0007776
Suspended
Yeah I remember that, and that is why I was wondering if someone could use a similar attack to create an easy jailbreak like that again using an app.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
What You Need to Know About iOS Malware XcodeGhost
- Thread starter MacRumors
- Start date
- Sort by reaction score
haruhiko
macrumors 604
Whatsapp is not banned in China. So they're turning users' data to the Chinese government?
Holding developers responsible doesn't matter for users because damage could have already been done.
Apple should take care of the users.
Can a one-time key be securely transferred on-the-fly instead of having a permanent key stored in Xocde?
If iTunes, which runs locally, can block users from downgrading firmware, can the same thing or similar thing be done to Xcode?
Appreciated it if you can enlighten me.
macfacts
macrumors 603
Let's say instead of these clueless developers who used illegitimate versions of Xcode, say a group of malicious hackers created malware and submitted it to the app store and it got approved. Is Apple still perfect in your eyes here?
Regardless of what their marketing says, they are not magic (but pretty close 😉).
That key could be intercepted once it leaves Apple's control.
Besides, even if Apple could enforce the use of an unmodified Xcode, they cannot prevent a developer from sneaking in malicious code with 100% security. It's just not realistically possible to inspect code to that depth, especially given the amount of app submissions they have to process.
It's not really iTunes that prevents you from using unsigned firmware, but the boot code in the iOS device.
haruhiko
macrumors 604
I agree with what you said but... ever heard about Edward Snowden?
Last edited:
Robert.Walter
macrumors 68040
After scanning 9 pages of comments for one relating to watchOS 2 and not finding any...
I wonder if this malware revelation is related to the"bug" that put the release wOS2 on hold. (There are something like 10,000 new watch apps, many not released due to needing wos2 to run ... That's a whole lotta apps to check!)
I wonder if this malware revelation is related to the"bug" that put the release wOS2 on hold. (There are something like 10,000 new watch apps, many not released due to needing wos2 to run ... That's a whole lotta apps to check!)
Robert.Walter
macrumors 68040
I'm wondering why Apple doesn't somehow sign Xcode and require apps to reflect both the version and the code of the Xcode sw used to code them as part of the app approval process.
haruhiko
macrumors 604
$50 this is what's holding my app up in App Review... looks like they're locking down even more than before. They need to add "Your app must be built with our version of Xcode" in the App Review Guidelines.
😀
😀
Simple. About a decade ago, somebody got the bright idea that Apple should eat its own dogfood, packaging Xcode as a self-contained app, just like they require Mac App Store developers to do (minus the sandbox). Unfortunately, that installer-free, self-contained app model is fundamentally incompatible with the notion of delta updates. When you're talking about downloading an app that is almost four gigabytes in size, if the official servers are slow, it is pretty much inevitable that folks will try to find a source that can provide it faster.
The real WTF is that Apple isn't taking full advantage of Akamai or other similar companies to ensure that Xcode downloads (whether betas from developer.apple.com or releases from the Mac App Store) are fast from anywhere in the world. This isn't a company run out of somebody's garage anymore; if Baidu's servers really are that much faster than Apple's when accessed from China, then it is well past time for the developer download servers to catch up with the times.
If I remember correctly, Apple used WeChat in a demo for the Apple Watch. This is not going to end well.
ShadovvMoon
macrumors 6502
Apple doesn't go through submitted assembly line by line, nor is it realistically feasible to do so. The blame lies solely with the developers who imo should have their certificates revoked and be kicked out of the developer program. When you download an app, you are putting your trust in the developer. The walled garden makes it a little tricker for malware because of certificates, but not impossible.
lordofthereef
macrumors G5
I suppose it was only a matter of time. I imagine there will be a swift patch and cleanup deployment.
The fact that this even happened does add credence to the legitimacy of third party stores though. If I want to take a risk of installing external sources, I should be able to, especially since we now have verifiable evidence that Apple's in reachable safety net has been breached.
The fact that this even happened does add credence to the legitimacy of third party stores though. If I want to take a risk of installing external sources, I should be able to, especially since we now have verifiable evidence that Apple's in reachable safety net has been breached.
