Malicious Apps Compromise Apple’s App Store

Last week, Apple's seldom-disrupted App Store was compromised as malicious applications (apps) were discovered in its Chinese App Store, an extremely rare occurrence. Included in the list of apps infected with malware was China's very own messaging giant, WeChat.

As TechCrunch mentioned last week, app developers were tricked into downloading a compromised version of Apple's Xcode developer toolkit. Xcode is the software provided to app developers by Apple in order to build products for Apple's App Store. The malware-infected software, later named XcodeGhost, would allow the unknown attackers to gain access to users' private information and login credentials. The video below by CNN Money delves deeper into this story. We should note that while the video brings up the Chinese Government as the possible mastermind of the attack, there is not yet enough information to make the claim. If you would like to learn more about the Chinese Government and their relation to mobile apps, check out our article Protecting Freedom of Speech with Encrypted Messengers.

Affected Apps

In addition to the previously mentioned app giant, WeChat, about 40 applications were said to be affected; however, other outlets have reported more infections, with some counts eclipsing 4000 apps. AppleInsider lists 25 of the most popular apps affected by the counterfeit software XcodeGhost.

 


A Negligent Apple?

The obvious question that stems from this incident, which was well covered by ComputerWorld, is whether or not it was negligence on the part of Apple that led to this compromise of the App Store. According to ComputerWorld's article, Apple's mistake is far less important than their response to the flaws that enabled the hack. No company is perfect, and just the fact that this attack has shocked so many speaks to the stellar record Apple has cultivated.

Tentatively shifting some of the responsibility from Apple, ComputerWorld expressed that developers also hold a sizeable portion of the blame. Apple will ensure that you're using a published API to [open and write to a file]. It will make sure that your app behaves as expected with regards to that file. But if you choose to put client information into that file without encrypting it, that's really not Apple's concern nor should it be, if you ask me. That is business-level security and must be applied by the developer. As of now, we're anxiously anticipating Apple's response, and their plan to prevent future attacks in the wake of them pulling the infected apps.

About Ryan Jeethan


Ryan is a recent graduate of the University of Waterloo’s Arts & Business program focusing on UW’s unique Speech Communication program.
