It continues to amaze me that people fear the US government more than they fear the very active, very visible and very dangerous hacking activities of Russian gangs; the Russian, Chinese and North Korean governments; and "run-of-the-mill" hackers out to steal your credentials and drain your credit and bank accounts.
It's like worrying about the Keystone Cops while cheering on Ma Barker, Al Capone and Bonnie and Clyde. (If you don't get the references, use Bing.)
1. Because the US government is known to do this same kind of stuff and to be currently waging political war against tech companies for not granting them a back door so they can cheat when doing surveillance (and not have to do their own work to get access). Who's to say they're not taking the situation into their own hands with this very exploit? The NSA is immune to law, so the DMCA and Patriot Act computer terrorism language doesn't apply to them (as in, the government sides with itself when such things come to light, and instead they attack the whistleblowers, make the people attack the whistleblowers, instead of reining in its unlawful behavior... well, what would be unlawful for anyone ELSE to do...).
2. Because the USA is a known bully in international affairs, which has been ruining its reputation in the global sense for decades now.
3. Because there are American citizens that resent being spied on by their OWN government more than they resent being attacked by foreign computer geek groups (regardless of how government sponsored those hack/crack geeks are or not).
Need we keep listing reasons???
EDIT: such as how a large percentage of impacted users are Chinese...
Apple can always shut down the apps and force the developers to issue a clean newly compiled version.
Apps can also be automatically screened for identified malware code.
And developers who keep breaking the rules can be banned.
The situation is a lot easier to correct than on Android.
How is it easier to correct than on Android? Sure, the Stagefright bug is tougher due to the nature of how all carriers/OEMs need to be on board, but if looking solely at Play Store/App Store issues, Google also screens/scans apps for malicious code and bans devs for breaking rules.
Palo Alto noted that to get a modified version of Xcode, affected developers would've had to disable Apple security features. The hackers also appear to have exploited the tendency for Chinese developers to download Xcode from local servers, since connections to Apple servers can be much slower.
Not surprising that developers would circumvent Apple's security measures. It is surprising that Apple's approval process would let malformed applications get through the screening process. Apple needs better automated tools and processes to weed out bad actor apps. Governments need better tools to identify, locate, and annihilate the creators of malware.
This reminds us that security is a problem that just continues to get bigger and badder every day. Every one of the things that mankind has created to make our lives better through the application of technology over the last 50 years is at risk of being attacked and destroyed. The current approaches to software security seem to be too piecemeal and reactionary. Until the fundamental DNA-level of how software is created and executed, down to the bare metal level, is recreated to be inherently secure, we'll be in a never-ending game of whack-a-mole. The days of putting the largest onus of security enforcement (authorization, authentication, non-repudiation) on the software alone need to come to an end.
It continues to amaze me that people fear the US government more than they fear the very active, very visible and very dangerous hacking activities of Russian gangs; the Russian, Chinese and North Korean governments; and "run-of-the-mill" hackers out to steal your credentials and drain your credit and bank accounts.
Conspiracies are always more interesting than reality
People always want to believe. Heck it was the tag line for the X Files...
Hard to dispel that very possibility... UNLESS you agree with my first snarky statement.
Sigh - the solution to this "problem" is simple - download Xcode only from Apple!
The most basic tenet of computer security - know the chain and trust the source of the code you are running. People are downloading locally because Apple's servers tend to be slower - seriously?!? Slower than a 28.8 modem?
Choosing convenience over security - and amazingly that causes problems. I love how people are jumping all over these weird philosophical discussions when the root issue is so incredibly stupid as well as EASY to solve. Don't be an idiot! Looks like the best thing Apple can do is put a caching server behind the great firewall if China will let them.
This is a problem created entirely by the government of China and their warped internet policies. Whether it was an intended outcome or a happy by-product, I would be shocked if they weren't pleased knowing it was at least possible.
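As an added example (not code from the thread, and not Apple's), here is one way to automate the "trust the source of the code you are running" check for a developer machine: run Gatekeeper's `spctl --assess --verbose` against the installed Xcode bundle and accept only a verdict whose source is Apple or the Mac App Store. The default `/Applications/Xcode.app` path and the set of trusted source labels are assumptions made here; `spctl` itself only exists on macOS, so the parsing is kept separate so it can be exercised on captured output anywhere.

```python
"""Check that the installed Xcode.app carries Apple's own code signature.

Added example; wraps the Gatekeeper assessment (`spctl --assess --verbose`)
and accepts only sources that mean "distributed by Apple as-is".
"""
import subprocess

# Gatekeeper "source=" labels treated here as Apple-distributed software
# (assumption for this example). Anything else, e.g. "No Matching Rule" or
# a third-party Developer ID, means the bundle is not Apple's unmodified copy.
TRUSTED_SOURCES = {"Mac App Store", "Apple", "Apple System"}


def parse_spctl_output(output: str) -> dict:
    """Parse the verdict text spctl prints, for example:

        /Applications/Xcode.app: accepted
        source=Mac App Store

    Returns {"accepted": bool, "source": str, "trusted": bool}.
    'trusted' is True only when the bundle is accepted AND the source is
    one of TRUSTED_SOURCES; a valid but third-party signature is not enough.
    """
    accepted = False
    source = ""
    for line in output.splitlines():
        line = line.strip()
        if line.endswith(": accepted"):
            accepted = True
        elif line.startswith("source="):
            source = line[len("source="):].strip()
    return {
        "accepted": accepted,
        "source": source,
        "trusted": accepted and source in TRUSTED_SOURCES,
    }


def check_xcode(path: str = "/Applications/Xcode.app") -> dict:
    """Run Gatekeeper's assessment on the bundle (macOS only)."""
    proc = subprocess.run(
        ["spctl", "--assess", "--verbose", path],
        capture_output=True, text=True, check=False,
    )
    # The verdict lines have appeared on either stream across macOS versions,
    # so both are combined before parsing.
    return parse_spctl_output(proc.stdout + proc.stderr)


if __name__ == "__main__":
    result = check_xcode()
    status = "OK" if result["trusted"] else "NOT TRUSTED"
    print(f"{status}: accepted={result['accepted']} source={result['source'] or '(none)'}")
```

A rejected bundle, or one whose source is a Developer ID rather than Apple, is reported as not trusted; that is the case a repackaged Xcode from a file-sharing mirror would fall into, since re-signing it with Apple's identity is not something a third party can do.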
How is it easier to correct than on Android? Sure, the Stagefright bug is tougher due to the nature of how all carriers/OEMs need to be on board, but if looking solely at Play Store/App Store issues, Google also screens/scans apps for malicious code and bans devs for breaking rules.
Yup - Google has similar capabilities if users download from the play store - but it's far easier to get bad stuff on the play store in the first place, and also it's far easier to load stuff from places other than the play store!
So yes, it's far easier for Apple to correct something like this when discovered and have a lot greater confidence that the problems can be cleaned up. Fundamental differences in how the platforms are architected ensure it. No one platform is perfect as this proves - but iOS is far easier to secure and keep secure.
About 40 infected apps made it onto the App Store, according to security researchers with Palo Alto Networks. Some of the apps were extremely high-profile, including WeChat and a popular ridesharing service, Didi Kuaidi. Palo Alto said that it was working with Apple and developers to assess the impact of the security breach. Chinese security firm Qihoo claimed that over 300 apps were infected.
Sigh - the solution to this "problem" is simple - download Xcode only from Apple!
<SNIPPED>
From my other post in this thread in case you missed it:
Government tampering: if China can do it, so can the intelligence agencies around the world. And if not via sharing lockers, then via packet/download intercepts and WiFi/router holes between developers and official Apple.
You see... the problem is that Xcode AND hence the Apple App Store can be spoofed into "thinking" and/or not seeing the apps created from a derivative of Xcode.
It really has not a whole lot to do with where Xcode is downloaded from, because that can be compromised easily even if you think it's directly from Apple.
It's nice that folks eventually did what the article should and could have: posted lists or links to them.
I had a weird experience probably unrelated to this two days ago when I purchased Purify in the App Store,
and rather than use my account info without question, I was required to verify and re-verify my payment info.
Maybe it had to do with updating to iOS9, since 'wallet' seems a little different than passbook or whatever it was before.
Anyone else had this happen after updating to iOS9?
Vaguely remember previous updates you have to do that. Update to Terms of Service usually. I could be wrong. To test, I just went and bought Purify and only had to put in password for the App Store.
1. Because the US government is known to do this same kind of stuff and to be currently waging political war against tech companies for not granting them a back door so they can cheat when doing surveillance (and not have to do their own work to get access). Who's to say they're not taking the situation into their own hands with this very exploit? The NSA is immune to law, so the DMCA and Patriot Act computer terrorism language doesn't apply to them (as in, the government sides with itself when such things come to light, and instead they attack the whistleblowers, make the people attack the whistleblowers, instead of reining in its unlawful behavior... well, what would be unlawful for anyone ELSE to do...).
2. Because the USA is a known bully in international affairs, which has been ruining its reputation in the global sense for decades now.
3. Because there are American citizens that resent being spied on by their OWN government more than they resent being attacked by foreign computer geek groups (regardless of how government sponsored those hack/crack geeks are or not).
Need we keep listing reasons???
EDIT: such as how a large percentage of impacted users are Chinese...
Believe me... You are not so important that the US government will feel the need to spy on you. And, if you were because of your suspicious activity, then too bad. Hackers, not the US government steal from everyday people and corporations to the tune of billions of dollars. Worry about them. As for the US spying on Chinese citizens— even if they did, it would be a drop in the bucket to the spying done by the Chinese on its own citizens.
You really need to re-evaluate your concerns. The US is not nearly the nefarious culprit you think. Even its infamous NSA eavesdropping efforts collect more information than they can ever peruse. Their computers look for known phone numbers and key words and phrases. The likelihood of a specific person being singled out is very small. The vast majority of people just don't fit their profile.
Now, chew on this: the Russians and Chinese tap into undersea cables. They also have spy satellites. And they perform massive hacking attempts. Worry about them, too.
All hackers are dangerous for society and for every person. They can steal your money, credentials, freedom and life. Everybody has to make their own order of what is most valuable to them. And no hacker group is completely under the control of any government. And governments are usually puppets.
None? The Chinese and North Koreans both run well known hacking organizations as a part of their military. The Russians may as well. And, if they don't, they are widely suspected of contracting with the same. In case you are not aware of it, hacking is a part of the asymmetrical war being waged by governments everyday.
Sigh - the solution to this "problem" is simple - download Xcode only from Apple!
The most basic tenet of computer security - know the chain and trust the source of the code you are running. People are downloading locally because Apple's servers tend to be slower - seriously?!? Slower than a 28.8 modem?
Choosing convenience over security - and amazingly that causes problems. I love how people are jumping all over these weird philosophical discussions when the root issue is so incredibly stupid as well as EASY to solve. Don't be an idiot! Looks like the best thing Apple can do is put a caching server behind the great firewall if China will let them.
This is a problem created entirely by the government of China and their warped internet policies. Whether it was an intended outcome or a happy by-product, I would be shocked if they weren't pleased knowing it was at least possible.
This assumes the app developer didn't know fully what they were doing.
Perhaps Apple should do the compiling with an online version of Xcode. Developers upload their raw source code so Apple can review it. With compiled executables it is not so easy to catch hidden functionality. I know developers don't want to release their source code but it is only with Apple which I think can be trusted.
Good grief! I can't believe it's finally happened! Get ready for all the iOS doom articles.
Of course it's important to remember that this is iOS's first real report of malware, and Android is at, like, a billion. Not only that, but technically iOS is older than Android, and this is their first malware emergency! That makes them a billion times more secure than Android. Times 10.
Comments
For once a far better and more definitive article on MacRumors including apps to remove immediately.
http://www.macrumors.com/2015/09/20/xcodeghost-chinese-malware-faq/
A lot of noise and a bit too much hyperbole and hysteria here.
With a tip from a forum and after some short research I found the following:
1. There's the code on GitHub
https://github.com/XcodeGhostSource/XcodeGhost
Perhaps someone can point me to problematic code here. I didn't find anything that's obviously malicious. Maybe I'm wrong, but it looks like it does the same as those crash log and app usage things like Flurry that are unfortunately common nowadays.
The code sends data to cloud-analysis.com. The domain was anonymously registered.
NSURL *url = [NSURL URLWithString:@"http://init.icloud-analysis.com"];
The code does read device and user values that are available to every developer. A reason to delete the app because it hurts privacy rules.
I wonder who found evidence that iCloud account data was breached here. I don’t say it’s impossible, but I would rule it out from what I saw until now.
2. That’s in fact the code you find when you decompile the app CamScanner
What I did after I got a total panic and found it on my phone.
If this is the whole code I don't see anything to be concerned about.
I will follow the news closely in order to find more if available.
3. Why I’m still a bit worried
First of all, apps that communicate with domains that have neither a valid SSL certificate nor proper information about the domain owner should not be allowed in the App Store. (I know that will cause a lot of headache for smaller developers. At least anonymous domains should be dropped.)
It’s at least a big privacy problem that should be addressed.
Second, I can imagine attack vectors through Xcode. And I'm sure secret services and criminal groups are working on it.
Developers use plugins, third party libraries etc.
It’s possible to breach devices this way. But the same is true for every IDE.
Otherwise there would be no malicious code at all.
At least Apple should think about ways to suppress modified copies of its developer tools in order to prevent spreading this kind of BS.
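An added example, not code from the thread or from the XcodeGhost repository linked above: a small `strings`-style scanner that walks an unpacked app (the Payload directory of an .ipa) and reports two things the post raises, the beacon hostname quoted from the decompiled app and any plaintext http:// URL embedded in a binary, since an app that talks to a domain without TLS is exactly the privacy concern in point 3. The sample bytes and the `.invalid` hostname are constructed for the demo; the only indicator in the list is the one quoted on this page.

```python
"""Scan an unpacked app for the quoted beacon domain and plaintext http:// URLs.

Added example. Works like `strings`: pulls printable ASCII runs out of each
file, matches them against a short indicator list, and separately reports
every http:// URL so non-TLS endpoints stand out during review.
"""
import os
import re
from typing import Dict, List

# Indicator taken from this thread (the NSURL string in the decompiled app).
INDICATOR_DOMAINS = ["init.icloud-analysis.com"]

# Runs of at least 8 printable ASCII bytes, the same heuristic `strings` uses.
STRING_RE = re.compile(rb"[\x20-\x7e]{8,}")
# Plaintext URLs only; "https://" does not contain "http://" and is not matched.
HTTP_URL_RE = re.compile(r"http://[^\s\"'<>]+")


def extract_strings(data: bytes) -> List[str]:
    """Return the printable ASCII strings embedded in a binary blob."""
    return [m.decode("ascii") for m in STRING_RE.findall(data)]


def scan_bytes(data: bytes) -> Dict[str, List[str]]:
    """Findings for one file's contents.

    'indicators'     : beacon domains from INDICATOR_DOMAINS found in the file
    'plaintext_urls' : every distinct http:// URL found in the file
    """
    findings: Dict[str, List[str]] = {"indicators": [], "plaintext_urls": []}
    for s in extract_strings(data):
        for dom in INDICATOR_DOMAINS:
            if dom in s and dom not in findings["indicators"]:
                findings["indicators"].append(dom)
        for url in HTTP_URL_RE.findall(s):
            if url not in findings["plaintext_urls"]:
                findings["plaintext_urls"].append(url)
    return findings


def scan_directory(root: str) -> Dict[str, Dict[str, List[str]]]:
    """Walk an unpacked Payload directory; return only files with findings."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable entry (permissions, special file); skip
            found = scan_bytes(data)
            if found["indicators"] or found["plaintext_urls"]:
                report[path] = found
    return report


def build_sample() -> bytes:
    """Constructed stand-in for an app binary: a magic number, padding, and a
    few embedded strings, one of them the beacon URL quoted in the thread."""
    return (
        b"\xcf\xfa\xed\xfe" + b"\x00" * 16
        + b"http://init.icloud-analysis.com\x00"
        + b"\x01\x02" * 8
        + b"https://api.example.invalid/v1\x00"
        + b"short\x00"
    )


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path, found in scan_directory(sys.argv[1]).items():
            print(path, found)
    else:
        print(scan_bytes(build_sample()))
```

Run it with the path of an unzipped .ipa to review every Mach-O and resource file at once; with no argument it scans the constructed sample, which reports the beacon domain and one plaintext URL while the https:// string is left alone.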
Infected iOS apps
????? 2.8.3
?? 6.2.5
????? 5.1.1463
???? 4.0.0.6-4.0.0.0
???? 3.9.7.1 – 3.9.7
??12306 4.5
??? 4.3.2
51???? 5.0.1
???????? 3.3.12
????????? 3.2
???? 7.3.8
?? 2.9.1
?? 1.8.0
Lifesmart 1.0.44
????? 4.2.8
???? 1.1.0
??? 1.12.1
???? 4.3.8
???? 1.6.0
??? 9.60.01
????? 7.73
????
????
????
CamScanner
CamCard
SegmentFault 2.8
?????
????
???
????
OPlayer 2.1.05
??????? 3.6.5
?????2 2.1.1
????? 1.2
?? 6.6.6
??MT 5.0.1
??MT 2 1.10.5
???? 1.1.0
Damn! What's the chances, I just downloaded every single one of those. I have a penchant for apps with squiggly names.
About 40 infected apps made it onto the App Store, according to security researchers with Palo Alto Networks. Some of the apps were extremely high-profile, including WeChat and a popular ridesharing service, Didi Kuaidi. Palo Alto said that it was working with Apple and developers to assess the impact of the security breach. Chinese security firm Qihoo claimed that over 300 apps were infected.
...
I assume they will just wipe it clean...
The second part of the list, which you missed, has many more common and English-titled apps.
Mercury
WinZip
Musical.ly
PDFReader
guaji_gangtai en
Perfect365
?????
PDFReader Free
WhiteTile
IHexin
WinZip Standard
MoreLikers2
CamScanner Lite
MobileTicket
iVMS-4500
OPlayer Lite
QYER
golfsense
???
ting
installer
???
golfsensehd
Wallpapers10000
CSMBP-AppStore
????
MSL108
ChinaUnicom3.x
TinyDeal.com
snapgrab copy
iOBD2
PocketScanner
CuteCUT
AmHexinForPad
SuperJewelsQuest2
air2
InstaFollower
CamScanner Pro
baba
WeLoop
DataMonitor
??
MSL070
nice dev
immtdchs
OPlayer
FlappyCircle
????
BiaoQingBao
SaveSnap
WeChat
Guitar Master
jin
WinZip Sector
Quick Save
CamCard
[looks at Clinton]