It isn't really possible. I mean yes, Apple can sign the app, but short of preventing unsigned apps from being runnable, there's no practical way that Apple could detect whether the app used to sign another app was itself signed. Any mechanism you could come up with (e.g. taking checksums of the app doing the signing) could be trivially subverted by replacing the routine with one that returns the result that the original signed app would have returned.
Besides, app developers don't have to build their apps using Xcode. They can use Makefiles and command-line tools, and lots of developers do. So the signing tool (codesign) has to be able/willing to sign whatever code is handed to it. A malicious version of Xcode could silently insert additional libraries, perform silent code insertion, and hide the evidence from the user during the compilation process, then ask codesign to sign it. There's no way that the codesign tool can tell whether those bits were added by a malicious version of Xcode or by the developer.
In short, as long as it is possible to run apps that have not been vetted by Apple, there's no way to prevent this. And you'd never be able to get development done usefully if every build of every app had to be approved by Apple, so there's just no practical way to mitigate this sort of attack, other than by ensuring that Apple's servers are the fastest servers out there, so people will download it from official sources instead of from potentially malicious third parties.
You're forgetting about China's Great Cannon which is able to do man in the middle attacks replacing content. Here's an example of the Great Cannon replacing javascript on websites with malicious javascript:
http://www.pcworld.com/article/2908...n-ddos-tool-enforces-internet-censorship.html
Who's to say the developers didn't download Xcode directly from Apple, only to have the Great Cannon silently replace the download with the XcodeGhost binary? Seriously, does anyone not think the Chinese government is behind this?
One of the apps, iVMS-4500 seems to be gone from the App Store now, while the iPad version is still available.
Maybe we should just start leaving China alone and out of the picture. For all the crap coming our way from China it might be better to cut off the flow. Apple and Microsoft are totally in bed with the Chinese government so that probably is never going to happen.
iVMS-4520 is also still up but I'd stay away from it too. I've had a lot of issues with both apps eating through battery and a LOT of Exc_Resource/wakeups in my Diagnostics and Usage.
Same with the iPad version.
Several people have asked this question. What if the App was simply a ruse to test this method of introducing malware?
Last edited:
ActionableMango
macrumors G3
Yep. IIRC, it's never been used, so it will be interesting to see if it will be used now.
There are over a billion people in China. I don't find your post far-fetched. It is entirely possible that the devs knew their Xcode was modified and intended to use any data gained for their own personal gain.
And to everyone who wants to ban the devs who made these bad apps. What is to stop them from just opening up another dev account and sending more bad apps to the app store? Are we going to send a crack Apple security team to investigate every developer? Especially when the Chinese government is most likely involved. Apple can't create any bad blood there - they use cheap Chinese labor to build almost all of their devices. But you can probably bet that China is intentionally slowing downloads from outside the country to encourage downloading from inside the country. And that the software was probably loaded on flash drives or shared on local networks once downloaded, thus enabling it to spread even further.
People have been running scams forever. Just when you think you've gotten something nailed down, the scammers find a new way to scam. It's even easier now that it's all computerized.
I think Apple will find a way to prevent this from happening again going forward, but then someone else will find a bug or an exploit or something else that is malicious. I'm sure Apple has all hands on deck working through these apps and pulling every one that is bad. And the PR machine is spinning trying to mitigate any damage caused to Apple's brand and place the blame on the person who modified Xcode. I don't know if they can/will blame any devs, especially since large ones like tencent were involved in this.
I've also developed a new appreciation for sandboxing.
You have no idea how common it is for Chinese to download almost anything from third party source. They really don't care where it's from as long as they get the stuff, and given that piracy is extremely common and unregulated in China. A lot of developers in China pirate apps because they couldn't afford it or they're not available in China. Even if they are available, online payment isn't all that convenient. And as mentioned on the article, file sharing platforms such as Baidu offer much greater speed. It is sometimes even impossible to download files from official source due to firewall restrictions. Developers usually just go on forums and find downloads.