[HN Gopher] Apple brass discussed disclosing 128M iPhone hack, t...
___________________________________________________________________
Apple brass discussed disclosing 128M iPhone hack, then decided not
to
Author : throwawaysea
Score : 273 points
Date : 2021-05-08 17:03 UTC (5 hours ago)
(HTM) web link (arstechnica.com)
(TXT) w3m dump (arstechnica.com)
| iJohnDoe wrote:
| Anyone that has been in the industry long enough and has worked
| with Apple in any capacity knows that Apple is hostile to their
| users and their partners. Apple always does what is in the best
| interest of Apple. Everything else is just marketing.
| elcomet wrote:
| Isn't that the case for every company ? Why would a company do
| something in the interest of the consumer if it was not in
| their interest ? Competition is what's supposed to take care of
| this
| osrec wrote:
| Well exactly, but they have convinced (brainwashed?) a bunch
| of their users that they're really on their side.
|
| In my experience, Android users are generally not plagued by
| this misconception to as great an extent.
| adav wrote:
| There are a whole lot more Android users.
| osrec wrote:
| But what's your point?
| dpatterbee wrote:
| Unfortunately it's possible for competition to not resolve
| things to the benefit of the consumer, that's where
| regulation typically steps in. I'm not necessarily implying
| that that's required in this case, just that things aren't as
| simple as competition == consumer wins.
| goalieca wrote:
| > Apple always does what is in the best interest of Apple.
| Everything else is just marketing.
|
| I don't truly believe Apple is interested in user privacy as a
| core value but it is a hell of a differentiator compared to
| Google. On this topic, my interests and theirs happen to align
| for the time being.
| Siira wrote:
| You can't win in a duopoly.
| kwere wrote:
| yeah but with buzz marketing you can catch the fat customer
| and avoid antitrust oversight
| tmashb wrote:
| Approach and hypocrisy matters. Apple did boast about privacy
| and security many times before...
| [deleted]
| temp667 wrote:
| Huh? This wasn't an apple hack. This was developers using
| counterfeit xcode I believe, and those developers apps were
| then hacked using non-genuine development tools.
|
| The lesson here is that it's probably important to do things
| like the non-apple battery warnings etc because the scammers
| and hackers will not stop attacking the platform.
| Godel_unicode wrote:
| Apple knew about a huge compromise of their users devices.
| Despite all of their marketing material talking about how
| much they value customer security and privacy, they made a
| business decision to not notify the affected users.
|
| The lesson here is that you cannot rely on Apple to act in
| your interest if they think doing so will hurt them. Note
| that they aren't special here, any other company will
| probably act similarly, the difference is that Apple
| apologists would have you believe they, ahem, think
| differently.
| lscotte wrote:
| There's a point where the reality distortion field fails.
| Jyaif wrote:
| > Schiller and the other people receiving the email wanted to
| figure out how to shore up its protections in light of their
| discovery that the static analyzer Apple used wasn't effective
| against the newly discovered method.
|
| Yes, I totally believe that Apple did not know about NSInvocation
| and the half a dozen other ways to dynamically call methods.
| kevinh wrote:
| The email is linked there and you can read it. Just because one
| team at Apple is aware of potential vulnerabilities doesn't
| mean that everyone at the company is equally aware.
| stephc_int13 wrote:
| Top management is responsible, lack of technical competence
| or knowledge is not valid defense.
|
| This is their job to know.
| [deleted]
| [deleted]
| RcouF1uZ4gsC wrote:
| > The infections were the result of legitimate developers writing
| apps using a counterfeit copy of Xcode, Apple's iOS and OS X app
| development tool. The repackaged tool dubbed XcodeGhost
| surreptitiously inserted malicious code alongside normal app
| functions.
|
| > XcodeGhost billed itself as faster to download in China,
| compared with Xcode available from Apple. For developers to have
| run the counterfeit version, they would have had to click through
| a warning delivered by Gatekeeper, the macOS security feature
| that requires apps to be digitally signed by a known developer.
|
| Seems like a real world version of the Trusting Trust attack
| where the compiler is inserting malicious code.
| smbv wrote:
| Maybe it's time to reread Reflections on Trusting Trust[0]
|
| [0]
| https://users.ece.cmu.edu/~ganger/712.fall02/papers/p761-tho...
| medstrom wrote:
| The full Trusting Trust attack would be if you'd use XcodeGhost
| to compile Xcode and it actually makes another XcodeGhost that
| just looks like Xcode, right? Preferably you do this to the
| developer responsible for uploading the compiled Xcode to
| central download servers. After a while no one has the real
| Xcode anymore, it's been lost to time, but no one knows this.
| spitfire wrote:
| So a few weeks ago I started an overnight copy of some files to
| my APFS encrypted backup disk. I came down in the morning to find
| the filesystem corrupted.
|
| iBooks won't sync ePub files I add manually.
|
| <A bunch of other niggles, too many to list>
|
| Now we find out Apple cares more about its image, than quality.
|
| I've been wanting to move away from Apple for a while, but this
| finalises it. I'll be doing one final upgrade to the ARM chips,
| then putting effort into moving away. Including funding projects
| if needed.
|
| This is a _really_ bad look for Apple. It's clear they're not
| worthy of my trust.
| stephc_int13 wrote:
| Software has never been their forte, unfortunately.
| spitfire wrote:
| Funny thing it _was_. I consider the current apple to have
| started with Jobs at NeXT. From Nextstep through to snow
| leopard they were _fantastic_ and getting better every
| release.
|
| Not so much now, they've found a cash cow and seem to be
| entranced by it.
| robertoandred wrote:
| Those are some serious rose-tinted glasses you've got on
| there.
| uniqueid wrote:
| Apple was the gold standard for software for most of the
| first 35 years (excepting a few years after 1995) of its
| existence. Apple used to hold a reputation for building the
| best software in the industry.
|
| On a side note, sometimes getting older feels like being in a
| Twilight Zone episode. Like I woke up and, for some reason
| everyone is calling records and 45s 'vinyls'.
|
| Or I mention 'Cary Grant' and people just stare at me blankly
| because his memory has been erased from existence.
|
| This Apple comment is one of those moments: it feels like
| yesterday Apple's talent for software was common knowledge,
| and suddenly today I'm in a parallel universe where Apple has
| _always_ created buggy garbage.
| stephc_int13 wrote:
| I am not saying that Apple has always built bad software.
|
| I am saying that _design_ is their forte and that their
| engineering culture is mostly focused around it, software
| is built to impress.
|
| Their products are meant to be the final form, not a tool
| to build something else.
|
| And this has implications for the quality of the code,
| fortunately they also inherited a lot from the Unix
| culture, but overall I've rarely been impressed by the
| quality of their software, and I've sometimes been appalled
| by it.
|
| iTunes, QuickTime or the first iterations of OS X...
| uniqueid wrote:
| If we're talking about reliability post-2010 I fully
| agree with you. Let's just leave it there. I'm pretty
| sure I have two threads in my HN comment history
| (probably several years old) in which I argued against
| the view that iTunes and QTP started out bad. It's just
| not a topic I have energy to drone on about more than
| once a decade.
|
| Edit: fwiw https://news.ycombinator.com/item?id=13426813
| jader201 wrote:
| What is "Apple brass"?
|
| I see only one other mention of it in the article (aside from the
| title) with zero additional context, and surprised to see zero
| occurrences of it here.
|
| A Google search of "Apple brass" turns up nothing, as well,
| besides other references to this article.
|
| Am I the only one that has never heard this term, and also
| curious by its reference in the article's headline?
| pygatea wrote:
| "Brass" in this context means "leadership." See:
| https://idioms.thefreedictionary.com/top+brass
| FridayoLeary wrote:
| Not a new product. I was inclined for a moment to think it
| was ("We will now introduce the all-new Apple Brass!")
| dwighttk wrote:
| unspecified people in charge at Apple
| gpm wrote:
| "Brass" is synonymous with "leadership" in this context, it has
| a bit of a military connotation, but can be used elsewhere as
| well.
| jader201 wrote:
| TIL. Have never heard of this before.
| [deleted]
| mdoms wrote:
| It's an Americanism referring to their "top brass" which for
| whatever reason means their military leadership. Read as "Apple
| leadership".
| superjan wrote:
| The article is about apple failing to detect a huge number of
| apps that accidentally contained malware. I would not call this
| an iPhone hack though.
| pmontra wrote:
| Not accidentally. A malicious third party version of Xcode
| injected the malware into the apps and Apple's vetting system
| failed to detect it. Apple eventually discovered it and decided
| not to warn its customers.
| superjan wrote:
| I mean accidental in the sense that the developer was not
| acting in bad faith. I don't mean to defend Apple, it just
| annoys me that this is advertised as an iPhone hack.
| xmprt wrote:
| Apple is claiming that their App Store is secure and
| rigorous. If developers (maliciously or not) were able to
| add code like this to their apps then doesn't that mean
| someone was able to hack the App Store verification
| process? And if they were, is it not Apple's responsibility
| to inform their users that their devices might have
| malicious apps?
| katbyte wrote:
| That it happened is not a valid data point, it should be
| compared to other stores and what % are malicious apps.
|
| Now not disclosing it is on them but at the same time, it
| was the apps who were hacked and I can see it falling to
| them to disclose?
| cj wrote:
| Does Apple give app developers an avenue to communicate
| security incidents to people downloading free apps if the
| app doesn't require signing up with an email address?
|
| Does that line of communication remain open after the app
| is deleted on the device?
| gruez wrote:
| If this was swapped out for microsoft or google, would it be
| fair to call it the windows/android hack?
| Dah00n wrote:
| If Microsoft in numerous court cases had said the reason
| for the walled garden is because it is safe, then yes. But
| only Apple says that. This is not comparable to downloading
| for Windows but more like downloading malware from the Xbox
| or PlayStation store. Apple approved those apps.
| treesprite82 wrote:
| If a comparable number of Xboxes were compromised through a
| game on Microsoft's own Xbox store then I would say that's
| an Xbox hack. It'd mean that the malware evaded the Xbox's
| security mechanisms (which are implemented at Microsoft's
| end when publishing onto the store).
|
| For non-walled-garden platforms, like most desktop
| operating systems, a program being available for download
| isn't yet a bypass of any security feature. It'd have to do
| something forbidden like privilege escalation for me to
| count it as a OSX/Windows/Linux hack.
| vbezhenar wrote:
| Did they at least disable those apps on affected phones until
| upgraded? Or this hack was not dangerous?
| djmips wrote:
| Probably it's this kind of thinking that allowed for such a
| thing to occur. Not all gates were equally secure.
| stephc_int13 wrote:
| Well, this Epic lawsuit seems to turn into a nightmare on
| multiple fronts for the PR guys at Apple...
| ksec wrote:
| Speaking of PR guys at Apple, I really miss the day when Apple
| PR were run by Katie Cotton. The genius in PR and marketing.
|
| >Well, this Epic lawsuit...
|
| And this is the issue that no one seems to be getting. Epic
| will lose. As a gaming company they never really had a case; I
| do admire them for having the courage to go against the largest
| corporation in modern history. But it provides enough material
| for their end goal for other parties, whether that is EU or US
| regulators.
| wallwarp wrote:
| The Dutch East India Trading Company wants to know your
| location. ;)
| dylan604 wrote:
| I guess that depends on your definition of "modern
| history". Yes, Apple has a lot of cash, but is their
| current top corp based on value mean they are bigger in
| influence/effect on people's lives than others in history.
| I'm thinking AT&T pre-breakup, Standard Oil, rail roads,
| etc. I understand what the point the GP was making. It just
| sent me down a tangential bit of thinking. Ugh, and on a
| Saturday!
| matwood wrote:
| Interesting thoughts. I think a lot of this comparing
| Apple to the companies you listed is the wrong way to
| think about them.
|
| First, it's not just Apple. The App Store/ecosystem
| concept is a newish concept, and probably needs
| completely new types of regulation outside of anti-trust.
| Apple, Google, MS, Sony, Nintendo, etc... are for the
| most part monopolies in their respective worlds, but fail
| at the traditional monopoly definition. Waiting for a
| company to achieve an AT&T or Standard Oil level of
| power is an outdated way of thinking. Apple also doesn't
| have anywhere near that level of power.
| stephc_int13 wrote:
| Story is not written yet, and I don't trust armchair lawyers
| to predict the outcome of something that complex.
| scarface74 wrote:
| Their only end goal was to get a better outcome for
| themselves. It came out in the trial that if they had gotten
| the special deal they were seeking, you probably wouldn't
| have heard a peep from them.
| djmips wrote:
| Somehow that seemed obvious to me without the direct
| evidence. I have no doubt that if the shoe was on the other
| foot, Epic would be super happy to be the gatekeeper taking
| in 30%.
| MattRix wrote:
| No they wouldn't. They already run their own store where
| they take 12%. Tim Sweeney has been a vocal supporter of
| open platforms/markets for many years. This action is
| costing Epic TONS of money. In no way does it make
| financial sense whatsoever. If you read the internal Epic
| documents from this case, it becomes quite clear that
| this is Tim Sweeney's personal crusade against Apple.
| tpxl wrote:
| > Tim Sweeney has been a vocal supporter of open
| platforms/markets for many years.
|
| If he was, he would be against exclusives, but he pays
| handsomely for those.
| dtech wrote:
| The only reason they do that is because they are trying
| to break into Steam's near monopoly market position. They
| are not above anti-consumer practices like exclusives. I
| have no doubt that if they could, they would take that
| 30% cut.
| MattRix wrote:
| Why would they choose 12% and not 25% or 20% then? Either
| of those would be better than Steam.
|
| Calling exclusives "anti-consumer" is basically nonsense.
| Exclusives have been a mainstay of the gaming world for
| ages. The actual harm they cause to the consumer is
| minimal, no different than first party titles do (like
| Valve's own Half-Life, etc).
| scarface74 wrote:
| Then why did Epic ask for a special deal from Apple?
|
| Can I use in game currency bought from somewhere else in
| Fortnite?
| edoceo wrote:
| > read the internal Epic documents from this case
|
| how can we do that?
| MattRix wrote:
| It used to be in a public documents folder on Box. The
| link doesn't seem to be working anymore so maybe they
| took it down for the weekend (or permanently) https://app.box.com/s/6b9wmjvr582c95uzma1136exumk6p989/folde...
| stephc_int13 wrote:
| You are right about their end goal, and this is expected
| from a company with shareholders, I think this is part of
| the job of a CEO.
|
| But you don't know if this is their _only_ end goal.
| scarface74 wrote:
| If they could get a special deal, do you really think
| they would take the case to trial, spend the money _and_
| have as much of their dirty laundry become part of the
| record?
| stephc_int13 wrote:
| I don't read in tea leaves, we can only infer their goals
| from the PR and what seems to be their best self-
| interest.
|
| Internally this is probably a high-risk high-reward kind
| of plan, but this is a wild guess.
| scarface74 wrote:
| If they had gotten all of the concessions they wanted,
| there would have been no reward.
|
| If they could sell digital goods using their own payment
| system within the app like Amazon can with Amazon Video,
| what would they gain from this?
|
| The PR doesn't tell the story like what came out during
| court procedures.
| dylan604 wrote:
| I was actually surprised they went this alone instead of
| trying to get other devs involved to seek class action
| status.
| lupire wrote:
| They want a policy change, not a $40 coupon.
| gpm wrote:
| If they could get a special deal, they probably wouldn't
| have standing to take the case to trial, so they
| literally couldn't take it to trial.
|
| I suspect they would still want to. My personal suspicion
| about the motivation behind this case is that it's not
| really about Epic Game's profit, but Tencent's. Tencent
| owns 40% of Epic Games, and owns a lot of companies who
| stand to make a lot more money if Apple's forced to open
| up the app store.
| Dah00n wrote:
| Epic might not win against Apple directly but the end result
| will likely be exactly the same when the EU are done with
| Apple.
| Hamuko wrote:
| It feels like a PR disaster to everyone involved even if
| they're not part of the actual lawsuit. See also: Sony
| throwaway77388 wrote:
| Another one from 2021. The gist is that the Apple App Store is
| hosting multimillion dollar scams:
|
| https://www.theverge.com/2021/4/21/22385859/apple-app-store-...
|
| https://www.theverge.com/2021/2/8/22272849/apple-app-store-s...
| xmprt wrote:
| Especially when one of Apple's main points is that the app
| store ensures a secure environment for their users to download
| apps. If they ended up verifying this many unsecure apps, then
| what's the point?
| yepthatsreality wrote:
| The idea is to tear down the walls of the garden. In this case
| Apple advertises security and quality control as features of
| the fees for their required app store. If the garden is not
| actually more secure and the quality not actually controlled in
| reality than any other garden, then there will be an argument
| to allow anyone to start a garden on iOS.
| lupire wrote:
| Epic wants their own walled garden. They aren't anti-walled
| garden.
|
| Let's not pretend that one greedy billionaire is the good one
| here.
| temac wrote:
| Would an oligopoly (at worst) need to be strictly as bad as
| a monopoly though? I don't really care that the fight is
| mainly the one of greedy billionaires, as long as it
| reduces the prices for consumers.
|
| Plus Epic does not really propose the same kind of walls
| as Apple do. The worst they can do are exclusive titles on
| some typically somehow open platforms (and yep I guess they
| would take a deal to have an authorized store on a closed
| one, but for now I'm not sure such beasts exist anyway --
| and again, why would it be worse than a monopoly?), they
| don't even sell only that, and the people they get
| exclusivity from had the choice to do something else anyway
| (without renouncing whole platforms)
| Dah00n wrote:
| Just like many comments on HN keeps arguing that Apple is
| better than Google because of privacy then Epic is the good
| guy in this because more walled gardens are better than
| only one even if it is still not open.
| simion314 wrote:
| I remember there are some laws about disclosing breaches. Did
| this happen before those laws, or does the letter of the law not
| apply in this specific case?
|
| For the anti-regulation guys, please explain how the free market
| helps in this or similar cases and why a law to demand
| transparency for these cases is also evil. (I am still waiting, in
| other threads, for an explanation of why regulation that only
| forces transparency about what is tracked and shared is bad and
| the free market solves it better.)
| [deleted]
| nemothekid wrote:
| I'm not sure the law applies to Apple in this case. It wasn't
| Apple that was hacked. Another way of looking at it is if
| Facebook was hacked, and the hacker put malicious code into the
| Facebook iOS app and Apple notices, it's _Facebook_ that is the
| liable party; Apple just noticed.
| Dah00n wrote:
| Apple controls and approves App Store apps. If it were in the
| app, Apple is clearly also a party since they are paid to
| approve it. It's only a matter of time before the EU will
| smack Apple down.
| nemothekid wrote:
| I'm not sure how (1) follows (2). How is Apple "clearly"
| also a party when they aren't even given the source code to
| the app?
| pornel wrote:
| Apple insists on having editorial and technical control
| over apps, but also they take no responsibility for their
| decisions and their technology that allowed bad apps.
|
| It's their platform, their APIs, their sandbox, their
| store, their verification, their rules, but when
| something goes wrong, it's someone else's fault. That
| doesn't seem fair (even though it's legal currently).
| pornel wrote:
| Apple is in charge when it benefits them, and devs are in
| charge when there's a liability.
| [deleted]
| gpm wrote:
| I'm not sure any particular law like that applies to Apple,
| but I would actually be somewhat surprised if they didn't.
| You bought an Apple device, used it to access Apple's
| servers, which pointed you at software hosted on Apple's
| servers, which you proceeded to download from Apple's
| servers, if it was non-free software you paid Apple for it,
| and Apple has final approval over any software that is
| actually distributed to consumers.
|
| Edit: And if you were infected via way of an update, the
| update mechanism is Apple's software asked Apple's servers if
| there was any updates, and when Apple's servers said yes they
| downloaded software from Apple's servers and deployed it on
| your phone.
|
| To argue by analogy, Amazon is responsible for goods they
| sell on their store that they don't even distribute
| themselves...
| https://www.theverge.com/2021/5/1/22414185/california-
| appeal...
| lupire wrote:
| What company had full control over whether the Facebook
| software is installed on my phone?
| nemothekid wrote:
| You? I'm not sure what point you are making. Apple does not
| preload apps onto your phone.
| simion314 wrote:
| Apple/Google restrict what apps are in the Store , they
| and their fans will say that the locked store is for
| security.
|
| When Apple/Google review fails (it will never be a
| perfect review process), reasonable people would say that
| Apple/Google would not only remove the malware from the
| store but they would also at least notify the victims.
| doikor wrote:
| GDPR requires disclosing to the supervisory authority if user
| data was breached. Though this hack was before GDPR.
|
| https://gdpr-info.eu/art-33-gdpr/
|
| edit: Also California requires notifying the residents directly
| and if over 500 residents were affected also the attorney
| general
|
| https://oag.ca.gov/privacy/databreach/reporting
| nickff wrote:
| In a situation with less top-down regulation, security-focused
| users are more likely to rely on guarantees and audits, perhaps
| causing them to select different vendors.
| scarmig wrote:
| Is the population of security focused users enough to support
| an ecosystem of auditing firms?
|
| Is it enough to even support a neighborhood coffee shop?
| mojo982 wrote:
| If so few users care about security, why should the
| government regulate for that outcome?
|
| I think theoretically the argument above makes sense, but
| in reality it doesn't. The market that exists doesn't
| provide a solution because the barrier to entry is
| basically infinite. Even Microsoft couldn't offer an
| alternative to iOS and Android because Microsoft couldn't
| do it alone. It's a natural monopoly problem, which means
| normal market arguments don't work.
| kdmccormick wrote:
| Isn't this the case already (to the extent that each
| security-focused user finds it practical)? Would decreasing
| top-down regulation somehow make it _easier_ for those users
| to select vendors based on their security practices? Or
| perhaps, would it increase the number of security-focused
| users?
|
| Help me understand.
| nickff wrote:
| Top-down regulations often give people a false sense of
| security, so they don't bother doing their own research and
| 'watching their backs'. Regulations are also generally
| 'sticky', so many originators focus on bare minimum
| compliance, and there is a dearth of variety.
|
| Another related problem is that regulations often
| incentivize ignorance; the originator is usually better off
| not learning about breaches, so they are not as vigilant as
| many users think they _should_ be.
| lupire wrote:
| That means the punishments aren't heavy enough.
| simion314 wrote:
| If you don't have regulations then you can have a company
| putting false labels like "Approved by the National Agency
| for Food/Software/Equipment safety", then each user needs to
| individually try to research if this agency actual exists, if
| the label is correct etc.
|
| Remember the class action lawsuit that forced Apple and other
| companies to admit that the products have a defect and
| provide compensation. Without a law and regulation those
| people would not have got their fair justice.
|
| Also I do not see how free markets could prevent some company
| selling you bad products, and when the PR is bad enough just
| re-branding and start over. Or how free markets can help with
| imported products that could be unsafe, you need basic
| regulation that impose transparency (who made the product,
| what it contains and other related information).
| user-the-name wrote:
| There is already basically zero regulation in this area.
|
| Where are all these guarantees and audits and vendors?
| Nowhere. Absolutely nowhere.
|
| This is a completely nonsensical libertarian fantasy.
| lawnchair_larry wrote:
| The headline is pretty much a lie here.
| inetknght wrote:
| This only comes to light because of the discovery process during
| a lawsuit.
|
| Where's the regulations to protect consumers?
|
| Oh right, the US regulators _don't_ protect consumers. At all.
| Even though that's what they're _supposed_ to do.
| xucheng wrote:
| If I remembered correctly, this incident was actually widely
| reported in China when it broke out. It was caused by many iOS
| developers in China choosing to download a counterfeit version of
| Xcode because the network connection from China to any foreign
| server is so bad.
|
| Though, it is true that Apple never disclosed the full list of
| compromised Apps or how many users are affected. Also, I am not
| sure that sending Emails to affected users would be effective.
| Most of affected users come from China, and a significant portion
| of them use phone number instead of Email to register App Store
| account.
| moralestapia wrote:
| Oh, the stuff that's coming out of this lawsuit is gold.
| dylan604 wrote:
| Knowing that court cases are usually an airing of everyone's
| dirty laundry, I kind of wish the FBI did not drop their case
| against Apple.
| spaetzleesser wrote:
| It seems once you are sufficiently big and rich a lot things that
| are required for smaller players become optional.
| CyberRabbi wrote:
| When it comes to insecurity of your mobile device, this is just
| the tip of the iceberg.
| gruez wrote:
| >insecurity
|
| How? This is a simple case of "code execution results in code
| execution". iOS is already sandboxed, so the impact was
| limited. I'm not sure what you'd expect apple to do, other than
| have some sort of system that can detect arbitrary malicious
| code.
| CyberRabbi wrote:
| Check the liner notes of your monthly OS updates for sandbox
| escape and RCE fixes and you'll understand the prevalence of
| the problem I'm trying to describe. Couple that with the fact
| that mobile OS software configurations are relatively highly
| standardized and very sensitive and valuable personal
| information is usually stored on mobile devices.
| harikb wrote:
| Wait, why is this Apple's fault?
|
| > The infections were the result of legitimate developers writing
| apps using a counterfeit copy of Xcode, Apple's iOS and OS X app
| development tool. The repackaged tool dubbed XcodeGhost
| surreptitiously inserted malicious code alongside normal app
| functions.
|
| This was shown by Ken Thompson in 1984 I thought [1]
|
| 1. http://wiki.c2.com/?TheKenThompsonHack
| Siira wrote:
| Why was there a counterfeit Xcode in the first place? Reminds
| me of how hard it is to download Xcode with the crappy App
| Store when not having the connection Apple engineers enjoy ...
| katbyte wrote:
| Because "it downloaded faster in China" apparently?
| lazide wrote:
| Besides it maybe not being Apple's fault (except for not
| telling anyone) - it is maybe Apple's fault because they
| explicitly state they are reviewing apps, and did not catch
| this issue. So they obviously have a huge blind spot and their
| customers were impacted because of it. Considering the scope
| and scale of the App Store and the massive revenues from it, it
| is also pretty hard to believe some better scanning or analysis
| software wouldn't have caught this pre-emptively?
|
| Since I remember the 'Apple was not doing true binary level
| review' coming up when I talked to an iOS developer literally a
| decade ago about the App Store (back in Android 1.1 SDK days) -
| he even mentioned this type of attack as a possibility - and
| they obviously haven't changed that, there are probably a ton
| more like this out there that have slipped under the radar due
| to smaller scope, or less clear impact.
| harikb wrote:
| Short of Apple proxying and reviewing every byte sent out by
| an app, I just don't see how this level of review is
| possible. It is like detecting virus or malware. Whether
| apple should have boasted about their review process or not
| is another matter.
|
| There is no technology we have today, whether it is mobile,
| server side, Linux kernel or whatever that accepts random
| code from strangers (that is what you are doing with pirated s/w)
| and detects intentionally written malicious code.
| josephcsible wrote:
| The breach wasn't Apple's fault, but the cover-up is.
| [deleted]
| onedognight wrote:
| According to the article from Apple[0], WeChat 6.2.6 and DiDi
| Taxi 4.1.0, among many others, were affected.
|
| [0]
| https://web.archive.org/web/20151101142446/http://www.apple....
| IkmoIkmo wrote:
| The following was posted on Macrumors. Definitely not a perfect
| user-first response from Apple, but didn't seem terrible either.
| Particularly because Apple wasn't the source of the issue, the
| issue was people downloading an unofficial Xcode tool not made or
| hosted by Apple. Apple discovered it (just like many researchers
| did) and made various (non-perfect) efforts to mitigate it. And
| according to Macrumors, the attack did not really lead to any
| serious consequences. Not sure if that's true but I haven't seen
| any evidence to the contrary either.
|
| > Apple did ultimately inform users that downloaded XcodeGhost
| apps, and also published a list of the top 25 most popular apps
| that were compromised. Apple removed all of the infected apps
| from the App Store , and provided information to developers to
| help them validate Xcode going forward.
|
| > XcodeGhost was a widespread attack, but it was not effective or
| dangerous. At the time, Apple said that it had no information to
| suggest that the malware was ever used for any malicious purpose
| nor that sensitive personal data was stolen, but it did collect
| app bundle identifiers, network details, and device names and
| types.
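Two comments above (the one quoting the Gatekeeper click-through, and this one quoting that Apple "provided information to developers to help them validate Xcode going forward") point at the same practical check: a Gatekeeper assessment of the installed Xcode.app. The script below is an added example, written for this page; it is not Apple's tool and not code posted by anyone in the thread. It wraps `spctl --assess --verbose`, which is a real macOS command, but the assumed output shape ("<path>: accepted" followed by "source=<signer>") and the assumed set of signer labels that identify a genuine Xcode ("Mac App Store", "Apple", "Apple System") are recalled from Apple's post-XcodeGhost guidance and should be checked against your own macOS version. The sample outputs inside the script are constructed for illustration, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not Apple's code and not from the article or thread.
# Wraps the Gatekeeper assessment Apple pointed developers at after
# XcodeGhost:   spctl --assess --verbose /Applications/Xcode.app
#
# ASSUMPTION (from memory of that guidance; verify on your own macOS):
# spctl prints "<path>: accepted" followed by "source=<signer>", and a
# genuine Xcode reports a source of "Mac App Store", "Apple" or
# "Apple System". A bundle that merely passes Gatekeeper (for example
# "source=Developer ID") is NOT thereby a genuine Xcode: Gatekeeper
# accepting it is a weaker statement than Apple having signed it.

# Extract the signer label from spctl output (empty if none present).
assessment_source() {
    printf '%s\n' "$1" | sed -n 's/.*source=//p' | head -n 1
}

# Return 0 only if the assessment is "accepted" AND the signer is Apple.
xcode_assessment_ok() {
    out="$1"
    printf '%s\n' "$out" | grep -q ': accepted' || return 1
    case "$(assessment_source "$out")" in
        "Mac App Store"|"Apple"|"Apple System") return 0 ;;
        *) return 1 ;;
    esac
}

# Run the real check (macOS only). Non-zero exit lets CI fail the build.
check_xcode() {
    path="${1:-/Applications/Xcode.app}"
    out=$(spctl --assess --verbose "$path" 2>&1) || true
    if xcode_assessment_ok "$out"; then
        echo "OK: $path signed by $(assessment_source "$out")"
        return 0
    fi
    echo "SUSPECT: $path -- $out" >&2
    return 1
}

# Constructed sample outputs (illustrative, not captured from a machine).
SAMPLE_GOOD='/Applications/Xcode.app: accepted
source=Mac App Store'
SAMPLE_UNSIGNED='/Applications/Xcode.app: rejected
source=no usable signature'
SAMPLE_DEVID='/Applications/Xcode.app: accepted
source=Developer ID'

# Usage:  sh check_xcode.sh --check [/path/to/Xcode.app]
if [ "${1:-}" = "--check" ]; then
    check_xcode "$2"
fi
```

The point of the separate `assessment_source` step is the Developer ID case: a repackaged Xcode that someone has signed with an ordinary developer certificate would get "accepted" from Gatekeeper, so a check that only greps for "accepted" still passes a counterfeit. Only the signer label distinguishes Apple's build from anyone else's.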
| egberts1 wrote:
| ya think Mac could have a poor hash tag matching for security
| of its executables, such as Xcode?
| londons_explore wrote:
| > Apple said that it had no information to suggest that the
| malware was ever used
|
| So in other words, it was used only on a few high value
| targets, rather than being used to serve up ads to all 128M
| users.
|
| Still not much better...
___________________________________________________________________
(page generated 2021-05-08 23:00 UTC)