Apple Apple's iOS App Store suffers first major attack

One thing another article mentioned: developers had downloaded Xcode from Chinese servers by turning of Apple's security features.


Sent from my iPhone using Tapatalk

 

Turning off security features where? There's no question they downloaded something that is not the real Xcode but Apple doesn't really control what you download when it's not from their servers In other words, Apple cannot prevent you from downloading software not of their making (XcodeGhost) from the servers not under their control, there are no security features for that that I'm aware of.

So Apple's fault (if you could call it that) is not in allowing XcodeGhost to land in developer's hands (out of their jurisdiction and control) but in allowing the XcodeGhost-built apps through to the store, but that's just like with all computer viruses -- hard to detect and can't be expected to happen automatically. When a new virus is introduced somebody always catches it before anybody is able to build a cure.

 

That info about security features is from an Apple spokesperson.

Well, yeah, duh! Apple can't prevent one from jailbreaking and loading apps that may f'uped your iPhone either.

Perhaps, the Apple spokesperson meant that they didn't download Xcode from Apple Servers. I don't remember exactly, but I had to pay a fee to become a developer, and to download Xcode, after signing in with my AppleID was required. Sort of like buying a brand name product from eBay or Amazon, there is always a chance it's a fake- sometimes very common problem.

So not following securing features in getting Xcode from non official sources?



Sent from my iPad using Tapatalk

 

Last time I was downloading Xcode it was just as the other Apple Software — from the App Store. So yes, you sign in with your Apple ID and download. Those developers have clearly not followed these procedures and downloaded what they probably believed was the same app but staged elsewhere. So not following procedures and guidelines — yes, but calling those "security features" is stretching it. Just like in your example, you can't really say that you bypassed Rolex security features in getting yourself a knock-off from eBay.

 

I don't think so, dmapr. They knowingly used copied Xcode versions and not ones from the App Store.

"Mr. Olson said that even in this case, hackers did not crack Apple’s software. Instead they took advantage of the fact that many Chinese developers use copies of Xcode that are held on Chinese servers, since they load faster than the version of the code that’s available from Apple.
The bad Xcode was available only to those developers who had disabled Apple’s safety features. Otherwise Apple would have presented a warning that something was wrong with Xcode, Mr. Olson said.
Many of the websites that were receiving stolen information have been discovered and shut down, according to researchers.
Mr. Olson said versions of Xcode from Apple should be safe."

http://www.nytimes.com/2015/09/21/b...l?smprod=nytcore-ipad&smid=nytcore-ipad-share


Sent from my iPad using Tapatalk

 

I didn't mean that they thought they were downloading from the Apple store, I mean they may not have known the version they were downloading has been tampered with. If you download from the App Store or from the Apple Developer website, the integrity of the download can be checked automatically if the Gatekeeper is enabled. If you download it from somewhere else, it is your responsibility to ensure it hasn't been tampered with as I don't believe it will be checked automatically.

https://developer.apple.com/news/?id=09222015a

 

This just proves that even devices as secure as Apples aren't as secure as we would like to think. If someone really wants to hack something and keeps trying. Eventually they'll find a way as was the case in China.

 

So what happened is the developers had turned off Gatekeeper that checks for valid versions.

That was the security feature that was turned off.

But I do agree with you dmapr, that it was Apple's fault to allow apps in the store with an tampered, free version of Xcode.

I got a feeling there is more to this story to come out. And interesting that it targets China. The story is too simple.

I mean apps are meant to be cleansed by Apple before approval.

Some politics involved somehow?

 

From reading the Apple's KB it doesn't sound like Gatekeeper would help when the modified Xcode is downloaded from other sources, which is what happened and that the verification would have to be performed manually. I don't know enough about Gatekeeper to know for sure, so it's just my interpretation of the article -- you need to have Gatekeeper on plus be downloading from one of those Apple locations to catch tampering automatically.

 

That would be my interpretation as well. So this sounds so easy for hackers. There is something missing in the story

 

Well, they still need to convince somebody to download their software instead of the official one. It's really not that different from phishing

 

I meant that a hacker can mod his own Xcode, dev an app with it and send to the App Store. That's the way this story is running. Just need a group of people to do this with an interesting app.

 

Maybe a mod can delete the duplicates

 

Done! Thy Wish Is My Command.

 

Ha. Heal thy self!

 

Ah yes, that's certainly a possibility.