[HN Gopher] Apple brass discussed disclosing 128M iPhone hack, t...
___________________________________________________________________
Apple brass discussed disclosing 128M iPhone hack, then decided not to
Author : throwawaysea
Score : 273 points
Date : 2021-05-08 17:03 UTC (5 hours ago)
(HTM) web link (arstechnica.com)
(TXT) w3m dump (arstechnica.com)
| iJohnDoe wrote:
| Anyone that has been in the industry long enough and has worked with Apple in any capacity knows that Apple is hostile to their users and their partners. Apple always does what is in the best interest of Apple. Everything else is just marketing.
| elcomet wrote:
| Isn't that the case for every company? Why would a company do something in the interest of the consumer if it was not in their interest? Competition is what's supposed to take care of this.
| osrec wrote:
| Well exactly, but they have convinced (brainwashed?) a bunch of their users that they're really on their side.
|
| In my experience, Android users are generally not plagued by this misconception to as great an extent.
| adav wrote:
| There are a whole lot more Android users.
| osrec wrote:
| But what's your point?
| dpatterbee wrote:
| Unfortunately it's possible for competition to not resolve things to the benefit of the consumer; that's where regulation typically steps in. I'm not necessarily implying that that's required in this case, just that things aren't as simple as competition == consumer wins.
| goalieca wrote:
| > Apple always does what is in the best interest of Apple. Everything else is just marketing.
|
| I don't truly believe Apple is interested in user privacy as a core value, but it is a hell of a differentiator compared to Google. On this topic, my interests and theirs happen to align for the time being.
| Siira wrote:
| You can't win in a duopoly.
| kwere wrote:
| Yeah, but with buzz marketing you can catch the fat customer and avoid antitrust oversight.
| tmashb wrote:
| Approach and hypocrisy matter. Apple did boast about privacy and security many times before...
| [deleted]
| temp667 wrote:
| Huh? This wasn't an Apple hack. This was developers using counterfeit Xcode I believe, and those developers' apps were then hacked using non-genuine development tools.
|
| The lesson here is that it's probably important to do things like the non-Apple battery warnings etc. because the scammers and hackers will not stop attacking the platform.
| Godel_unicode wrote:
| Apple knew about a huge compromise of their users' devices. Despite all of their marketing material talking about how much they value customer security and privacy, they made a business decision to not notify the affected users.
|
| The lesson here is that you cannot rely on Apple to act in your interest if they think doing so will hurt them. Note that they aren't special here; any other company will probably act similarly. The difference is that Apple apologists would have you believe they, ahem, think differently.
| lscotte wrote:
| There's a point where the reality distortion field fails.
| Jyaif wrote:
| > Schiller and the other people receiving the email wanted to figure out how to shore up its protections in light of their discovery that the static analyzer Apple used wasn't effective against the newly discovered method.
|
| Yes, I totally believe that Apple did not know about NSInvocation and the half a dozen other ways to dynamically call methods.
| kevinh wrote:
| The email is linked there and you can read it. Just because one team at Apple is aware of potential vulnerabilities doesn't mean that everyone at the company is equally aware.
| stephc_int13 wrote:
| Top management is responsible; lack of technical competence or knowledge is not a valid defense.
|
| This is their job to know.
| [deleted]
| [deleted]
| RcouF1uZ4gsC wrote:
| > The infections were the result of legitimate developers writing apps using a counterfeit copy of Xcode, Apple's iOS and OS X app development tool. The repackaged tool dubbed XcodeGhost surreptitiously inserted malicious code alongside normal app functions.
|
| > XcodeGhost billed itself as faster to download in China, compared with Xcode available from Apple. For developers to have run the counterfeit version, they would have had to click through a warning delivered by Gatekeeper, the macOS security feature that requires apps to be digitally signed by a known developer.
|
| Seems like a real-world version of the Trusting Trust attack where the compiler is inserting malicious code.
| smbv wrote:
| Maybe it's time to reread Reflections on Trusting Trust[0]
|
| [0] https://users.ece.cmu.edu/~ganger/712.fall02/papers/p761-tho...
