all these libraries on its cloud compiler. It's not even possible for Apple to make a whitelist for these 3rd party components.

It's not the first time that some 3rd party libraries were found to be vulnerable, or even breached, and a bunch of Apps were affected. Basically XcodeGhost is also a 3rd party library attack, since the hacker had done nothing but modify the default project template, to preload a block of code before the "real" code is executed.

Technically, XcodeGhost doesn't do anything "bad". An App is supposed to collect user data and send it back for analysis, especially for those which use internet services extensively. The only problem is that the customers, as well as creators, were unaware of such behavior.

Thanks to Apple's hysteria on privacy, this "malicious code" must still follow Apple's rules. It still can't savage your system, insert any executable, nor access anything you have not permitted. It can only collect very restricted, semi-anonymous information from your phone, without further permission. Now we all know why Apple behaved like such a control freak.

Very true, I mean there is really no way I can think of for Apple to prevent this (the cloud idea was all I came up with and as you pointed out, it's not really feasible).


Perhaps all 3rd party libraries that will be supported on iOS need to be submitted to Apple and signed by the original developer with their developer credentials, so any app uploaded for compile would either use a "standard" well-known library produced by a known developer OR a custom library from the app developer itself, again signed by that developer.

Then if a legitimate app developer were to use a 3rd party library, Xcode could check the signature with Apple's repository and alert the user whether a known good library is loaded or not. Of course a malicious app developer could still simply use or create a bad library, but this system would hopefully help prevent one bad library from affecting many developers unknowingly.
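
The check proposed in the post above, sketched as an added example that is not part of the original thread or any Apple tooling. It swaps developer signatures for pinned SHA-256 digests, and the manifest format, library names and file contents are all constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream the file so large frameworks are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_libraries(lib_dir: Path, manifest: dict) -> dict:
    """Classify every file under lib_dir against a known-good manifest.

    manifest maps a library file name to its published SHA-256 digest
    (hypothetical format standing in for the repository the post proposes).
    """
    report = {}
    for path in sorted(p for p in lib_dir.rglob("*") if p.is_file()):
        expected = manifest.get(path.name)
        if expected is None:
            report[path.name] = "unlisted"    # custom or unknown library
        elif sha256_file(path) == expected:
            report[path.name] = "known-good"  # bytes match the published build
        else:
            report[path.name] = "modified"    # known name, different bytes
    return report

def demo() -> dict:
    """Build a constructed vendor directory and audit it."""
    foo = b"constructed bytes of a published libFoo build"
    bar = b"constructed bytes of a published libBar build"
    manifest = {
        "libFoo.a": hashlib.sha256(foo).hexdigest(),
        "libBar.a": hashlib.sha256(bar).hexdigest(),
    }
    with tempfile.TemporaryDirectory() as tmp:
        vendor = Path(tmp)
        (vendor / "libFoo.a").write_bytes(foo)                   # untouched copy
        (vendor / "libBar.a").write_bytes(bar + b"\x00extra")    # altered copy
        (vendor / "libInHouse.a").write_bytes(b"in-house code")  # not in manifest
        return audit_libraries(vendor, manifest)

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

As the post notes, this only flags a known library whose bytes have changed; an "unlisted" result still needs the developer's own review.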
 
Quote below from a Reuters article today.
He said that Apple will offer domestic downloads of its developer toolkit from China, according to an interview with Chinese news site Sina.com.

That should have been done a long time ago. It was missed by the upper mgmt who is in charge of China. How can they not know everything from China to the outside world is SLOW? (Just try to share some photos via iCloud and you will see.)
 
What country and what version of Xcode? I recently switched, though I still develop for Android. So while I grant you Xcode is pretty damn slow to download, my SWAG is about an hour more. However the Android SDK is separate from Eclipse/IntelliJ, and that's taken a good deal of time on release days.
France, and that was like 6 years ago? iPhone 3G or 3GS back then, can't remember.
 
(# of total vulnerabilities, least to most)

Microsoft Windows : < 50
RIM Blackberry: ~ 60
Google Android: 54
Apple IOS: 692


sources: https://www.cvedetails.com/product/19997/Google-Android.html?vendor_id=1224

https://www.cvedetails.com/product/15556/Apple-Iphone-Os.html?vendor_id=49

So that explains story after story about Android exploits and fixes while almost none about iOS ones, right?
 
That is precisely why I hate looking for some guides on iOS development and they say "use this, get this library, do that blah blah". I am the type of coder that wants to do everything myself. For many reasons.
The only thing I use like that is MonoGame and Xamarin. Everything else I do by hand.

You must be on your own or doing only independent projects, or you're a C-family programmer. :D

I also had the same habit as you when I was a young programmer, until I found it ultimately stupid to reinvent the wheel from ground zero.
 
You don't learn if you use somebody else's code. For example, I recently started learning DirectX. There are A LOT of guides out there that use libraries that do everything for you. You don't get to learn about how to create a graphics device, or swap chains, or any of the necessary tasks.
 
Good for you. Maybe you could start creating alternatives to Boost, OpenSSL, zlib, libcurl, lighttpd, fastcgi, libpng and libmysqlclient.
 
Try to get a job after all you do is download a library and use it. I have seen so many libraries that, if I used them, I could never explain HOW to do something in a job interview. I would just say "Download X and use it".

I am not saying you need to do everything yourself, stuff like Crypto you shouldn't do yourself. But it is irritating when asking, "how do I do this?" and people respond "just download this library". No.....I want to LEARN HOW coding this particular thing works.

There are so many developers out there that put code in their program and do not know how it works or what it even does.

I offer a lot of video tutorials, so that has a lot to do with it. I don't have to deal with other people's work in my tutorials (other than MonoGame and Xamarin).

Oh and I do not need all those things you listed for what I do.
 
I had WinZip on my iPhone and iPad, but didn't use it.

I deleted the app as soon as I came to know about the risk.

Am I safe as I didn't open the app, or do I have to change all passwords entered on the iPhone or iPad?
 
It is still on the App Store, so it was probably safe from this anyway.
 
There was an update for XcodeGhost to it, but I preferred to delete the app.

My only remaining issue is: if we didn't open the app, are we safe?
Coz I have entered a ton of passwords on the phone and it would be a huge hassle to change all of them :(
 
Infected iOS apps

CamCard


If you go to the App Store and Search on "CamCard":

1. It has NOT been pulled by Apple, nor updated since April.
2. There is a statement from the developer to the effect that they guarantee the current version of CamCard is not infected by XcodeGhost and that the report is wrong.

Not clear whether the report is totally wrong, or whether some ancient version was indeed infected.
 
I'm not sure why anyone would have to change all their passwords because of something like this.

If you're not doing good password management (i.e.: a good, strong, unique password for each service), then you won't have many to change. If you are doing such password management, then there is kind of a natural 'firewall' between each service anyway. At most, you'd just want to change a few critical ones (i.e.: Apple ID, email accounts... other things like bank codes aren't something you'd likely have been phished into entering into, for example, Angry Birds 2.)

Worst case, if you were using a compromised browser (i.e.: Mercury... which I'm not positive yet was compromised, or to what extent), you *might* have to change a few more critical things like bank accounts, or online services where things can be purchased against your desire. Most stuff we have passwords for wouldn't be *that* critical if someone did somehow break in, and if you aren't using the same password anywhere else, it's a pretty easy fix.

I *strongly* recommend people use a good (local) password manager like PasswordWallet (by Selznick) or 1Password, and have a good backup AND archival strategy for the password data file. If you're doing that, you're pretty safe and really only need to worry about a few crucial accounts.
 
Here's another analysis of XcodeGhost:

https://www.appthority.com/enterprise-mobile-threats/2015/09/21/xcodeghost-what-you-need-to-know/

They say they identified 476 affected apps. Their technical analysis is consistent with the alleged XcodeGhost source code that can be found on GitHub. In particular:

- XcodeGhost is not able to display fake password prompts. It can display an "OK/Cancel"-type dialog box only.
- It does not access the system clipboard. It only uses private pasteboards.
- The information it sent back to the C&C server (when it was still up) is device information. Many legitimate apps send back the same information as part of their analytics collection.
- It can send users to a specified URL, potentially including phishing sites on the Internet. However, that would be pretty obvious as the user would be switched to Safari.

Given all that, they classify XcodeGhost as "adware" rather than "malware".
 