iOS's infected app-list continues to grow, says Lookout

Security outfit Lookout is watching iThing users' backs, with a rolling list of apps affected by the XCodeGhost bug. Cupertino continues cleaning up the iOS App Store after its first big malware attack. This comes after hackers slipped their nasty software into a number of apps by modifying the Xcode development tools used by …

  1. J J Carter

    How is this possible with a modern OS?

    Surely if iOS app sand-boxing/call it what you will was any good, rogue apps couldn't achieve data theft no matter what library code they used?

    Security that relies on trusting the developer isn't secure. End of.

    1. Bob Vistakin

      You're trusting it wrong.

      More importantly, where's the advice for users? How can they tell which apps on their device right now are affected?

    2. Mike Bell

      Re: How is this possible with a modern OS?

      Calm down. All apps are sandboxed. The information available to affected apps is:

        • Current time
        • Current infected app’s name
        • The app’s bundle identifier
        • Current device’s name and type
        • Current system’s language and country
        • Current device’s UUID
        • Network type

      This is available to any app. It's not expected, however, that the app might choose to send this off to a third party.

    3. Anonymous Coward

      Re: How is this possible with a modern OS?

      Android has very good sandboxing. iOS (still) doesn't.

      Don't forget how Facebook were slurping iPhone system address books for years before they got caught.

      https://venturebeat.com/2012/02/14/iphone-address-book/

      It's better than it was in 2012, but the core problem of proper iOS sandboxing hasn't been fixed.

      1. Joerg

        Re: How is this possible with a modern OS?

        Android has no real sandboxing at all. It is just a lame lazy modified Java running on a modified Linux.

        1. asdf

          Re: How is this possible with a modern OS?

          But remember Java was built for security and its steward makes databases that are unbreakable. What's that? The CVEs tell a different story than the marketing drones? Funny that. Also Android doesn't even enforce the sandboxing, as apps have direct access to a lot of native platform functionality as well (for performance reasons). iOS has its issues, but even Google has had to eat crow and admit security of their OS was never really a design goal and had to be bolted on later (poorly IMO; security patching and lousy full disk encryption are two easy examples).

          1. Alan Denman

            Re: How is this possible with a modern OS?

            Turn the volume up?

            When it all goes tits up, claiming it's the same elsewhere is the usual bent.

    4. anonymous boring coward

      Re: How is this possible with a modern OS?

      Seems there is a lot of confusion.

      The way to think about this is that someone has:

      1) Modified a tool so the tool can produce output that is not what the developer intended.

      2) The tool's output is compliant with what can normally be done by this tool.

      3) The developer uses his certificate to authenticate his now compromised app.

      When the app is used it can't do anything special that any app couldn't potentially do.

      But it may have structured its illegitimate instructions so that they are not recognisable by Apple's automatic screening process. So vetting doesn't work (for now).

      And, of course, the fact that a legit developer is behind the app makes this more dangerous.

      So it's not a total cracking of Apple's iOS security system. It doesn't mean free rein for the app on the iDevice. Any sandboxing restrictions, like for any normal app, still apply, but the implied trust that the app does what the developer says it should do has been broken.

      P.S.: The developer downloading the compromised Xcode would have had to explicitly tell OS X to install it and run it as insecure software, from an unknown source.

  2. Your alien overlord - fear me

    With that kind of data being stolen, makes me wonder if AVG was written on XCodeGhost (ouch!!)

  3. Anonymous Coward

    Toxic hellstew

    I think that's the term you were looking for.

    This is real, much more real than Stagefright (no real world exploits of that, a month on).

    Just like the iCloud hacks, complacency comes crashing down. iOS is no more secure or immune than Android. If anything Android has several security mechanisms missing from iOS.

    1. Joerg

      Re: Toxic hellstew

      iOS is secure. Period.

      In this case the criminals behind all this operation had someone inside Apple doing the dirty job to get the illegal authorization keys certified and all the apps built with those passing automatic and manual reviews.

      1. sabroni
      2. Known Hero

        Re: Toxic hellstew

        @joerg

        :D that really put a smile on my face. Next you'll be telling me car companies don't cheat the system and the car you're driving is perfectly fine and safe.

        Naive, overtrusting or troll. Not sure. Either way it made me chuckle.

      3. nsld

        Re: Toxic hellstew @Joerg

        Hate to point out the blindingly obvious but if it was secure this wouldn't happen.

        Security is more than just the code, it's also the processes and the company. The fact you think insiders are to blame makes no difference.

        As anyone with an ounce of knowledge about security will tell you, it doesn't matter how well you code or the quality of your kit, the weak link will always be the meat sacks let loose on it.

        1. Joerg

          Re: Toxic hellstew @Joerg

          Maybe you work for Google or Microsoft, or you are just little kids thinking you're smart.

          iOS is absolutely secure.

          What happened here is a criminal act with fake authorization keys that someone inside Apple must have authorized.

          No one would use a fake XCode to build any app. No one would download XCode from non-Apple servers inside his own developer account.

          This is a fact.

          Anything else is b*ll.

          1. nsld

            Re: Toxic hellstew @Joerg

            So it's a security issue then, thanks for confirming that.

            Using your very weak logic guns are perfectly safe, of course that is until you load them, point them at someone and pull the trigger.

            This must be doubly painful for you Boerg, firstly your precious iDevices are now filled with the code of the evil ones, and worse the crime was perpetrated from within the sacred grounds of the church of Jobs.

            The only thing that could make your day worse would be your hipster soya latte being made with the wrong kind of organic beans and served lukewarm.

          2. Anonymous Coward

            Re: Toxic hellstew @Joerg

            Best all go pray to the iDeity quickly before we're all burning in Androidland forever more

  4. Joerg

    All these developers using illegal XCode must be jailed!

    No Apple developer would have any real reason to download, install and use a pirated illegal XCode with fake authorization keys that have been clearly authorized by someone inside Apple paid to do it on purpose. Apple competitors must be behind this criminal act.

    Everyone involved should be sued and jailed. These are criminals and they deserve to be put in jail immediately.

    Every software house big or small and every developer that used the illegal XCode to build any app or game must be part of the scam.

    1. Anonymous Coward

      Re: All these developers using illegal XCode must be jailed!

      Ah, so you've never done anything stupid and got away with it then? The developers that downloaded xCode from a non-Apple source should indeed no longer be trusted. THAT is a list I'd really like to see, and I presume Apple will probably already know who they are due to the infected apps they have submitted.

      I would not go as far as considering them criminal, but I certainly would not want to have any of these people developing an app because they clearly don't understand the simple principle of a chain of trust. By not using an authorised source for XCode, they have compromised a relatively safe platform. That lack of understanding suggests these people are not suitable for coding apps for the app store, and personally I'd kill off the certs of those developers. If they want to take shortcuts, fine, go and play with the jailbreaking market where security is absent anyway.

      1. Joerg

        Re: All these developers using illegal XCode must be jailed!

        @Anonymous Coward "Ah, so you've never done anything stupid and got away with it then?"

        These developers are criminals. They are guilty. No one would use an illegal XCode to build any app and submit it to Apple.

        Other nonsense babbling means nothing.

        1. Brewster's Angle Grinder

          Re: All these developers using illegal XCode must be jailed!

          If you have a licence, you've not done anything illegal by downloading a copy from a mirror.

          1. Anonymous Coward

            Re: All these developers using illegal XCode must be jailed!

            If you have a licence, you've not done anything illegal by downloading a copy from a mirror.

            Yes, I fully agree with you. However, that doesn't mean you haven't done something stupid if you haven't verified that that mirror was a legitimate one. Illegal, no, stupid, yes.

    2. nsld

      Re: All these developers using illegal XCode must be jailed!

      Quick nurse bring the twatspanner, we have a loose nut

      1. VinceH

        Re: All these developers using illegal XCode must be jailed!

        @nsld

        Upvote for twatspanner. Portmanteau word of the day. And highly appropriate use in this case.

        1. nsld

          Re: All these developers using illegal XCode must be jailed!

          @VinceH

          Thank you

    3. anonymous boring coward

      Re: All these developers using illegal XCode must be jailed!

      It's only a modified Xcode (IDE).

      The people using it would also have been victims, using their legit certificates to upload their presumably legitimate apps, with no knowledge of the included backdoors.

      That's why it's a sophisticated attack.

    4. DougS

      @Joerg

      You don't even understand what is happening. Someone took Apple's Xcode, all 4GB of it, and modified something in it (probably via an object file attached to every app, such as a modified crt1.o) that causes apps compiled with it to include a bit of malware.

      The reason this is affecting Chinese apps is because the modified Xcode was distributed in China, and yes, despite your denials, some devs were fooled into downloading this instead of getting the real one from Apple. Reportedly because downloading such a large file directly from Apple is very slow, as it is a long way away and has to pass through the Great Firewall.

      These apps can't do anything an app can't already do. iOS apps are sandboxed, so if you don't give the app permission to access your contacts, it can't, if you don't give it access to send texts it can't send premium SMS texts, etc. What it can do though is pop up some request box that makes it look like iCloud needs your password for some reason to fool you into giving up information. i.e. social engineering, which it sounds like is the sort of thing it is doing. Fooling people into giving up information. It can't go digging around in the private data of your banking app and get your account details.

  5. Anonymous Coward

    BBC reporting

    understandably playing it down, that it's only China affected. Funny that when some Android malware story breaks that only affects Chinese 3rd party "dodgy" stores, that isn't mentioned anywhere in BBC's reporting, happily pretending that it's a Google store problem that affects the western (developed) world.

    This is why I don't trust any of these "news" websites that have news written by non-technical writers that either don't understand technical fine points that make a huge difference to the story, or simply don't care, and just want the clicks.

    Sadly my list of tech websites I trust is growing VERY short now.

    1. Anonymous Coward

      Re: BBC reporting

      that isn't mentioned anywhere in BBC's reporting

      Far be it from me to suggest that they're a bunch of technical illiterates who are high on the Jobsian fumes. Those unlucky enough to subscribe to Which? will know the pattern.

  6. Anonymous Coward

    First of many

    Now that this is very widely publicised and every criminal gang with their fingers in smartphone fraud is aware of it, is this the first of many such attacks? If, indeed, it is the first, and not just the first to get caught.

    Presumably, there will now be teams all around the globe grabbing a copy of the dodgy Xcode and finding out how to use it to their own ends. I'd be amazed if not, after all, being able to get apps through Apple's defences and onto millions of devices, many of them owned by technically illiterate, but wealthy people, has to be a very juicy target.

    I'm sure there's more than one government-sponsored hacking team on the job as I type.

    So, all you Apple fans, are you happy in the knowledge that the basic coding platform can be hacked, that malware can get onto the App Store and Apple are seemingly unable to spot such malware? Oh, it's all OK, Joerg says so.

    1. Bob Vistakin

      Re: First of many

      And remember of course the developers themselves are totally unaware they are uploading malware directly to the app store.

    2. anonymous boring coward

      Re: First of many

      A countermeasure has already been deployed by Apple, and you can bet there is no chance any criminals grabbing any dodgy copies of Xcode will have any use for it. Besides, they would still have had to know how to modify it for their particular purpose.

      The only real threat are the apps already in the store, and they have been flushed out I understand.

      If you think Apple would be lax about this you are extremely mistaken.

  7. Britt

    Convenience

    From what I gather, many of the devs operate in areas with utterly rubbish connections, some reporting 60k/s from Apple servers. With a speed like that from official servers and a 3GB+ file to download that could drop out at any time, I'm beginning to see the temptation in downloading from a more localised mirror.

    Reasoning, it's a scary thing. Maybe Apple should consider an official mirror that's easier to access.

    It's almost like the music piracy argument all over again.

    1. nsld

      Re: Convenience

      This is deliberate as it allows the fanboi to stare lovingly at the shiny iDevices whilst pulling themselves furiously around the room waiting for the download

      Just ask Joerg, he got so excited earlier he nearly tore his cock off!

  8. anonymous boring coward

    For general information: This email was sent out by Apple to the developers:

    "We recently removed apps from the App Store that were built with a counterfeit version of Xcode which had the potential to cause harm to customers. You should always download Xcode directly from the Mac App Store, or from the Apple Developer website, and leave Gatekeeper enabled on all your systems to protect against tampered software.

    When you download Xcode from the Mac App Store, OS X automatically checks the code signature for Xcode and validates that it is code signed by Apple. When you download Xcode from the Apple Developer website, the code signature is also automatically checked and validated by default as long as you have not disabled Gatekeeper.

    Whether you downloaded Xcode from Apple or received Xcode from another source, such as a USB or Thunderbolt disk, or over a local network, you can easily verify the integrity of your copy of Xcode. Learn more."
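An added shell example (not from the thread, and not Apple's own tooling) wrapping the Gatekeeper check the e-mail above refers to: it assumes the `spctl --assess --verbose /Applications/Xcode.app` assessment Apple pointed developers at, and that a genuine Xcode reports one of the source labels "Mac App Store", "Apple System" or "Apple" (an assumption about Gatekeeper's output). The sample outputs are constructed so the verdict logic can be exercised on a non-Mac host too.

```shell
#!/bin/sh
# Added example: wraps the Gatekeeper assessment of an Xcode bundle.
# The trusted source labels below are an assumption about spctl output.

# spctl_verdict: read `spctl --assess --verbose` output on stdin and
# return 0 only if the bundle was accepted AND the signer is Apple.
spctl_verdict() {
  out=$(cat)
  case "$out" in
    *": accepted"*) ;;
    *) echo "REJECTED: Gatekeeper did not accept this bundle"; return 1 ;;
  esac
  src=$(printf '%s\n' "$out" | sed -n 's/^source=//p' | head -n 1)
  case "$src" in
    "Mac App Store"|"Apple System"|"Apple")
      echo "OK: accepted, source=$src"; return 0 ;;
    "")
      echo "SUSPECT: accepted but no source line found"; return 1 ;;
    *)
      # A third-party Developer ID signature also passes Gatekeeper,
      # but it is not what a genuine Xcode download carries.
      echo "SUSPECT: accepted but source=$src (not Apple)"; return 1 ;;
  esac
}

# verify_xcode: run the real assessment on macOS. Returns 2 where spctl
# is unavailable (non-macOS hosts), otherwise spctl_verdict's result.
verify_xcode() {
  app="${1:-/Applications/Xcode.app}"
  command -v spctl >/dev/null 2>&1 || { echo "spctl not found (macOS only)"; return 2; }
  # spctl may print its verdict on stderr, so merge both streams for parsing.
  spctl --assess --verbose "$app" 2>&1 | spctl_verdict
}

# Constructed sample outputs (not captured from a real machine).
GOOD_SAMPLE='/Applications/Xcode.app: accepted
source=Mac App Store'
BAD_SAMPLE='/Applications/Xcode.app: accepted
source=Developer ID'

# demo: show both verdicts without needing a Mac.
demo() {
  printf '%s\n' "$GOOD_SAMPLE" | spctl_verdict
  printf '%s\n' "$BAD_SAMPLE" | spctl_verdict
}
```

Run `verify_xcode` on the Mac holding the download; `demo` only exercises the parsing against the constructed samples.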
