Malicious Apps Compromise Apple’s App Store
5th of October, 2015
Last week, Apple’s seldom-disrupted App Store was compromised as malicious applications (apps) were discovered in their Chinese App Store––an extremely rare occurrence. Included in the list of apps infected with malware was China’s very own messaging giant, WeChat.
As TechCrunch mentioned last week, app developers were tricked into downloading a compromised version of Apple’s Xcode developer toolkit. Xcode is the software provided to app developers by Apple in order to build products for Apple’s App Store. The malware-infected software, later named XcodeGhost, would allow the unknown attackers to gain access to users’ private information and login credentials. The video below by CNN Money delves deeper into this story. We should note that while the video brings up the Chinese Government as the possible mastermind of the attack, there is not yet enough information to make the claim. If you would like to learn more about the Chinese Government and their relation to mobile apps, check out our article Protecting Freedom of Speech with Encrypted Messengers.
In addition to the previously mentioned app giant, WeChat, about 40 applications were said to be affected; however, other outlets have reported more infections, with some counts eclipsing 4000 apps. AppleInsider lists 25 of the most popular apps affected by the counterfeit software XcodeGhost.
A Negligent Apple?
The obvious question that stems from this incident, which was wellcovered by ComputerWorld, is whether or not it was negligence on the part of Apple that lead to this compromise of the App Store. According to ComputerWorld’s article, Apple’s mistake is far less important than their response to the flaws that enabled the hack. No company is perfect, and just the fact that their attack has shocked so many speaks to the stellar record Apple has cultivated.
Tentatively shifting some of the responsibility from Apple, ComputerWorld expressed that developers also hold a sizeable portion of the blame as well. “Apple will ensure that you’re using a published API to [open and write to a file]. It will make sure that your app behaves as expected with regards to that file. But if you choose to put client information into that file without encrypting it, that’s really not Apple’s concern — nor should it be, if you ask me. That is business-level security and must be applied by the developer”. As of now, we’re anxiously anticipating Apple’s response, and their plan to prevent future attacks in the wake of them pulling the infected apps.
About Ryan Jeethan
Ryan is a graduate of the University of Waterloo’s Arts & Business program focusing on UW’s unique Speech Communication program.