What hope do we have for the general public to understand computer security, if 'professional' devs are downloading materials for their jobs from unknown and untrusted sources!
iCloud phishing attack hooks 39 iOS apps and WeChat
Millions of Apple users are at risk from malicious yet legitimate apps uploaded to the official App Store, which are being used in "unprecedented", live iCloud phishing attacks. The 39 identified apps, including WeChat, one of the most popular instant messaging clients in the world, were compiled using a malicious version of …
COMMENTS
Monday 21st September 2015 09:04 GMT Dan 55
Re: Code Signing
Putting aside the stupidity of a developer downloading Xcode from somewhere else, which should get them immediately cast out from the Guild of Keyboard Bashers never to return, you'd have to click on the padlock in the corner of the installer window and check the certificate to find out it's been signed by a developer other than Apple.
Perhaps something which is worth taking out of the hands of Jony Ive. First page, big huge font, "This installation file was signed by: 4pp13, 1nc. who has been a registered developer with Apple for 8 hours. Are you really sure you want to pwn your computer?"
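A scriptable version of the "check who signed it" step Dan 55 describes, added here as an example and not part of the thread. It drives Apple's own spctl(8) and codesign(1) Gatekeeper assessment; the parsing helper, the XCODE_APP variable and the RUN_LIVE_CHECK switch are this example's own assumptions.

```shell
#!/bin/sh
# Added example: verify that the Xcode.app on disk carries Apple's signature,
# not a re-signed copy from a third-party download mirror.
# Assumed default install path; override with XCODE_APP=/path/to/Xcode.app.
XCODE_APP="${XCODE_APP:-/Applications/Xcode.app}"

# Turn the text of `spctl --assess --verbose <app>` into a verdict.
# Apple's documented good outcomes for a genuine Xcode are "accepted" with
# source=Mac App Store, source=Apple System or source=Apple. An "accepted"
# result with any other source means a valid signature from someone else,
# which is exactly the case the padlock check is meant to catch.
verdict_from_spctl() {
    out="$1"
    case "$out" in
        *": accepted"*) ;;                      # Gatekeeper accepted the bundle
        *) echo "reject"; return 0 ;;           # rejected or unsigned
    esac
    # Pull the source= attribution (spctl prints it on the following line).
    src=$(printf '%s\n' "$out" | sed -n 's/.*source=//p' | head -n 1)
    case "$src" in
        "Mac App Store"|"Apple System"|"Apple") echo "ok" ;;
        "") echo "reject" ;;
        *) echo "suspicious" ;;                 # signed, but not by Apple
    esac
}

# Live check for a macOS host: Gatekeeper assessment plus a strict, deep
# signature verification of every nested binary in the bundle.
check_xcode() {
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not available (not macOS); skipping live check" >&2
        return 2
    fi
    out=$(spctl --assess --verbose "$XCODE_APP" 2>&1)
    v=$(verdict_from_spctl "$out")
    printf '%s: %s\n' "$XCODE_APP" "$v"
    [ "$v" = "ok" ] || return 1
    codesign --verify --deep --strict "$XCODE_APP" 2>&1
}

# Only run the live check when explicitly asked, so the helper above can be
# exercised on constructed output anywhere.
if [ "${RUN_LIVE_CHECK:-0}" = "1" ]; then
    check_xcode
fi
```

Run with `RUN_LIVE_CHECK=1 sh check_xcode.sh` on the Mac in question; a "suspicious" or "reject" verdict means the bundle was not signed by Apple and should not be used to build anything.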
Monday 21st September 2015 10:30 GMT Mike Bell
Re: Code Signing
OK, the developers were stupid and reckless to use an unauthorised compiler.
But... the code it produced still managed to get past App Store security checks. That's a big deal, and Apple will no doubt be smelling the coffee today. What goes into the App Store should be demonstrably kosher, and the use of a fake compiler should be detectable during app submission.
Monday 21st September 2015 10:28 GMT Bob Vistakin
Even worse - smug western fanbois wave their ponytails in contentment saying "it's ok, it's only China." But think about this: there was no warning. These apps passed the same stringent human-inspected tests the western app stores do. How do we know this hasn't happened already "over here" and we're just waiting for the big one?
A walled garden that lets malware in? That's Thinking Different, all right.
Monday 21st September 2015 09:18 GMT TeeCee
Social engineering?
They fell for: "Looky!! Is fazter downloady heres in moody cyberlockers[1] for dis ting wot u needs."?
And these are supposed to be developers who know their stuff?
God help us. We really are truly fucked.
[1] Rule 1. If there's a direct download link in a forum post which goes to anywhere with a cavalier attitude to what's shared and it's an executable, caveat emptor (as in test in a VM while wearing rubber gauntlets before letting it anywhere near anything you give a shit about). Then again, if you actually get to the download before your machine's pwned via the browser, you can count that as a win.
Monday 21st September 2015 10:43 GMT Sooty
Re: Social engineering?
>>And these are supposed to be developers who know their stuff?
Unfortunately, I work as support for developers who supposedly know their stuff, when they get stumped by errors such as "system is down, make sure it's running before trying this". I have to explain in detail how to start the system they develop the code for.
I often have to explain in detail basic stuff that anyone employed in the field for more than a day should know inside and out.
I believe many of them are straight out of university and get a 1 day language primer course before being supplied by the agencies as experienced senior developers. Nothing that the code they generate did strangely would surprise me.
Monday 21st September 2015 09:50 GMT Frank Bitterlich
I need the list of affected apps...
... just to compile a personal blacklist of app developers whose apps I'll never use or download again.
Because if their devs are so utterly clueless, their apps are dangerous even without this compromise.
@TeeCee: God help us. We really are truly f...ed. Indeed.
Monday 21st September 2015 10:31 GMT tekatronic
iOS 9 update??
If a user already has WeChat on their iPhone, and updates to iOS 9, which in turn means upgrading the WeChat app, does this mean they will be infected?
It's not clear what the timeline was for the outbreak. Are users who have had WeChat on their phone for 2 years or more safe? Did the "infected" version of WeChat only affect users who recently added the app to their phone?
Did the virus spread through regular updates? Or only from the app store on new downloads??
Monday 21st September 2015 19:34 GMT Anonymous Coward
Re: iOS 9 update??
The timeline was like this:
Original version of WeChat developed and uploaded to app store, using Apple's tools
Subsequent versions of WeChat developed and uploaded to app store, using Apple's tools
WeChat developer follows some random link in a forum for the 4GB Xcode download, instead of downloading from Apple like he should, because the latter is too slow
WeChat developer compiles version(s) of WeChat using the dodgy Xcode, and uploads them to app store
So you're fine if you downloaded it two years ago but haven't been updating it. If you update it every time a new version is on the app store, you may have a bad version, since there was a bad version of it on the app store for a while. If the version you have is newer than the one on the app store, you should delete it. If the version you have is older than the one on the app store, update.
Simply having it on your phone isn't a problem though, the bad code only affects it while you're running it, and due to the app sandboxing it isn't like it is able to get into your banking app and steal your money.
Monday 21st September 2015 19:39 GMT Anonymous Coward
What should Apple do to fix this?
There are a few things I can think of:
1) Have some sort of caching server containing the dev tools inside the Great Firewall so downloads are quicker, since that seems to have contributed to the desire to download them from websites instead of directly from Apple.
2) Have the install process check the integrity of the installation files over the internet with Apple (i.e. make an HTTP connection to *.apple.com to grab the signatures of all the binaries). If there's no internet access available at install time, it will try to do that check later - and will NOT allow using a developer key to sign the compiled binaries (required for app store submission) until this has been verified.
Anyone think of anything else?
Tuesday 22nd September 2015 20:32 GMT Anonymous Coward
Re: What should Apple do to fix this?
I think some devs would be a bit put out by such a requirement, and their lawyers would hate it as it would open them up to potential copyright lawsuits if Apple added functionality to iOS that bears any resemblance to what a submitted app does. Can you imagine Microsoft submitting source code for Office to Apple?
Apple is requiring apps for the Watch be submitted as LLVM bitcode, which is a semi-compiled format that might (or might not, I really don't know) avoid this sort of attack since Apple would do the final compilation to machine code. It would also allow them to re-optimize the code to improve app performance or fix issues caused by compiler bugs. Maybe they'll start requiring that for iOS apps eventually, but requiring source code, no way they ever will.