Since 2003, Xcode has been at the core of program development for Apple OS X and iOS, and Apple has remained confident that their policies, procedures, and security were all in place and rock solid. That all changed last week when Apple confirmed a fraudulent version of Xcode had been used to develop hundreds of applications available on Apple’s App Store, not the least of which is WeChat, which has approximately 500 million users in Asia alone.
On September 16, 2015, researchers at Alibaba reported the existence of Xcode malware that they dubbed XcodeGhost. The first report of this new strain of malware appeared on Sina Weibo. Claud Xiao, a security researcher at Palo Alto Networks, published a blog post discussing the threat and confirming that XcodeGhost is compiler malware that was injected into unofficial Xcode installers.
“XcodeGhost’s primary behavior in infected iOS apps is to collect information on the devices and upload that data to command and control (C2) servers,” Xiao wrote. “The malware has exposed a very interesting attack vector, targeting the compilers used to create legitimate Apps.”
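Because XcodeGhost reached developers through unofficial Xcode installers rather than through the apps themselves, the defensive control sits in the build pipeline: accept a toolchain image only when it came from the vendor's own download host and matches a hash the team recorded from the vendor. The script below is an added example written for this post, not code from the original article, Apple, or any of the researchers cited; the allowed-host list, the manifest, and the sample image bytes are all constructed for illustration (the hashes are computed from those sample bytes, not from real Xcode releases).

```python
"""Toolchain download integrity check (added example, not from the original post)."""
import hashlib
from typing import Dict, Tuple
from urllib.parse import urlparse

# Hosts a team would allow toolchain downloads from (assumption for this example).
ALLOWED_HOSTS = {"developer.apple.com", "download.developer.apple.com"}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an in-memory blob (a real image would be hashed in chunks)."""
    return hashlib.sha256(data).hexdigest()


def is_official_source(url: str) -> bool:
    """True only for HTTPS URLs on one of the allowed vendor hosts."""
    parts = urlparse(url)
    return parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS


def verify_toolchain(url: str, data: bytes, manifest: Dict[str, str]) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only when source AND recorded hash both check out.

    manifest maps an installer file name to the SHA-256 the team recorded when
    it first obtained that file from the vendor.
    """
    if not is_official_source(url):
        return False, "rejected: %s is not an allowed vendor download URL" % url
    name = urlparse(url).path.rsplit("/", 1)[-1]
    expected = manifest.get(name)
    if expected is None:
        return False, "rejected: no recorded hash for %s" % name
    actual = sha256_hex(data)
    if actual != expected:
        return False, "rejected: hash mismatch for %s" % name
    return True, "accepted: %s matches recorded hash" % name


# Constructed sample data: a stand-in "official" image and a tampered copy of it.
OFFICIAL_IMAGE = b"constructed-xcode-image-contents"
TAMPERED_IMAGE = OFFICIAL_IMAGE + b"\x00constructed-extra-bytes"
MANIFEST = {"Xcode_sample.dmg": sha256_hex(OFFICIAL_IMAGE)}

if __name__ == "__main__":
    cases = [
        ("https://download.developer.apple.com/Xcode_sample.dmg", OFFICIAL_IMAGE),   # good
        ("https://download.developer.apple.com/Xcode_sample.dmg", TAMPERED_IMAGE),   # bad hash
        ("https://mirror.example.net/Xcode_sample.dmg", OFFICIAL_IMAGE),             # bad host
        ("http://download.developer.apple.com/Xcode_sample.dmg", OFFICIAL_IMAGE),    # not HTTPS
        ("https://developer.apple.com/Other_sample.dmg", OFFICIAL_IMAGE),            # unknown file
    ]
    for url, blob in cases:
        ok, reason = verify_toolchain(url, blob, MANIFEST)
        print("OK  " if ok else "FAIL", reason)
```

The two checks are deliberately independent: a correct hash from a mirror is still rejected, and an official URL serving altered bytes is still rejected. In practice the manifest would be populated once from the vendor's published values and then committed alongside the build configuration, so a later unofficial image cannot pass simply because someone re-ran the hashing step on it.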
Apple issued a press release on Sunday wherein the company claimed to have removed all the apps that were created by the XcodeGhost-infected version of Xcode. At that time, Apple did not disclose how many apps were infected, but chose to focus on three. Apple also did not provide any information for users to tell if they had been compromised. Apple further stated that there is no proof that any of the malicious code has been executed.
Despite misleading and incomplete information from Apple, the truth has emerged over the past week. Appthority reported that they were able to identify 476 affected apps and that there are possibly more. They traced the bad code back to April of 2015. There was a shred of good news from Appthority – XcodeGhost is more about tracing user activity than it is about stealing data. FireEye reported finding 4,000 iOS apps infected by XcodeGhost.
Hey Apple, Thanks for the Primer on Doing Security Wrong
Apple’s emphasis on minimizing the perception of the danger presented by XcodeGhost is frustrating to the point where I once had a full head of hair but now I resemble the new recruits at the opening of Full Metal Jacket. The right thing to do would be to describe the threat, list the infected applications, explain how to remove them, and explain what the company is doing to prevent malware in the App Store in the future. We’ve seen other companies such as Sony, Target, and Anthem Health respond better to security breaches in the past few years. Come on, Apple, the IRS cares more about their users’ well-being than you do.
Apple’s outdated, marketing-driven, head-in-the-sand security policies are putting users at risk. This idea comes from a long-held belief that Macs couldn’t get viruses; but the truth was that Macs were (and are) just as vulnerable as PCs. There are just fewer of them, so they aren’t as rich a target. Apple latched onto this old wives’ tale and actually made it official company policy to say that their devices are safer than everyone else’s. I’ve actually had salespeople at the Apple Store tell me that OS X and iOS users don’t need security because the platform is safe. A bold claim with no basis in technical reality. This is a disservice to Mac, iPhone and iPad users, who should be encouraged to protect themselves. The Internet is a dangerous place regardless of platform.
Apple argues that because they have control over the App Store, the applications are safe and there is no need to run security software on iOS devices. XcodeGhost shows that they have made a mistake of epic proportions.
There’s a long-held principle in security called defense-in-depth that states that you’re better off providing layers of security rather than a single security measure. The reasoning is that no single protection is strong enough, but many overlapping protections are. Think about a WWI battlefield – did they have multiple trenches and lines of barbed wire, or did they have one? Think about your home – do you have a fence, a strong door, locks on the door and a security system, or do you just have a strong door? Apple claims that by protecting the entrance to the App Store they are keeping users safe. XcodeGhost shows that they’ve failed to keep users safe. Apple’s refusal to allow security software on the App Store further demonstrates that they would rather promulgate a security myth than protect their users.
Yes, Apple should continue to maintain strong protections over the App Store, the entry point to the device. They should also allow users to protect themselves by running anti-malware software on their devices. Otherwise, they’ve created the biggest “hard on the outside, soft on the inside” network in the world.
And that is a very ripe target for criminals.
Matthew David Sarrel has been practicing and writing about network and information security for over 20 years. He is Executive Director of Sarrel Group, an editorial services/content marketing, product test lab, and information technology consulting company. He is a Contributing Editor for PCMag.com, Triple-G Editor for Backayard Magazine, and contributor to Infoworld, Programmable Web, and numerous other sites and publications. Previously, he was a technical director for PC Magazine Labs. Prior to joining PC Magazine, he served as VP of Engineering and IT Manager at two Internet startups. Earlier, he spent almost 10 years providing IT solutions in HIV-and-TB-related medical research settings at the New Jersey Medical School. Mr. Sarrel has a BA (History) from Cornell University, an MPH (Epidemiology) from Columbia University, and is also a Certified Information Systems Security Professional (CISSP). Mr. Sarrel has written for and spoken to numerous international audiences about information technology and information security. He participated as an expert in two Federal Trade Commission workshops, one about spam in 2003 and one about spyware in 2004. Follow Matt on Twitter. Follow his adventures with Elvis the information security French bulldog on Instagram.
Stratford University, in association with Key Cybersecurity, is offering CISSP, CISA and CEH training and certification courses at many of its Northern Virginia campuses. We will be providing students with hands-on experience with state-of-the-art security solutions like HeurekaCyber’s Cyber Armor and others. Join us at http://www.stratford.edu/cyber in becoming the first line of defense in cybersecurity.