| medstrom wrote:
| The full Trusting Trust attack would be if you'd use XcodeGhost to compile Xcode and it actually makes another XcodeGhost that just looks like Xcode, right? Preferably you do this to the developer responsible for uploading the compiled Xcode to central download servers. After a while no one has the real Xcode anymore, it's been lost to time, but no one knows this.
| spitfire wrote:
| So a few weeks ago I started an overnight copy of some files to my APFS encrypted backup disk. I came down in the morning to find the filesystem corrupted.
|
| iBooks won't sync ePub files I add manually.
|
| <A bunch of other niggles, too many to list>
|
| Now we find out Apple cares more about its image than quality.
|
| I've been wanting to move away from Apple for a while, but this finalises it. I'll be doing one final upgrade to the ARM chips, then putting effort into moving away. Including funding projects if needed.
|
| This is a _really_ bad look for Apple. It's clear they're not worthy of my trust.
| stephc_int13 wrote:
| Software has never been their forte, unfortunately.
| spitfire wrote:
| Funny thing, it _was_. I consider the current Apple to have started with Jobs at NeXT. From NeXTSTEP through to Snow Leopard they were _fantastic_ and getting better every release.
|
| Not so much now; they've found a cash cow and seem to be entranced by it.
| robertoandred wrote:
| Those are some serious rose-tinted glasses you've got on there.
| uniqueid wrote:
| Apple was the gold standard for software for most of the first 35 years (excepting a few years after 1995) of its existence. Apple used to hold a reputation for building the best software in the industry.
|
| On a side note, sometimes getting older feels like being in a Twilight Zone episode. Like I woke up and, for some reason, everyone is calling records and 45s 'vinyls'.
|
| Or I mention 'Cary Grant' and people just stare at me blankly because his memory has been erased from existence.
|
| This Apple comment is one of those moments: it feels like yesterday Apple's talent for software was common knowledge, and suddenly today I'm in a parallel universe where Apple has _always_ created buggy garbage.
| stephc_int13 wrote:
| I am not saying that Apple has always built bad software.
|
| I am saying that _design_ is their forte and that their engineering culture is mostly focused around it; software is built to impress.
|
| Their products are meant to be the final form, not a tool to build something else.
|
| And this has implications for the quality of the code. Fortunately they also inherited a lot from the Unix culture, but overall I've rarely been impressed by the quality of their software, and I've sometimes been appalled by it.
|
| iTunes, QuickTime or the first iterations of OS X...
| uniqueid wrote:
| If we're talking about reliability post-2010 I fully agree with you. Let's just leave it there.
| I'm pretty sure I have two threads in my HN comment history (probably several years old) in which I argued against the view that iTunes and QTP started out bad. It's just not a topic I have energy to drone on about more than once a decade.
|
| Edit: fwiw https://news.ycombinator.com/item?id=13426813
| jader201 wrote:
| What is "Apple brass"?
|
| I see only one other mention of it in the article (aside from the title) with zero additional context, and am surprised to see zero occurrences of it here.
|
| A Google search of "Apple brass" turns up nothing as well, besides other references to this article.
|
| Am I the only one that has never heard this term, and is also curious about its use in the article's headline?
| pygatea wrote:
| "Brass" in this context means "leadership." See: https://idioms.thefreedictionary.com/top+brass
| FridayoLeary wrote:
| Not a new product. I was inclined for a moment to think it was ("We will now introduce the all-new Apple Brass!")
| dwighttk wrote:
| Unspecified people in charge at Apple.
| gpm wrote:
| "Brass" is synonymous with "leadership" in this context; it has a bit of a military connotation, but can be used elsewhere as well.
| jader201 wrote:
| TIL. Have never heard of this before.
| [deleted]
| mdoms wrote:
| It's an Americanism referring to their "top brass", which for whatever reason means their military leadership. Read as "Apple leadership".
| superjan wrote:
| The article is about Apple failing to detect a huge number of apps that accidentally contained malware. I would not call this an iPhone hack though.
| pmontra wrote:
| Not accidentally. A malicious third-party version of Xcode injected the malware into the apps and Apple's vetting system failed to detect it. Apple eventually discovered it and decided not to warn its customers.
| superjan wrote:
| I mean accidental in the sense that the developer was not acting in bad faith.
