Apple was cleaning up its iOS App Store on Sunday to remove malicious iPhone and iPad programs identified in the first large-scale attack on the mobile software outlet. Apparently the source of the problem was a bogus Xcode development kit that developers downloaded from a Chinese site. Many app and Mac developers use the Apple Xcode tools to develop iOS and OSX applications.
The hackers convinced developers to use its version of the Xcode tools rather than Apple’s official software. One theory is that Apple’s servers are slow to download from inside China, so developers used this alternative mirror download for convenience and speed. This is fairly common for downloading software, but the developers were unaware that the tools were not real.
Cyber-attacks typically target network weaknesses causing organizations to protect themselves with firewalls, DLP, intrusion prevention systems and similar tools, but more recent attacks target weaknesses in the software organizations develop and use. It is difficult to stop malware related attacks after software has been developed. Hackers are realizing that if they can get a developer to embed malicious code into an application, it is easier to carry out an attack. This is very simple if the malicious code is in an app that might be downloaded by millions of users.
The attack on Apple’s iOS App Store by rogue code embedded in apps could have been prevented by using a semantic-based static analysis tool. These cyber-attacks target weaknesses in software and these tools let you virtually eliminate them by detecting all security vulnerabilities in the source code. This would have detected the XcodeGhost malicious program and could have eliminated the vulnerabilities before the developers submitted their apps to the App Store.
Software vulnerabilities in apps are the next frontier of attacks for hackers and anyone intent on stealing information. Stopping the malware and other bugs before the apps are compiled and distributed is the best way to stop these attacks.
Photo credit K?rlis Dambr?ns
