Welcome to Our WirelessAdvisor Community!

You are viewing our forums as a GUEST. Please join us so you can post and view all the pictures.
Registration is easy, fast and FREE!

Apple Apple's iOS App Store suffers first major attack

Discussion in 'APPLE iPhone, iPad Tablets and all iOS Devices' started by palandri, Sep 20, 2015.

  1. palandri

    palandri Former Palm Guy
    Junior Member Senior Member

    Joined:
    Nov 17, 2009
    Messages:
    1,201
    Likes Received:
    867
    Location:
    Chicago
    My Phone:
    Pixel 4
    Wireless Provider(s):
    Project Fi
  2. viewfly

    viewfly Mobile RF Advisor
    Senior Member

    Joined:
    Jun 22, 2003
    Messages:
    6,002
    Likes Received:
    851
    My Phone:
    iPhone XS Space Grey
    Wireless Provider(s):
    AT&T; Tmobile SIM only
    One thing another article mentioned: developers had downloaded Xcode from Chinese servers by turning of Apple's security features.


    Sent from my iPhone using Tapatalk
     
  3. dmapr

    dmapr Silver Senior Member
    Senior Member

    Joined:
    Dec 4, 2006
    Messages:
    4,453
    Likes Received:
    1,160
    Location:
    Bay Area, CA
    My Phone:
    Pixel XL
    Wireless Provider(s):
    Verizon Wireless; MTS
    Turning off security features where? There's no question they downloaded something that is not the real Xcode but Apple doesn't really control what you download when it's not from their servers :) In other words, Apple cannot prevent you from downloading software not of their making (XcodeGhost) from the servers not under their control, there are no security features for that that I'm aware of.

    So Apple's fault (if you could call it that) is not in allowing XcodeGhost to land in developer's hands (out of their jurisdiction and control) but in allowing the XcodeGhost-built apps through to the store, but that's just like with all computer viruses -- hard to detect and can't be expected to happen automatically. When a new virus is introduced somebody always catches it before anybody is able to build a cure.
     
  4. viewfly

    viewfly Mobile RF Advisor
    Senior Member

    Joined:
    Jun 22, 2003
    Messages:
    6,002
    Likes Received:
    851
    My Phone:
    iPhone XS Space Grey
    Wireless Provider(s):
    AT&T; Tmobile SIM only
    That info about security features is from an Apple spokesperson.

    Well, yeah, duh! Apple can't prevent one from jailbreaking and loading apps that may f'uped your iPhone either.

    Perhaps, the Apple spokesperson meant that they didn't download Xcode from Apple Servers. I don't remember exactly, but I had to pay a fee to become a developer, and to download Xcode, after signing in with my AppleID was required. Sort of like buying a brand name product from eBay or Amazon, there is always a chance it's a fake- sometimes very common problem.

    So not following securing features in getting Xcode from non official sources?



    Sent from my iPad using Tapatalk
     
    #4 viewfly, Sep 22, 2015
    Last edited: Sep 22, 2015
  5. dmapr

    dmapr Silver Senior Member
    Senior Member

    Joined:
    Dec 4, 2006
    Messages:
    4,453
    Likes Received:
    1,160
    Location:
    Bay Area, CA
    My Phone:
    Pixel XL
    Wireless Provider(s):
    Verizon Wireless; MTS
    Last time I was downloading Xcode it was just as the other Apple Software — from the App Store. So yes, you sign in with your Apple ID and download. Those developers have clearly not followed these procedures and downloaded what they probably believed was the same app but staged elsewhere. So not following procedures and guidelines — yes, but calling those "security features" is stretching it. Just like in your example, you can't really say that you bypassed Rolex security features in getting yourself a knock-off from eBay.
     
  6. viewfly

    viewfly Mobile RF Advisor
    Senior Member

    Joined:
    Jun 22, 2003
    Messages:
    6,002
    Likes Received:
    851
    My Phone:
    iPhone XS Space Grey
    Wireless Provider(s):
    AT&T; Tmobile SIM only
    I don't think so, dmapr. They knowingly used copied Xcode versions and not ones from the App Store.

    "Mr. Olson said that even in this case, hackers did not crack Apple’s software. Instead they took advantage of the fact that many Chinese developers use copies of Xcode that are held on Chinese servers, since they load faster than the version of the code that’s available from Apple.
    The bad Xcode was available only to those developers who had disabled Apple’s safety features. Otherwise Apple would have presented a warning that something was wrong with Xcode, Mr. Olson said.
    Many of the websites that were receiving stolen information have been discovered and shut down, according to researchers.
    Mr. Olson said versions of Xcode from Apple should be safe."

    http://www.nytimes.com/2015/09/21/b...l?smprod=nytcore-ipad&smid=nytcore-ipad-share


    Sent from my iPad using Tapatalk
     
  7. dmapr

    dmapr Silver Senior Member
    Senior Member

    Joined:
    Dec 4, 2006
    Messages:
    4,453
    Likes Received:
    1,160
    Location:
    Bay Area, CA
    My Phone:
    Pixel XL
    Wireless Provider(s):
    Verizon Wireless; MTS
    I didn't mean that they thought they were downloading from the Apple store, I mean they may not have known the version they were downloading has been tampered with. If you download from the App Store or from the Apple Developer website, the integrity of the download can be checked automatically if the Gatekeeper is enabled. If you download it from somewhere else, it is your responsibility to ensure it hasn't been tampered with as I don't believe it will be checked automatically.

