They were tricked!
A group of hackers created a counterfeit version of the software used to build apps for Apple’s app store. This software was then downloaded by developers in China who were duped into thinking that it was genuine.
The malicious code allowed the hackers to collect user data from apps created/updated using the software.
“Xcodeghost” – dubbed by Cybersecurity firm Palo Alto networks – would also be able to send fake alerts to infected devices to trick users into revealing sensitive information.
More worryingly, it could also read and alter information in compromised devices. This could give them the ability to see logins copied to and from password management tools.
In reference to some of the infected apps, such as; WeChat, NetEase’s music downloading app and a cab hailing app similar to Uber, Apple spokeswoman Christine Monaghan said “We’ve removed the apps from the App Store that we know have been created with this counterfeit software”.
She added “We are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps”.
This type of attack should not happen within the fortress of Apple’s app store. The company has gone to great efforts and invested heavily in ensuring that any app passed trough the gates is thoroughly checked for quality, usability and above anything, security.
It comes back to acknowledging the biggest security threat to any organisation, human error. This is not to discount the work by our “bad guys” to cover up their code in a seemingly clean and identical version of the software. But people who would normally notice these attacks, just could not detect it. Even with high levels of security in development and approval, a culture of security must also be in place. ISO 27001 is not the answer to malware attacks or security breaches, but is a guidance on best practice for protecting information. It sets in motion a culture within your organisation to apply critical risk methodology when developing new software, installing new hardware or even hiring new staff.
In areas like China, network speeds are quite slow when downloading large files. To download the official Apple app development software, Xcode, weighing in at a whopping three gigabytes, it could take some time to get to work. This impels developers to go elsewhere for shortcuts. Several versions of the malicious software Xcodeghost had been uploaded to developer forums under the guise of the genuine product.
Regardless of this embarrassing publicity, there should not be any implications on the sale of Apple products. There has been no breach of personal information recorded and the effected versions of the apps have been removed from the app store.