| I don't mean to defend Apple; it just annoys me that this is advertised as an iPhone hack.
| xmprt wrote:
| Apple is claiming that their App Store is secure and rigorous. If developers (maliciously or not) were able to add code like this to their apps, then doesn't that mean someone was able to hack the App Store verification process? And if they were, is it not Apple's responsibility to inform their users that their devices might have malicious apps?
| katbyte wrote:
| That it happened is not a valid data point; it should be compared to other stores and what % are malicious apps.
|
| Now, not disclosing it is on them, but at the same time, it was the apps who were hacked and I can see it falling to them to disclose?
| cj wrote:
| Does Apple give app developers an avenue to communicate security incidents to people downloading free apps if the app doesn't require signing up with an email address?
|
| Does that line of communication remain open after the app is deleted on the device?
| gruez wrote:
| If this was swapped out for Microsoft or Google, would it be fair to call it the Windows/Android hack?
| Dah00n wrote:
| If Microsoft in numerous court cases had said the reason for the walled garden is because it is safe, then yes. But only Apple says that. This is not comparable to downloading for Windows but more like downloading malware from the Xbox or PlayStation store. Apple approved those apps.
| treesprite82 wrote:
| If a comparable number of Xboxes were compromised through a game on Microsoft's own Xbox store then I would say that's an Xbox hack. It'd mean that the malware evaded the Xbox's security mechanisms (which are implemented at Microsoft's end when publishing onto the store).
|
| For non-walled-garden platforms, like most desktop operating systems, a program being available for download isn't yet a bypass of any security feature.
| It'd have to do something forbidden like privilege escalation for me to count it as an OS X/Windows/Linux hack.
| vbezhenar wrote:
| Did they at least disable those apps on affected phones until upgraded? Or was this hack not dangerous?
| djmips wrote:
| Probably it's this kind of thinking that allowed for such a thing to occur. Not all gates were equally secure.
| stephc_int13 wrote:
| Well, this Epic lawsuit seems to turn into a nightmare on multiple fronts for the PR guys at Apple...
| ksec wrote:
| Speaking of PR guys at Apple, I really miss the days when Apple PR was run by Katie Cotton. The genius in PR and marketing.
|
| >Well, this Epic lawsuit...
|
| And this is the issue that no one seems to be getting. Epic will lose. As a gaming company they never really had a case; I do admire them for having the courage to go against the largest corporation in modern history. But it provides enough material for their end goal for other parties, whether that is EU or US regulators.
| wallwarp wrote:
| The Dutch East India Trading Company wants to know your location. ;)
| dylan604 wrote:
| I guess that depends on your definition of "modern history". Yes, Apple has a lot of cash, but does their current top-corp-by-value status mean they are bigger in influence/effect on people's lives than others in history? I'm thinking AT&T pre-breakup, Standard Oil, railroads, etc. I understand the point the GP was making. It just sent me down a tangential bit of thinking. Ugh, and on a Saturday!
| matwood wrote:
| Interesting thoughts. I think a lot of this comparing Apple to the companies you listed is the wrong way to think about them.
|
| First, it's not just Apple. The App Store/ecosystem concept is a newish concept, and probably needs completely new types of regulation outside of anti-trust. Apple, Google, MS, Sony, Nintendo, etc...
| are for the most part monopolies in their respective worlds, but fail at the traditional monopoly definition. Waiting for a company to achieve an AT&T or Standard Oil level of power is an outdated way of thinking. Apple also doesn't have anywhere near that level of power.
| stephc_int13 wrote:
| The story is not written yet, and I don't trust armchair lawyers to predict the outcome of something that complex.
| scarface74 wrote:
| Their only end goal was to get a better outcome for themselves. It came out in the trial that if they had gotten the special deal they were seeking, you probably wouldn't have heard a peep from them.
| djmips wrote:
| Somehow that seemed obvious to me without the direct evidence. I have no doubt that if the shoe was on the other foot, Epic would be super happy to be the gatekeeper taking in 30%.
| MattRix wrote:
| No they wouldn't. They already run their own store where they take 12%. Tim Sweeney has been a vocal supporter of open platforms/markets for many years. This action is costing Epic TONS of money. In no way does it make financial sense whatsoever. If you read the internal Epic documents from this case, it becomes quite clear that this is Tim Sweeney's personal crusade against Apple.
| tpxl wrote:
| > Tim Sweeney has been a vocal supporter of open platforms/markets for many years.
|
| If he was, he would be against exclusives, but he pays handsomely for those.
| dtech wrote:
| The only reason they do that is because they are trying to break into Steam's near-monopoly market position. They are not above anti-consumer practices like exclusives. I have no doubt that if they could, they would take that 30% cut.
| MattRix wrote:
| Why would they choose 12% and not 25% or 20% then? Either of those would be better than Steam.
|
| Calling exclusives "anti-consumer" is basically nonsense. Exclusives have been a mainstay of the gaming world for ages.
| The actual harm they cause to the consumer is minimal, no different than first-party titles do (like Valve's own Half-Life, etc).
| scarface74 wrote:
| Then why did Epic ask for a special deal from Apple?
|
| Can I use in-game currency bought from somewhere else in Fortnite?
| edoceo wrote:
| > read the internal Epic documents from this case
|
| How can we do that?
| MattRix wrote:
| It used to be in a public documents folder on Box. The link doesn't seem to be working anymore, so maybe they took it down for the weekend (or permanently): https://app.box.com/s/6b9wmjvr582c95uzma1136exumk6p989/folde...
| stephc_int13 wrote:
| You are right about their end goal, and this is expected from a company with shareholders; I think this is part of the job of a CEO.
|
| But you don't know if this is their _only_ end goal.
| scarface74 wrote:
| If they could get a special deal, do you really think they would take the case to trial, spend the money _and_ have as much of their dirty laundry become part of the record?
| stephc_int13 wrote:
| I don't read tea leaves; we can only infer their goals from the PR and what seems to be their best self-interest.
|
| Internally this is probably a high-risk, high-reward kind of plan, but this is a wild guess.
| scarface74 wrote:
| If they had gotten all of the concessions they wanted, there would have been no reward.
|
| If they could sell digital goods using their own payment system within the app like Amazon can with Amazon Video, what would they gain from this?
|
| The PR doesn't tell the story like what came out during court procedures.
| dylan604 wrote:
| I was actually surprised they went this alone instead of trying to get other devs involved to seek class action status.
| lupire wrote:
| They want a policy change, not a $40 coupon.
| gpm wrote:
| If they could get a special deal, they probably wouldn't have standing to take the case to trial, so they literally couldn't take it to trial.
|
| I suspect they would still want to. My personal suspicion about the motivation behind this case is that it's not really about Epic Games' profit, but Tencent's. Tencent owns 40% of Epic Games, and owns a lot of companies who stand to make a lot more money if Apple's forced to open up the app store.
| Dah00n wrote:
| Epic might not win against Apple directly, but the end result will likely be exactly the same when the EU are done with Apple.
| Hamuko wrote:
| It feels like a PR disaster to everyone involved even if they're not part of the actual lawsuit. See also: Sony
| throwaway77388 wrote:
| Another one from 2021. The gist is that the Apple App Store is hosting multimillion dollar scams:
|
| https://www.theverge.com/2021/4/21/22385859/apple-app-store-...
|
| https://www.theverge.com/2021/2/8/22272849/apple-app-store-s...
| xmprt wrote:
| Especially when one of Apple's main points is that the App Store ensures a secure environment for their users to download apps. If they ended up verifying this many insecure apps, then what's the point?
| yepthatsreality wrote:
| The idea is to tear down the walls of the garden. In this case Apple advertises security and quality control as features of the fees for their required app store. If the garden is not actually more secure and the quality not actually controlled in reality than any other garden, then there will be an argument to allow anyone to start a garden on iOS.
| lupire wrote:
| Epic wants their own walled garden. They aren't anti-walled garden.
|
| Let's not pretend that one greedy billionaire is the good one here.
| temac wrote:
| Would an oligopoly (at worst) need to be strictly as bad as a monopoly though? I don't really care that the fight is mainly the one of greedy billionaires, as long as it reduces the prices for consumers.
|
| Plus Epic does not really propose the same kind of walls as Apple does.