    https://developer.apple.com/news/?id=09222015a
     
  8. palandri

    palandri Former Palm Guy
    Junior Member Senior Member

    Joined:
    Nov 17, 2009
    Messages:
    1,201
    Likes Received:
    867
    Location:
    Chicago
    My Phone:
    Pixel 4
    Wireless Provider(s):
    Project Fi
  9. Eileen89

    Eileen89 Bronze Senior Member
    Senior Member

    Joined:
    Feb 15, 2010
    Messages:
    849
    Likes Received:
    326
    This just proves that even devices as secure as Apples aren't as secure as we would like to think. If someone really wants to hack something and keeps trying. Eventually they'll find a way as was the case in China.
     
  10. viewfly

    viewfly Mobile RF Advisor
    Senior Member

    Joined:
    Jun 22, 2003
    Messages:
    6,002
    Likes Received:
    851
    My Phone:
    iPhone XS Space Grey
    Wireless Provider(s):
    AT&T; Tmobile SIM only
    So what happened is the developers had turned off Gatekeeper that checks for valid versions.

    That was the security feature that was turned off.

    But I do agree with you dmapr, that it was Apple's fault to allow apps in the store with an tampered, free version of Xcode.

    I got a feeling there is more to this story to come out. And interesting that it targets China. The story is too simple.

    I mean apps are meant to be cleansed by Apple before approval.

    Some politics involved somehow?
     
  11. dmapr

    dmapr Silver Senior Member
    Senior Member

    Joined:
    Dec 4, 2006
    Messages:
    4,453
    Likes Received:
    1,160
    Location:
    Bay Area, CA
    My Phone:
    Pixel XL
    Wireless Provider(s):
    Verizon Wireless; MTS
    From reading the Apple's KB it doesn't sound like Gatekeeper would help when the modified Xcode is downloaded from other sources, which is what happened and that the verification would have to be performed manually. I don't know enough about Gatekeeper to know for sure, so it's just my interpretation of the article -- you need to have Gatekeeper on plus be downloading from one of those Apple locations to catch tampering automatically.
     
  12. viewfly

    viewfly Mobile RF Advisor
    Senior Member

    Joined:
    Jun 22, 2003
    Messages:
    6,002
    Likes Received:
    851
    My Phone:
    iPhone XS Space Grey
    Wireless Provider(s):
    AT&T; Tmobile SIM only
    That would be my interpretation as well. So this sounds so easy for hackers. There is something missing in the story
     
  13. dmapr

    dmapr Silver Senior Member
    Senior Member

    Joined:
    Dec 4, 2006
    Messages:
    4,453
    Likes Received:
    1,160
    Location:
    Bay Area, CA
    My Phone:
    Pixel XL
    Wireless Provider(s):
    Verizon Wireless; MTS
    Well, they still need to convince somebody to download their software instead of the official one. It's really not that different from phishing :)
     
  14. viewfly

    viewfly Mobile RF Advisor
    Senior Member

    Joined:
    Jun 22, 2003
    Messages:
    6,002
    Likes Received:
    851
    My Phone:
    iPhone XS Space Grey
    Wireless Provider(s):
    AT&T; Tmobile SIM only
    I meant that a hacker can mod his own Xcode, dev an app with it and send to the App Store. That's the way this story is running. Just need a group of people to do this with an interesting app.
     
  15. viewfly

    viewfly Mobile RF Advisor
    Senior Member

    Joined:
    Jun 22, 2003
    Messages:
    6,002
    Likes Received:
    851
    My Phone:
    iPhone XS Space Grey
    Wireless Provider(s):
    AT&T; Tmobile SIM only
    Maybe a mod can delete the duplicates
     
  16. charlyee

    charlyee Ultimate Insanity
    Super Moderator Senior Member

    Joined:
    Dec 16, 2002
    Messages:
    9,902
    Cell Tower Picture Gallery:
    135
    Likes Received:
    1,575
    Location:
    SE Wisconsin
    My Phone:
    iPhone X
    Wireless Provider(s):
    at&t/Airtel/Turkcell
    Done! Thy Wish Is My Command.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  17. viewfly

    viewfly Mobile RF Advisor
    Senior Member

    Joined:
    Jun 22, 2003
    Messages:
    6,002
    Likes Received:
    851
    My Phone:
    iPhone XS Space Grey
    Wireless Provider(s):
    AT&T; Tmobile SIM only
    Ha. Heal thy self!
     
  18. dmapr

    dmapr Silver Senior Member
    Senior Member

    Joined:
    Dec 4, 2006
    Messages:
    4,453
    Likes Received:
    1,160
    Location:
    Bay Area, CA
    My Phone:
    Pixel XL
    Wireless Provider(s):
    Verizon Wireless; MTS
    Ah yes, that's certainly a possibility.
     

Share This Page

Copyright 1997-2020 Wireless Advisor™, LLC. All rights reserved. All registered and unregistered trademarks are the property of their respective holders.
WirelessAdvisor.com is not associated by ownership or membership with any cellular, PCS or wireless service provider companies and is not meant to be an endorsement of any company or service. Some links on these pages may be paid advertising or paid affiliate programs.

Positive SSL
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice