I don't think that's a correct analysis of the situation.
What has really happened here? Developers have used the wrong tool (we'll discuss that later) and that tool has embedded some unwanted additional code in their apps. BUT look what still worked
- each broken app STILL has to be submitted to the app store, with identification and an audit trail

- even when the app is on an iOS device, there are severe limits to what it can do. It still can't break out of the OS protections, randomly control the device, etc. The type of info being sent back to base is, let's face it, not THAT serious --- not ideal, but not control of the machine.

- The items that ARE problematic (and which Apple should work on fixing) are items that were problematic before we knew about this, and that have been used in other contexts --- the ability to phish for passwords by throwing up fake dialog boxes, and the way the current sandboxing FORCES Password apps like 1Password to transfer data over the Clipboard.

What this REALLY provides is a way to throw out a bunch of these phishing scams in a way that can't be traced back to the real scammer; only to the developer using the wrong tool.

Which gets us to that issue. I don't know enough about XCode to know what was and was not breached on that front. Obviously the entire XCode package should be signed, and obviously if you're stupid enough to install an XCode package that complains about being unsigned, you're setting yourself up for trouble. But blaming the victim, especially when the security landscape changes every year is not helpful --- how could Apple do better?
You can't really avoid people being able to write their own compilers and dev tools, and you can't stop those dev tools from doing god knows what to the code they create --- this has been known since Pike's infamous C compiler of the early seventies.
What you SHOULD be able to do is not allow code that has been created by such dev tools into the app store. THAT seems to be the flaw that needs to be fixed --- that any tool that's generating binaries that will land up in the store needs to be provably signed. But I don't know how feasible that is. Obviously the last stage (the actual store submitter app) is provided by Apple and signed, and using the developers signature. But what about the linker beforehand? And the compiler before that? And you then need the binaries passed between the two to be encrypted? It's just totally inimical to the current expected model of how we code.

So what about at a higher level? Do something that's an ugly hack, but basically FORCE that any installer that calls itself "XCode" has to be signed no matter what? That's one package that you can't install regardless of your GateKeeper settings except from Apple. But then you get a whack-a-mole of packages called "XCode 7" and "XCode!" and "XCode Pro".

Apple should not allow Baidu to distribute a malicious version of Xcode. Apple should know that Baidu is distributing Xcode. Then some Apple employee should check this Xcode whether it is the original. Problem solved!
 
The root vulnerability which was exploited by these hackers:

Why would some Chinese developers download Xcode from Baidu?
Xcode is a large file that can take a long time to download from Apple's servers in China, leading some developers to download Xcode from unofficial sources.

:facepalm:

I don't understand why Apple doesn't care enough to give us delta updates for Xcode and the Xcode betas.
 
Damn, and I was really enjoying 中信银行动卡空间 too. :rolleyes:

Anyway, wouldn't these technically be Trojan horses? In that case, it's not really news that a Trojan horse can get into iOS via the App Store. It's been done before. The big difference here is that someone got the idea to trick developers into delivering the payload for them.
 
This isn't too surprising, some of the documents released by Snowden pointed out the CIA (in cahoots with the NSA?) had been attempting to compromise Xcode so that back doors would be inserted into anything compiled with it:

[Snip]

As encryption expert Bruce Schneier points out: "There's a persistent rumor going around that Apple is in the secret FISA Court, fighting a government order to make its platform more surveillance-friendly -- and they're losing."


You assume the US is more likely than the Chinese? Heck, they've already created proxies that MitM official sites (cert pinning is how Google caught that attempt). Our Alphabet agencies are fully capable of doing this, but if I were placing a bet, I'd say the Chinese were more likely to do it: Economic downturn causing social unrest, etc.
 
I agree, that is absolutely ridiculous and shameful for those developers. And all to save a few minutes on the download? Come on. Go eat lunch while it downloads (that's what I do for Xcode updates) or do it overnight if necessary, but no good developer would download their main dev environment from any file sharing site. I'd say they deserve what they get but millions of users are going to pay the price for their laziness.
When I started making iPhone apps, Xcode took 23 hours to download. Eclipse took like 40 minutes.
 
No, it doesn't, because once Apple recognizes that kind of a problem, they can also fix it from that one central location.

But apparently apps w/ the trojan did pass through Apple's vetting. Whether or not Apple can pull the apps back is as irrelevant as a peanut butter vendor recalling E. coli tainted product when it's on the shelf. The potential for harm is out there until the recall is made.

In both instances better checks should have been in place prior to being put in distribution. Proactive vs reactive.

Seems to me Apple could better secure an XCode version for devs. & certainly keep up with what versions are available outside its servers.
 
When I started making iPhone apps, Xcode took 23 hours to download. Eclipse took like 40 minutes.

What country and what version of Xcode? I recently switched, though I still develop for Android. So while I grant you Xcode is pretty damn slow to download, my SWAG is about an hour more. However the Android SDK is separate from Eclipse/IntelliJ, and that's taken a good deal of time on release days.
 
How far back does this go? I had WeChat and Mercury web browser installed in the past, but do use them now.
 
I'm sorry but how can a developer be such an idiot (please don't ban me, there's no other word to describe the patient's condition) to download Xcode from a Chinese cloud file sharing service????

I believe other words could be used to describe those developers... But we might be banned
 
So it seems that the root of the matter is that it's possible to submit apps to the app store which were created using unsigned copies of Xcode. I am not a developer but it seems to me this should not be allowed. Are there any good reasons why it IS allowed?
 
Crap. I downloaded Cute Cut a long time ago when i was looking for video editing apps. I'm not sure I've even used it once.
How long have these apps been infected? How long have they been making software with XCode Ghost? Cute Cut isn't even in the app store anymore. :(
 
Maybe they should compile a list of 'safe' alternatives, at least some of those apps I've seen recommended e.g. Oplayer.
 
Now if hackers can do this to run malware could jailbreakers potentially make a tool using a similar attack to run the jailbreak and make it easier to jailbreak your phone?
 
And how hard is it to actually read the original article, which addresses this?

Why would some Chinese developers download Xcode from Baidu?
Xcode is a large file that can take a long time to download from Apple's servers in China, leading some developers to download Xcode from unofficial sources.

Right? So one would willingly download an app from an unofficial source in China? Just hit Apple's website. Done. I don't trust legit Chinese sites...
 
I'm a little concerned too. At some point in the distant past I downloaded CamScanner HD Free. I'm hoping it's not related to CamScanner Pro or CamScanner Lite. I'm sure it hasn't been installed since a couple of years ago, and it's probably an unrelated product, but it does concern me a little.
 
Yeesh. Much to take in here.
1. Chinese hackers are smart enough to circumvent App store security
2. App developers are dumb enough to use unofficial Xcode downloads to create their apps (when Xcode is free and easily available - just why?)
2a. WeChat, one of the biggest Chinese social networks, is one of them - wtf?! How amateur can you get??
3. Apple are clearly going to make some fast changes to the way they check apps uploaded to the store - wouldn't be surprised if it happens within the week; and you can bet that offending app compilers will be warned and then banned
 
Right? So one would willingly download an app from an unofficial source in China? Just hit Apple's website. Done. I don't trust legit Chinese sites...
this would not be an issue if one could only submit apps to the app store created using signed copies of Xcode. I am quite baffled why this is not the case now. I assume Apple can enforce such checks on submission.
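An added example, not from the thread: the check a developer can run to confirm that a local Xcode install carries Apple's signature, built around the `spctl --assess` Gatekeeper assessment Apple pointed developers to after this incident. The sample assessment outputs are constructed so the decision logic runs offline.

```shell
#!/bin/sh
# Added example (not from the thread). Apple's guidance was to run
#   spctl --assess --verbose /Applications/Xcode.app
# and require a verdict of "accepted" with a source of "Mac App Store",
# "Apple" or "Apple System". xcode_source_is_apple() takes the spctl output
# as its argument so the logic can be exercised with constructed strings.

xcode_source_is_apple() {
    output="$1"
    # The first line is "<path>: accepted" or "<path>: rejected".
    case "$output" in
        *": accepted"*) ;;
        *) return 1 ;;
    esac
    # The "source=" line names who signed the bundle; a re-signed rehost
    # shows e.g. "Developer ID" or "no usable signature" and is refused.
    src=$(printf '%s\n' "$output" | sed -n 's/^source=//p')
    case "$src" in
        "Mac App Store"|"Apple"|"Apple System") return 0 ;;
        *) return 1 ;;
    esac
}

# Wrapper for a real machine: assess the bundle and report.
check_xcode() {
    app="${1:-/Applications/Xcode.app}"
    assessment=$(spctl --assess --verbose "$app" 2>&1)
    if xcode_source_is_apple "$assessment"; then
        echo "OK: $app is signed by Apple"
        return 0
    fi
    echo "WARNING: $app failed assessment or is not from Apple:"
    echo "$assessment"
    return 1
}

# Only run the live check where spctl exists (macOS); elsewhere the
# functions are simply defined for the caller.
if command -v spctl >/dev/null 2>&1; then
    check_xcode "$@"
fi
```

A bundle that passes Gatekeeper but reports a non-Apple source is still refused, which is the case a rehosted, re-signed Xcode would produce.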
 
Seriously what developer who knows anything about security is going to download an IDE from a non official source?

That's like downloading an OS from The Pirate Bay and being shocked the file was injected with malicious code.

I am a Chinese iOS Developer working in the States. When I was on vacation back home I realized Apple probably didn't optimize their CDN towards Asia, so it took me 2 hours to download the new version of XCode with very good internet. This is why people in China would download and rehost XCode images.

But still, it's unforgivable that a huge corporation like Tencent even did that...



Another thing is in China people go the extra mile to achieve what they want... Some developers have private distribution channels that don't go through the app store and work with iPhones that are not jailbroken. How? They BUY DEVELOPERS' UNUSED TESTER COUNT and combine them together so they can distribute their apps without going through the AppStore by just using tester accounts. I'm not sure how this is done since I am not an expert in app distribution but I've definitely heard about this from friends.

Not to mention there are unauthorized developers who do not have a developer account and Apple ID but would like to use XCode. They also go to these 3rd party host sites.

Scary.
 
I had camscanner+ installed for a few minutes a few months ago but deleted it when it didn't work well. It's not listed but two other camscanners are. It only has access to information while it's installed, right? Which was a very short period of time in my case.
 
Read and write data in the user's clipboard, which could be used to read the user's password if that password is copied from a password management tool.

Can the app read the clipboard even when it's not active?

so much for password management tools on iOS...
 
WeChat has updated their build through emergency update seems like. So WeChat should be fine now.
 