Reactions to the XcodeGhost malware infecting iOS apps

“Unknown malware pushers have managed to trick Apple into offering for download from the company’s official App Store a considerable number of malicious apps.

Here are some of the comments Help Net Security received.


Brian Honan, CEO of BH Consulting and Special Advisor to Europol Cybercrime Centre

This case highlights why companies need to ensure their developers have strict guidelines and controls in place to ensure developers do not download and include malicious material in their own code.

Companies need to be able to stand over the security and integrity of their source code, not just for malicious content, but also to make sure there is no copyright infringement when reusing code or introducing insecure 3rd party code into their application. This attack shows that criminals will target the supply chain in order to access the systems they want.


Raj Samani, VP and CTO EMEA at Intel Security

Our inherent assumption of the integrity of applications, and even of new shrink-wrapped devices, turns out to be a false sense of security.

The reality is that the supply chain for software as well as hardware is often the weakest link, and as the latest app store infection now clearly demonstrates, no organization is completely immune, no matter how high their walled garden.


Xavier Mertens, Independent Security Consultant

In the case of XcodeGhost, the attacker released a malicious version of Xcode containing extra code to steal personal data from the infected device. The malicious Xcode was mainly targeting Chinese apps but some very popular worldwide were also affected (like WeChat).

Let’s put the technical specs aside and focus on two major threats in this story:

1. Why did developers download Xcode from an alternative (read: untrusted) source? You should always use official repositories and control the data by comparing the hashes. Also, for many developers, the fact that the code is >3GB is a problem (they don’t have the bandwidth) and they prefer to get their copy from a friend/colleague. This increases the risk of getting a malicious copy.

2. Why did Apple validate the malicious apps? Apple is known to have a strong validation process for submitted apps. The malicious code did not implement strong obfuscation techniques. What does it mean? Does Apple trust some developers or popular apps? Or are they overloaded by the huge amount of submissions, which prevents them from performing a strong validation?
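The first point above, verifying a downloaded toolchain against a pinned hash before installing it, as an added example that is not part of the original commentary. The manifest, artifact names and file contents are constructed placeholders; a real manifest would hold digests obtained from the vendor over a trusted channel.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Constructed manifest: artifact name -> expected SHA-256 (hex).
# Hypothetical placeholder value; pin the real digest from a trusted source.
EXPECTED_SHA256 = {
    "Xcode_7.dmg": "PLACEHOLDER_DIGEST_FROM_TRUSTED_SOURCE",
}

def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file so a multi-gigabyte installer is never fully in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, manifest=EXPECTED_SHA256):
    """Return (ok, reason). Artifacts with no pinned digest are rejected, not trusted."""
    name = Path(path).name
    expected = manifest.get(name)
    if expected is None:
        return False, f"{name}: no pinned digest, refusing to install"
    actual = sha256_of_file(path)
    # Constant-time comparison avoids leaking how many leading hex chars matched.
    if not hmac.compare_digest(actual, expected.lower()):
        return False, f"{name}: digest mismatch ({actual[:12]}... != {expected[:12]}...)"
    return True, f"{name}: digest matches pinned value"

def demo():
    """Constructed run: a clean copy, a modified copy, and an unknown artifact."""
    with tempfile.TemporaryDirectory() as d:
        dmg = Path(d) / "Xcode_7.dmg"
        dmg.write_bytes(b"constructed stand-in for the official installer")
        manifest = {"Xcode_7.dmg": sha256_of_file(dmg)}  # pinned from the trusted copy
        results = [verify_download(dmg, manifest)[0]]
        # Same filename, but the bytes came from a colleague's copy and differ.
        dmg.write_bytes(b"constructed stand-in for the official installer + extra code")
        results.append(verify_download(dmg, manifest)[0])
        unknown = Path(d) / "Xcode_from_friend.dmg"
        unknown.write_bytes(b"constructed bytes with no pinned digest")
        results.append(verify_download(unknown, manifest)[0])
        return results  # [True, False, False]
```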


Gavin Reid, VP of threat intelligence at Lancope

You’re only as strong as your weakest link. Here we have the walled garden of iTunes being toppled by the use of a 3rd-party developer software package being distributed out of China. The miscreants attacked a set of software tools for developing iOS applications called Xcode.

Application developers used the tainted developer package and created applications that compromised the user data on the device. These compromised applications were then submitted to Apple by the typical developers for the app.

One example is WeChat from Tencent; it is one of the most installed software apps in the Asia Pacific region, with hundreds of millions of installs. In this case there is little the user can do to protect themselves. The fix for this is better care from the application developers (to security), and better verification from Apple.


Jens Monrad, Systems Engineer at FireEye

Xcode is a software library used to create apps in, and in this case someone has released a version of Xcode containing malicious software, which was uploaded to Baidu’s (Chinese version of Google) cloud sharing, and multiple developers downloaded it. The problem is that several developers have already created apps with that specific Xcode version containing the malicious code, which has bypassed the usual strict app checking in the Apple App Store, and now Apple is trying to remove any apps created with this version.

This of course puts the end user at risk, and therefore all people who can freely download apps from the App Store, including enterprise users. It can also be used by cyber criminals to test the waters of Apple’s security programs, and as they were able to bypass it, they might try other methods where they include similar tools like Xcode.

This is the same kind of supply chain attack cyber criminals have been using for years. A common tactic is to weaponise a video game, and then post a pirated copy online. When someone seeks it out and installs it, they open up a backdoor. These supply chain attacks are always going to be a problem when people take shortcuts in obtaining their software and assume they’re getting a true copy.

In this case, the target was iOS developers in China, which dramatically extends the reach of the attack. At this point, it’s probably too soon to say who was impacted and whether it’s been exploited. We would need to see a full investigation.


Mark Noctor, Director, EMEA Sales at Arxan

The XcodeGhost attack is just one illustration of how easily applications can be modified and then maliciously packaged to unknowingly steal sensitive data or do other nefarious things. The question is not how this happened; exploits on applications will certainly continue, if not accelerate. The real question is: are there security measures that application developers and publishers should be taking today in order to help strengthen the security of their applications so that they can be trusted?

The answer is yes. Hardening application code before the application is released into the wild is one proactive security measure that can be taken to help mitigate the threat of malicious hackers tampering with the code and reverse-engineering it. Code hardening can also help maintain the integrity of an application so that the application can be trusted by consumers to perform as the developer and publisher intended.”
