"they must affirmatively bypass Gatekeeper"
So the walled garden has a gate that anyone can open as long as they're responsible and close it behind them?
Security researchers have discovered “backdoored” versions of an ad library embedded in thousands of iOS apps originally published in the Apple App Store. The affected versions of this library embedded backdoors in iOS apps that used the library to display ads, opening the door for hackers to access sensitive user data and …
You say that as if it's a bad thing. The alternative would be to not allow people to do that at all, which would be infinitely worse because you could then kiss goodbye countless open source applications, etc etc.
My only complaint about the way Apple handled the XcodeGhost thing is that Apple didn't outright bar the companies from ever submitting applications to the app store again. The level of utter stupidity that these developers displayed is just mind-boggling.
You can set OS X to only open applications downloaded from the Apple Store, or from the Apple Store and/or developers with a valid Developer's ID, or from anywhere at all.
So, yeah... Kinda makes the knee-jerk snarky "control-freak", "locked-down", "walled garden" comments seem rather puerile when anyone can permanently disable Gatekeeper at any time. (OS X DOES, however -- quelle horreur! -- require that you input your password before changing that security setting. I guess that must be that heavy-handed control-freakery at work...)
I could be wrong but, since the article says "Mobile security researchers at FireEye have identified 2,846 iOS apps containing backdoored versions of mobiSage SDK," I assumed that, as with XcodeGhost, the source of the dodgy SDK was from a lax developer downloading the SDK onto his/her Mac from an insecure/unsigned source.
The linked FireEye notice says, as well: "It is unclear whether the potentially backdoored versions of the ad library were released by adSage or if they were created and/or compromised by a malicious third party." So, while it's currently unclear, it seemed to me that a dev's disabling of Gatekeeper was, at least, a not unlikely source of infection.
If iOS scrapped free apps (funded by ads) completely.
I mean, let's face it, iOS apps are bloody cheap. If an app is worth having, it's worth paying a couple of quid for. As opposed to the current situation where there are gazillions of copycat useless bell-ringing and torch apps. Actually, they might have banned torch apps now since one comes pre-installed, but you get the idea.
I'm strongly of the opinion that there are far too many shit apps on the App Store, and offering them for free (with the attendant ads) only makes that situation worse.
Or Apple could require them to use their own ad network. I remember a few years back when Apple introduced iAd there was a lot of wailing and gnashing of teeth by the Apple haters, suggesting that Apple would soon force everyone to use their own ad network. They never did, but if this keeps happening some might suggest that.
Unfortunately this sort of problem wouldn't necessarily be limited to an ad network library. Any non-Apple library that developers are likely to add to their iOS apps would be a target for miscreants introducing a backdoored version. If Apple forced use of iAd, there are surely some other popular libraries that get included in apps that would be targeted instead. Ad network libraries are the low hanging fruit for obvious reasons, but if they were no longer an option they'd choose the next lowest hanging fruit.
Since iOS apps are sandboxed, and few apps will even be in a position to grab contacts lists etc. it seems the only thing they can do is try to trick the user into entering their iCloud or AppleID password. Not sure how easy it would be to catch that sort of thing, since the code could be obfuscated so you wouldn't have "iCloud" as a string present in the submitted binary.
If iOS scrapped free apps (funded by ads) completely.
I think it would be a good start if ad supported apps were clearly flagged as such, and were not allowed to introduce apps in an upgrade but had to put a separate version in the app store (to avoid sneaking this in later).
I have no problem with people seeking to generate ad revenue, but it seriously pisses me off if I find that out AFTER installation. What also annoys me is apps I DID pay for but that suddenly acquire ads anyway (I'm looking at you, Shazam). It's my bandwidth you're stealing.
Allow people to make a choice instead of conning them with "free, but not quite free" apps. Free <> ad supported <> paid.
Is this article describing two unrelated problems?
The first part states there is at least one compromised ad-support library that is used in a number of apps available on the official Apple Store. It doesn't say where developers get this kind of library - i.e. from "official" sites or from potentially compromised sites. The second part of the article then refers to one known source of compromised development software, but how is this related to the bad library?
They used the bad library. This was the mobiSage SDK, available from adSage. AdSage may/may not be responsible for the trojans, as the latest version of mobiSage doesn't seem (please note the magic word) to have the trojan.
In addition, they turned Gatekeeper off. They pretty much had to turn Gatekeeper off in order to use an SDK from someone other than Apple. If Gatekeeper had been on, it would have detected and blocked at least some versions of the bad library.
There's a whole lot of detail on the FireEye site, linked to from El Reg's article.
Asking the thousands of Hackintosh users to donate money they likely do not have won't happen!
On the actual subject, it is individual real malware lurking for years that is more dangerous.
How many are there, and how many had 'silent' deletes done without us being told?