Well, it finally happened. Long touted as an alternative both more secure and more entertaining than Android, Apple’s infamously locked-down marketplace has finally suffered a major breach. How did this happen, who is affected, and how much should we be panicking?
Xcode — Ghosted
The breach centers around Apple’s integrated development environment (IDE), known as Xcode. This is a set of free tools available to registered developers allowing them to create apps for the iOS and OS X operating systems. Basically, every app you use on your iPhone or MacBook was built with Xcode in some way.
Thirty-nine apps, mostly used in China and the Asia-Pacific region, were discovered to have been built with a malicious version of Xcode. This variant, known as XcodeGhost, injected code that forced the app it was part of to report to a command and control server, thus turning the phones it was installed on into a kind of botnet. Instead of launching DDoS attacks, however, the creators of XcodeGhost used the infected apps to slurp down information about the user’s device — what version of iPhone, what carrier it was running on, the unique identifier for the device, and so forth.
This wasn’t the kind of information that could be used to steal your identity and crack open your bank account. However, it would make your phone a much softer target for hacking. In addition, security researchers are still investigating the possibility that the infected apps could receive instructions. Were this the case, it would be easy for the black-hats (whoever they are) to send a series of falsified notifications that could trick the user into revealing personally identifiable information. Furthermore, as Apple can only stop these apps from being sold in the App Store — as opposed to proactively removing them from users’ devices — this software could be sitting dormant on an untold number of phones, lying in wait for the perfect moment to strike. Cue scary music.
How Did This Happen?
Apple is pretty crazy about security. Every app submitted to their app store has to go through an extremely secretive vetting process, which has resulted in a very low rate of incidents compared to Android. How did these malicious apps sneak past the auditors?
With almost any widespread, successful attack, hacking human beings is as important as hacking software. Humans are unsubtle creatures, so by pulling on obvious levers such as fear, boredom, and the pressure of time, a skilled hacker can make us dance like puppets. In this instance, hackers used all of these little handles, plus one additional fact:
The internet in China is brutally slow.
Consider the life of a software developer. Time-to-market is your only God, so you work 80-hour weeks. You are eminently replaceable, and if you find that you’re taking too long on a particular task, you’re automatically afraid for your job. Xcode, with the iPhone SDK, is a 3.59 gigabyte download, and you’re in China. Business travelers will know that checking anything hosted on an international server while in China takes a glacial age. Imagine if you were on a deadline, in China, and your job depended on being able to download a 3.59 gigabyte file from a server somewhere in California.
If you’re like me, the appearance of that same file on a domestic file-sharing site would seem like an unadulterated blessing, right?
This is how the developers were ambushed. They wanted to save time and keep their jobs, and they ended up downloading a compromised SDK.
There would seem to be some obvious lessons here, like “don’t download files from anyone except their official distributor,” but again, in the world of software development, other concerns trump security. Don’t just take my word for it. A report from the Ponemon Institute comes to similar sobering conclusions, such as the fact that over half of developers never test apps for security.
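The lesson above has a concrete, boring form: before you open an installer you pulled from anywhere other than the vendor, compare its digest against the one the vendor publishes. The script below is an added example written for this post, not code from the original article, from Apple, or from any XcodeGhost analysis. It hashes the file in chunks (so a multi-gigabyte SDK image never has to fit in memory), refuses any file that has no pinned digest, and refuses any file whose digest does not match. The manifest entry is constructed: the digest shown is simply the SHA-256 of the string "hello" standing in for a vendor-published value, and `Xcode.dmg` is a placeholder file name.

```python
"""Verify a downloaded installer against a pinned digest before opening it.

Added example, not code from the original post. Hashes the file in chunks so
a multi-gigabyte SDK image is never loaded into memory, and refuses anything
whose digest is not pinned or does not match the pin.
"""
import hashlib
import hmac
from pathlib import Path

# Constructed manifest: file name -> SHA-256 the vendor publishes out of band.
# The digest here is the SHA-256 of the bytes b"hello", used purely as a
# stand-in; a real manifest would carry the vendor's published digest.
PINNED_DIGESTS = {
    "Xcode.dmg": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824",
}

CHUNK_SIZE = 1024 * 1024  # hash 1 MiB at a time


def sha256_file(path, chunk_size=CHUNK_SIZE):
    """Return the hex SHA-256 of a file, reading it in fixed-size chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path, manifest=PINNED_DIGESTS):
    """Return (ok, reason). ok is True only when the file's digest matches its pin.

    An unpinned file is treated as untrusted, not as "unknown": if nobody
    published a digest for it, there is nothing to verify against.
    """
    name = Path(path).name
    expected = manifest.get(name)
    if expected is None:
        return False, f"no pinned digest for {name}; refusing unpinned download"
    actual = sha256_file(path)
    # Constant-time comparison; not strictly required for a local file, but a
    # habit worth keeping whenever authenticators are compared.
    if not hmac.compare_digest(actual, expected):
        return False, f"digest mismatch for {name}: expected {expected}, got {actual}"
    return True, f"{name} matches pinned digest"


if __name__ == "__main__":
    import sys

    ok, reason = verify_download(sys.argv[1])
    print(reason)
    sys.exit(0 if ok else 1)
```

Run it as `python verify_download.py /path/to/Xcode.dmg`; a non-zero exit means the file should not be opened. The check only helps if the expected digest comes from a channel the mirror cannot tamper with, which is why the manifest is pinned in the script rather than fetched from the same place as the file.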
This is bad, you guys
Conclusions
As I write this article, the security folks at Apple, Inc. are no doubt busily making sure that nothing like this can ever happen again. And to be fair, I don’t quite blame Apple for letting this one slide. I don’t quite blame the individual developers either. Mobile app development is incredibly broken in terms of the way that it handles security and treats its employees, and I’m sure that’s much more of a factor here than anything Apple could or should have done.
Lastly, if you’re reading this article, you’re probably an American, or an English-speaker, and as such, are unlikely to be affected personally by this hack. If you suspect you have been — say, if you’ve downloaded anything from the Chinese App Store — refer to the list of apps linked in the first paragraph, and delete. Keep an eye on the news, as more infections may be confirmed. If you have coding experience, a more technical explanation of how to check your phone is available here.
And remember, if this incident has finally soured you on the iPhone, Windows phones are supposed to be quite secure.