Fake Xcode Download Opens Door To iOS Malware

 
Its all too easy to get blasé about security when you have both obscurity and popular opinion on your side. I've said time and time again that Apple's positioning of its products as being havens of computer security is both disingenuous and dangerous.
 
Today's news that over three hundred apps in the App Store are compromised thanks to a vulnerability far outside of Apple's control shows why.
 
Thanks to slow international internet links in China, developers download the Xcode package which is used to create iOS and OS X apps from unofficial local mirrors. Several of those mirrors have been hosting hacked versions of Xcode, which allow a hacker to extract information from your device when you install an app coded with one.
 
The issue appears to be contained within China (although the 600m users of one of the compromised apps, WeChat might disagree with the use of 'contained') and Apple is busily removing vulnerable apps from the Chinese app store.
 
Of course if Apple wasn't busy telling everybody who will listen that it is invulnerable to attacks perhaps those developers would have been a bit more wary of the provenance of their programming tools.
 
And of course there's a question of why Apple's famously robust approvals process didn't pick the hack up earlier.
 
Most importantly though it's time to accept that no computer system is safe from the efforts of the hacking community and that iOS, by virtue of its affluent but less technically savvy demographic, represents very rich pickings for those who can work their way past Apple's approvals process.

0 comments: