Yeesh. Much to take in here.
1. Chinese hackers are smart enough to circumvent App store security
2. App developers are dumb enough to use unofficial Xcode downloads to create their apps (when Xcode is free and easily available - just why?)
2a. WeChat, one of the biggest Chinese social networks, is one of them - wtf?! How amateur can you get??
3. Apple are clearly going to make some fast changes to the way they check apps uploaded to the store - wouldn't be surprised if it happens within the week; and you can bet that offending app compilers will be warned and then banned

/adjustmytinfoilhat...

Maybe it's been a known hack for a long time? Any agency could have been exploiting this for fun and profit for a long time.
 
Mercury - if it is the web browser - that is huge. Mercury is on a lot of devices.
I used, and paid for, Mercury Browser for over a year in the past...
I'm furious about that....
 
/adjustmytinfoilhat...

Maybe it's been a known hack for a long time? Any agency could have been exploiting this for fun and profit for a long time.

No. As I read on a Chinese site, this guy has confessed and said it was only a "failed experiment", since the government is onto him and such a thing can get you many years in jail. But people are still suspecting he did it on purpose given how much effort he spent:

- Massive SEO effort. Link spreading.
- Hacked into the account of the admin of a major site that hosts XCode files and swapped the contaminated files in
- Newly registered website (registered 7 months ago) dedicated to receiving stolen data
- Projected AWS cost of $500k a month setting up infrastructure / hosting traffic for the hack

This is his Sina Weibo account: http://weibo.com/u/5704632164?sudaref=www.google.com&nick=XcodeGhost-Author

He also opened the source of the hack.

Translation: http://www.pixelstech.net/article/index.php?id=1442625768

But I think there is no doubt that he did it on purpose.
 
Changing all passwords you have typed into iOS is a massive task, and it looks like some apps have been infected since 2014 or is that not true?
 
I'm surprised nobody here put 2 and 2 together yet. This isn't a typical case of malware insertion. This is government sponsored. The up side is that people don't need to worry about their info being compromised, but the downside is that it shows that the Chinese government is actively trying to subvert their users (as if we didn't already know that though).
 
I'm sorry, but how can a developer be such an idiot (please don't ban me, there's no other word to describe the patient's condition) to download Xcode from a Chinese cloud file sharing service????

Didn't read the whole article I guess?
 
And how hard is it to actually read the original article, which addresses this?

Why would some Chinese developers download Xcode from Baidu?
Xcode is a large file that can take a long time to download from Apple's servers in China, leading some developers to download Xcode from unofficial sources.

Still no excuse. None whatsoever. Agree with poster who said any developer who would make such a boneheaded move no longer deserves my trust, and will never get it.
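The check a developer in that position can run before trusting a downloaded Xcode, added here as an example and not taken from the thread or the article: ask Gatekeeper whether the bundle still carries Apple's signature. It assumes macOS with spctl(8) available; the verdict lines used in the assertions are constructed sample output.

```shell
#!/bin/sh
# Added example, not from the thread or the article it discusses.
# Before building with an Xcode obtained anywhere but from Apple, ask
# Gatekeeper whether the bundle still carries Apple's signature. An Xcode
# whose binaries were swapped out fails this check.
# Assumptions: macOS with spctl(8); only the three source labels below
# are treated as Apple-distributed.

# Parse an spctl verdict (read from stdin) and return 0 only when the
# bundle was accepted AND its source is Apple, not a third-party or
# ad-hoc signature.
verdict_is_trusted() {
    verdict=$(cat)
    # The verdict reads "<path>: accepted" or "<path>: rejected".
    printf '%s\n' "$verdict" | grep -q ': accepted' || return 1
    # The origin follows as "source=..."; anything else (a Developer ID,
    # "no usable signature", ...) is not a genuine Apple-signed Xcode.
    printf '%s\n' "$verdict" | grep -Eq 'source=(Mac App Store|Apple System|Apple)$'
}

# Run Gatekeeper's assessment on a real bundle. Slow: Xcode is large and
# the assessment walks every file in the bundle.
xcode_is_trusted() {
    app=${1:-/Applications/Xcode.app}
    spctl --assess --verbose "$app" 2>&1 | verdict_is_trusted
}
```

Run `xcode_is_trusted /Applications/Xcode.app` on the machine that will build the app; a non-zero exit means the copy should be discarded and fetched again from Apple.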
 
This isn't too surprising, some of the documents released by Snowden pointed out the CIA (in cahoots with the NSA?) had been attempting to compromise Xcode so that back doors would be inserted into anything compiled with it:

As encryption expert Bruce Schneier points out: "There's a persistent rumor going around that Apple is in the secret FISA Court, fighting a government order to make its platform more surveillance-friendly -- and they're losing."
This is how it begins. My parents lived through the secret courts time period in Germany. We keep you safe, the terrorists will get you, give up your freedom and rights, trust us. Adams, Jefferson, Franklin must be turning in their graves. Had a suspicion it would happen in US, just didn't think in my lifetime. Sadly depressing to see the experiment of government by and for the people repeating the same historical mistakes.
 
How far back does this go? I had WeChat and Mercury web browser installed in the past, but do use them now.
According to the original article by Palo Alto Networks, the first compromised Xcode versions were uploaded 6 months ago. So any version of the affected apps released after that is likely to be affected.
 
Still no excuse. None whatsoever. Agree with poster who said any developer who would make such a boneheaded move no longer deserves my trust, and will never get it.

I agree. It's just dumb. Especially for a multi-billion-dollar company like Tencent.

But I'm sure they won't do it again though. So if I were you I'd trust them. In a classic Chinese corporation I would expect dozens of people losing their jobs and more get penalized.
 
Read and write data in the user's clipboard, which could be used to read the user's password if that password is copied from a password management tool.

Can the app read the clipboard even when it's not active?

So much for password management tools on iOS...
Apps can read and monitor the clipboard when they are running in the background. Most apps are allowed to run in the background for a few minutes after you exit them via the home button. Some apps also request background execution privileges (e.g. music players or apps that periodically refresh content from the network).

It's a good idea to disable background app refresh in the settings for all applications that don't really need it. You can also kill lingering background tasks by killing the app in the task switcher before copying sensitive information via the clipboard.
 
The problem, people should maybe take note, is that nowadays a lot of work on OS X and iOS (well, make that anything that involves coding) is outsourced to whoever gets the contract on freelancer.com, odesk.com or any other contracting site.
The contractor could be in India, Pakistan, Bangladesh, Russia - or China.
Just because the App doesn't say "Made in China", it may still be.
If you're in Europe, you may remember the horse-meat scandal we had a while ago. In the aftermath, people started to backtrack the origins of various ingredients in meat-products and the supply-chain turned out to be very long and complex.
I expect a similar thing to happen here: Chinese developers are probably touching a lot more code in the App Store than is obvious from the first look.

As it involves China and malware, I expect a few of the usual-suspect Senators to call Tim Cook directly.
;-)
So, if he hasn't already read it here, it will be on his radar now. For a while at least.
The problem is probably: how long does it take for Apple to implement mitigation techniques?
 
Apps can read and monitor the clipboard when they are running in the background. Most apps are allowed to run in the background for a few minutes after you exit them via the home button. Some apps also request background execution privileges (e.g. music players or apps that periodically refresh content from the network).

You sir are absolutely right, here is the one line of code for any iOS app to read your clipboard when running:

[[UIPasteboard generalPasteboard] string]

So guys, don't worry about the password you have copied being stolen, since if you have such a bad habit of copying and pasting passwords it could have been compromised in so many ways already... Also, where are you copying it from? Email? Text? Website? Those are way more vulnerable.
 
Good analysis, but there is something Apple could have done, and I have been saying as much for over a year. Here's the more strongly worded one:

They should ban their in-house teams from throwing up a password request box. Absolute ban. It has got out of hand recently with stock apps asking for the password without any justification or explanation and pretty much at random. I've said it over and over, Apple have been training their users for exactly this scenario - enter password whenever anyone asks. If an app needs the iCloud password it should instruct the user to enter it in the appropriate settings page. Train users: only the settings app should be trusted with passwords.

I agree 100%. THAT sort of thing is the real takeaway from this breach, not the fact of a trojan XCode.
Likewise there should be something like a Share Sheet that allows Password-holder apps (like 1Password) to transfer information into an app without having to go through the pasteboard.
 
Good analysis, but there is something Apple could have done, and I have been saying as much for over a year. Here's the more strongly worded one:

They should ban their in-house teams from throwing up a password request box. Absolute ban. It has got out of hand recently with stock apps asking for the password without any justification or explanation and pretty much at random. I've said it over and over, Apple have been training their users for exactly this scenario - enter password whenever anyone asks. If an app needs the iCloud password it should instruct the user to enter it in the appropriate settings page. Train users: only the settings app should be trusted with passwords.
Have you sent this feedback to Apple? I think it's well worth it.

I'd suggest others on this list send this feedback to:
http://www.apple.com/feedback/

(I don't know what the best selection from there is, I'll use iPhone)

Apple takes each feedback submission as a vote for the submission -- so even if you know someone has already notified Apple of a problem, it's worth doing it yourself to emphasize the importance.
 
Should be fine. But should also be banned from the Developer Program.

I agree. But this is not how things work with developers of flagship apps. If a small-time developer introduces malware to the app store he or she will be banned forever. If Facebook does it there will be a lot of contact between senior executives and a lot of hush-hush. This is exactly what WeChat is in China. WeChat is so big there, and popular among people with contacts in China, because alternatives are banned. In order to operate in China you need to surrender user data to the party-state. Now can you imagine Apple pulling the plug on WeChat? It's an app virtually every smartphone user in China has installed. That's why I think this whole business is all very suspicious. Small developers can be foolish enough to download Xcode from some unofficial source, but Tencent? One of, if not the largest tech companies in China? Those guys are not amateurs and they know what they are doing.
 