Modified versions of Xcode used to sneak malware into App Store, Apple confirms

Comments

  • Reply 41 of 72
    Quote:

    Originally Posted by mstone View Post

    Perhaps Apple should do the compiling with an online version of Xcode. Developers upload their raw source code so Apple can review it. With compiled executables it is not so easy to catch hidden functionality. I know developers don't want to release their source code, but it is only with Apple, which I think can be trusted.

    The devs got a Gatekeeper warning that Xcode.app is damaged and can't be opened, followed by "You should move it to the trash." and the information on when and from where the app was downloaded.

    Perhaps Apple should first check the Xcode integrity through the Gatekeeper safeguards before allowing the submission of any app.

  • Reply 42 of 72
    tzeshan Posts: 2,351 member

    Is Xcode open source? This is a big question. If so, this is an Apple failure. If not, this is a criminal case.

  • Reply 43 of 72
    Quote:

    Originally Posted by frantisek View Post

    All hackers are dangerous for society and every person.

    Did STUXNET save lives or endanger them?

  • Reply 44 of 72
    Quote:

    Originally Posted by macaholic_1948 View Post

    None? The Chinese and North Koreans both run well-known hacking organizations as a part of their military. The Russians may as well. And, if they don't, they are widely suspected of contracting with the same. In case you are not aware of it, hacking is a part of the asymmetrical war being waged by governments every day.

    Yes. This is an important part of the picture around the world right now. There is no question that this is going on, in an intentional and offensive manner.

    The scary bit here is that this is just one hole that's been plugged up. Apple, Google, and Microsoft have all cleaned up messes recently, but what of the undetected threats that remain in place? "Millions of apps" in an online store have never looked attractive to me. I prefer to stick to a handful of (hopefully) well-vetted apps.

  • Reply 45 of 72
    mstone Posts: 11,510 member
    Quote:

    Originally Posted by tzeshan View Post

    Is Xcode open source? This is a big question. If so, this is an Apple failure. If not, this is a criminal case.

    I know. How did they reverse engineer it or decompile it?

  • Reply 46 of 72
    tzeshan Posts: 2,351 member
    Quote:

    Originally Posted by mstone View Post

    I know. How did they reverse engineer it or decompile it?

    Maybe someone hacked into an Apple database? Maybe an insider stole the source code?

  • Reply 47 of 72
    mstone Posts: 11,510 member
    Quote:

    Originally Posted by DominoXML View Post

    The devs got a Gatekeeper warning that Xcode.app is damaged and can't be opened, followed by "You should move it to the trash." and the information on when and from where the app was downloaded.

    Perhaps Apple should first check the Xcode integrity through the Gatekeeper safeguards before allowing the submission of any app.

    In order to download an app from someplace other than Apple you need to turn off Gatekeeper. I'm surprised they got a Gatekeeper warning at all. It was my understanding that once an unsigned third-party app has been launched for the first time, it is no longer subject to security screening.

  • Reply 48 of 72
    lkrupp Posts: 10,557 member
    Quote:

    Originally Posted by AppleInsider View Post

    Palo Alto noted that to get a modified version of Xcode, affected developers would've had to disable Apple security features. The hackers also appear to have exploited the tendency for Chinese developers to download Xcode from local servers, since connections to Apple servers can be much slower.

    This says it all. These developers need to be banned for life from submitting any iOS apps. I think just about every report of OS X or iOS malware involves bypassing Apple’s security features (i.e. jailbroken iOS devices and OS X Gatekeeper being turned off). There’s only so much any company can do about security if your users are stupid enough to turn off the security protections.

    Somebody want to explain to me logically why this is totally Apple’s fault and not the dumb-assed developers who downloaded a compromised Xcode installer from a pirate site. Oh, and 95% of this is happening in China also.

  • Reply 49 of 72
    lkrupp Posts: 10,557 member
    Quote:

    Originally Posted by tzeshan View Post

    Maybe someone hacked into an Apple database? Maybe an insider stole the source code?

    Quote:

    Originally Posted by mstone View Post

    I know. How did they reverse engineer it or decompile it?

    No.

    Quote:

    Originally Posted by waterrockets View Post

    Yes. This is an important part of the picture around the world right now. There is no question that this is going on, in an intentional and offensive manner.

    The scary bit here is that this is just one hole that's been plugged up. Apple, Google, and Microsoft have all cleaned up messes recently, but what of the undetected threats that remain in place? "Millions of apps" in an online store have never looked attractive to me. I prefer to stick to a handful of (hopefully) well-vetted apps.

    It’s called irrational paranoia, the idea that there’s a hacker hiding behind every bush waiting to jump out at you. This myth is usually propagated by neckbeard techie wannabes (and security researchers) who like scaring people. Common sense is really all you need to protect yourself, but many users don’t even have the slightest scintilla of that either.

  • Reply 50 of 72
    Quote:

    Originally Posted by DocNo42 View Post

    Conspiracies are always more interesting than reality.

    People always want to believe. Heck, it was the tag line for the X-Files...

    Except when you look at the Chinese, you don't need conspiracies; they've been caught actually doing large-scale redirects and hacks before. Funny how the same people who believe that the NSA is doing all sorts of crap can't believe the Chinese or Russians are doing something when they have fewer restrictions.

  • Reply 51 of 72
    Quote:

    Originally Posted by lkrupp View Post

    Common sense is really all you need to protect yourself, but many users don’t even have the slightest scintilla of that either.

    Well, that's the problem, though. It's not directly my problem, but we're all affected daily by those possessing less common sense.

    That said, the fear is legit at some level. I've had code stolen by a nation state from a "secure" corporate network. I think it's more likely that a modern American professional has had his/her data compromised than not.

  • Reply 52 of 72
    Quote:

    Originally Posted by mstone View Post

    In order to download an app from someplace other than Apple you need to turn off Gatekeeper. I'm surprised they got a Gatekeeper warning at all. It was my understanding that once an unsigned third-party app has been launched for the first time, it is no longer subject to security screening.

    What you wrote is right. They either got a warning they dismissed or are running dev systems with Gatekeeper (and firewalls?) turned off.

    Neither should be done on a system that deploys code for thousands of users.

    My point is that Apple should think about making an exception for dev and deployment apps like Xcode.

    Regardless of whether Gatekeeper is turned off, the execution should be blocked for the build and submission process.
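The integrity check DominoXML asks for in Replies 41 and 52 is essentially what `codesign --verify --deep --strict /Applications/Xcode.app` and `spctl --assess --type execute /Applications/Xcode.app` do on macOS: they compare every file in the bundle against the sealed resource hashes in the code signature, and the second one applies Gatekeeper policy without depending on the quarantine flag that mstone notes is only consulted on first launch. The following is an added example, not code from AppleInsider, Apple or any poster in this thread, that models the same idea in plain Python as a pre-build gate: a manifest of SHA-256 digests is recorded from a copy of the toolchain obtained directly from the vendor, and before each build the installed copy is re-hashed, with any modified, added or removed file blocking the build. The directory layout, file names and contents are constructed placeholders for an Xcode.app bundle, not real Xcode paths or bytes.

```python
"""Manifest-based integrity check for an installed developer toolchain.

Added example, not code from AppleInsider, Apple or the thread's posters. It
models what Gatekeeper/codesign do with a sealed resource list: record digests
from a vendor-obtained copy, then refuse to build with an installed copy whose
files differ. Paths and contents below are constructed stand-ins for Xcode.app.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_tree(root: Path, trusted: dict) -> dict:
    """Diff the installed tree against the trusted manifest.

    An added file matters as much as a modified one: a trojaned redistribution
    can drop an extra object beside the SDK that every build then links in.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in trusted if k in current and current[k] != trusted[k]),
        "added": sorted(k for k in current if k not in trusted),
        "removed": sorted(k for k in trusted if k not in current),
    }


def toolchain_is_clean(report: dict) -> bool:
    return not any(report.values())


def gate_build(root: Path, trusted: dict) -> dict:
    """Pre-build gate: refuse to compile with a toolchain that fails the check."""
    report = verify_tree(root, trusted)
    if not toolchain_is_clean(report):
        raise RuntimeError(f"toolchain integrity check failed: {report}")
    return report


# Constructed sample tree: placeholder paths and bytes, not real Xcode files.
SAMPLE_FILES = {
    "Contents/MacOS/Xcode": b"launcher-placeholder",
    "Contents/Developer/usr/bin/clang": b"compiler-driver-placeholder",
    "Contents/Developer/SDKs/Example.sdk/Frameworks/Example.framework/Example": b"sdk-object-placeholder",
}
TAMPERED_PATH = "Contents/Developer/SDKs/Example.sdk/Frameworks/Example.framework/Example"
DROPPED_PATH = "Contents/Developer/SDKs/Example.sdk/Frameworks/Example.framework/Injected.o"


def make_sample_toolchain(root: Path) -> None:
    for rel, data in SAMPLE_FILES.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo() -> dict:
    """Record a manifest from the vendor copy, then check a tampered mirror copy."""
    with tempfile.TemporaryDirectory() as tmp:
        vendor = Path(tmp) / "Xcode-from-vendor.app"
        make_sample_toolchain(vendor)
        trusted = build_manifest(vendor)
        assert toolchain_is_clean(gate_build(vendor, trusted))  # pristine copy passes

        mirror = Path(tmp) / "Xcode-from-mirror.app"
        make_sample_toolchain(mirror)
        # Tamper the way a trojaned redistribution would: replace one SDK object
        # and drop an extra one beside it.
        (mirror / TAMPERED_PATH).write_bytes(SAMPLE_FILES[TAMPERED_PATH] + b"+injected")
        (mirror / DROPPED_PATH).write_bytes(b"injected-object-placeholder")

        report = verify_tree(mirror, trusted)
        try:
            gate_build(mirror, trusted)
        except RuntimeError:
            pass  # expected: the build must not proceed
        else:
            raise AssertionError("tampered toolchain was not blocked")
        return report


if __name__ == "__main__":
    print(demo())
```

The manifest has to come from somewhere the attacker cannot reach, which is the real point of Reply 54: a digest list recorded from a copy downloaded from the same mirror proves nothing. On macOS the signed bundle carries its own sealed manifest, so the two `codesign`/`spctl` commands above give the same answer without maintaining one by hand; the script is for toolchains and build images that ship without a vendor signature.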

  • Reply 53 of 72
    Quote:

    Originally Posted by NasserAE View Post

    China's government fingerprints are all over this.

    I agree but am afraid the genie is out of the bottle.

  • Reply 54 of 72

    Like any other software, you should be downloading it directly from the SOURCE!!! In this case APPLE!!! Not some 3rd-party source where they can do crap like this, or in the case of someplace like download.com where spyware and other crap gets placed in the installer. Xcode should always be downloaded from APPLE, and Apple ONLY!!!!

  • Reply 55 of 72
    tzeshan Posts: 2,351 member
    Quote:

    Originally Posted by JBDragon View Post

    Like any other software, you should be downloading it directly from the SOURCE!!! In this case APPLE!!! Not some 3rd-party source where they can do crap like this, or in the case of someplace like download.com where spyware and other crap gets placed in the installer. Xcode should always be downloaded from APPLE, and Apple ONLY!!!!

    Who are you talking to? Over 80% of smartphone users use Android phones. They don't care where they download from.

  • Reply 56 of 72
    Of course it was China.
  • Reply 57 of 72
    haggar Posts: 1,568 member
    Quote:

    Originally Posted by JBDragon View Post

    Like any other software, you should be downloading it directly from the SOURCE!!! In this case APPLE!!! Not some 3rd-party source where they can do crap like this, or in the case of someplace like download.com where spyware and other crap gets placed in the installer. Xcode should always be downloaded from APPLE, and Apple ONLY!!!!

    Quote:

    Originally Posted by AppleInsider View Post

    The hackers also appear to have exploited the tendency for Chinese developers to download Xcode from local servers, since connections to Apple servers can be much slower.

    Are the servers for the App Store in China not located in China?


  • Reply 58 of 72
    Quote:

    Originally Posted by lkrupp View Post

    This says it all. These developers need to be banned for life from submitting any iOS apps. I think just about every report of OS X or iOS malware involves bypassing Apple’s security features (i.e. jailbroken iOS devices and OS X Gatekeeper being turned off). There’s only so much any company can do about security if your users are stupid enough to turn off the security protections.

    Somebody want to explain to me logically why this is totally Apple’s fault and not the dumb-assed developers who downloaded a compromised Xcode installer from a pirate site. Oh, and 95% of this is happening in China also.

    1. Does the bad Xcode always generate the malware regardless of the app produced? Or does a dev have to have knowledge of the Xcode compromise to develop the malware?

    2. Is Apple's app vetting using security through obscurity, by making the assumption that the underlying source is legitimate, and thus not verifying the integrity of the base code? This to me would explain how it got onto the Apple App Store. (We are not talking about a third-party app store here, where there is a high probability of this happening.)

    3. Had Apple been checking all base code, these apps would not have made it through. Apple would have then detected an attempted hack and been able to reject the apps and ask the dev to please download Xcode from the Apple App Store and recompile and resubmit. They would have also been able to further vet the devs. They would also know that Xcode was compromised in some way.

    4. It's possible that Apple knew about this and let it continue, so that they can track down the source of the exploit.

  • Reply 59 of 72
    lkrupp wrote: »

    No.

    It’s called irrational paranoia, the idea that there’s a hacker hiding behind every bush waiting to jump out at you. This myth is usually propagated by neckbeard techie wannabes (and security researchers) who like scaring people. Common sense is really all you need to protect yourself, but many users don’t even have the slightest scintilla of that either.

    While in most cases I'd agree, in this specific case I don't. Common sense does not protect you from getting compromised through downloading an app through the App Store. From my understanding we are just lucky that the malicious code does not appear to be very harmful.
  • Reply 60 of 72
    lkrupp Posts: 10,557 member
    Quote:

    Originally Posted by Haggar View Post

    Are the servers for the App Store in China not located in China?

    Yes, but the Apple server for downloading Xcode is NOT. That’s why the Chinese developers were bypassing Apple directly and using the file sharing site instead of going to Apple to get Xcode. Chinese Internet filters and censorship made it very time consuming to get Xcode from Apple, so they went instead to the file sharing site and got the modified version containing the malware, which in turn automagically inserted the malware into the developer’s app. Then the developer unknowingly submitted the infected app to the App Store. I guess the argument is whether the App Store should have detected the malware before making it available for download. Some say yes, some say no. The usual suspects are always eager to lay it all at Apple’s feet.

    The big question no one is concentrating on is how many apps made it to the U.S. and European App Stores? Not very many, it would appear. This whole thing is mostly happening in China.