| The worst they can do are exclusive titles on some typically somehow open platforms (and yep, I guess they would take a deal to have an authorized store on a closed one, but for now I'm not sure such beasts exist anyway -- and again, why would it be worse than a monopoly?), they don't even sell only that, and the people they get exclusivity from had the choice to do something else anyway (without renouncing whole platforms).
| Dah00n wrote:
| Just like many comments on HN keep arguing that Apple is better than Google because of privacy, then Epic is the good guy in this because more walled gardens are better than only one, even if it is still not open.
| simion314 wrote:
| I remember there are some laws about disclosing breaches. Did this happen before those laws, or does the letter of the law not apply in this specific case?
|
| For the anti-regulation guys, please explain how the free market helps in this or similar cases and why a law to demand transparency for these cases is also evil. (I am still waiting, on other threads, for an explanation of why regulation that only forces transparency about what is tracked and shared is bad and the free market solves it better.)
| [deleted]
| nemothekid wrote:
| I'm not sure the law applies to Apple in this case. It wasn't Apple that was hacked. Another way of looking at it is if Facebook was hacked, and the hacker put malicious code into the Facebook iOS app and Apple notices, it's _Facebook_ that is the liable party; Apple just noticed.
| Dah00n wrote:
| Apple controls and approves App Store apps. If it were in the app, Apple is clearly also a party since they are paid to approve it. It's only a matter of time before the EU will smack Apple down.
| nemothekid wrote:
| I'm not sure how (1) follows (2). How is Apple "clearly" also a party when they aren't even given the source code to the app?
| pornel wrote:
| Apple insists on having editorial and technical control over apps, but also they take no responsibility for their decisions and their technology that allowed bad apps.
|
| It's their platform, their APIs, their sandbox, their store, their verification, their rules, but when something goes wrong, it's someone else's fault. That doesn't seem fair (even though it's legal currently).
| pornel wrote:
| Apple is in charge when it benefits them, and devs are in charge when there's a liability.
| [deleted]
| gpm wrote:
| I'm not sure any particular law like that applies to Apple, but I would actually be somewhat surprised if they didn't. You bought an Apple device, used it to access Apple's servers, which pointed you at software hosted on Apple's servers, which you proceeded to download from Apple's servers; if it was non-free software you paid Apple for it, and Apple has final approval over any software that is actually distributed to consumers.
|
| Edit: And if you were infected by way of an update, the update mechanism is: Apple's software asked Apple's servers if there were any updates, and when Apple's servers said yes they downloaded software from Apple's servers and deployed it on your phone.
|
| To argue by analogy, Amazon is responsible for goods they sell on their store that they don't even distribute themselves... https://www.theverge.com/2021/5/1/22414185/california-appeal...
| lupire wrote:
| What company had full control over whether the Facebook software is installed on my phone?
| nemothekid wrote:
| You? I'm not sure what point you are making. Apple does not preload apps onto your phone.
| simion314 wrote:
| Apple/Google restrict what apps are in the Store; they and their fans will say that the locked store is for security.
|
| When Apple/Google review fails (it will never be a perfect review process), reasonable people would say that Apple/Google would not only remove the malware from the store but they would also at least notify the victims.
| doikor wrote:
| GDPR requires disclosing to the supervisory authority if user data was breached. Though this hack was before GDPR.
|
| https://gdpr-info.eu/art-33-gdpr/
|
| edit: Also California requires notifying the residents directly, and if over 500 residents were affected, also the attorney general.
|
| https://oag.ca.gov/privacy/databreach/reporting
| nickff wrote:
| In a situation with less top-down regulation, security-focused users are more likely to rely on guarantees and audits, perhaps causing them to select different vendors.
| scarmig wrote:
| Is the population of security-focused users enough to support an ecosystem of auditing firms?
|
| Is it enough to even support a neighborhood coffee shop?
| mojo982 wrote:
| If so few users care about security, why should the government regulate for that outcome?
|
| I think theoretically the argument above makes sense, but in reality it doesn't. The market that exists doesn't provide a solution because the barrier to entry is basically infinite. Even Microsoft couldn't offer an alternative to iOS and Android because Microsoft couldn't do it alone. It's a natural monopoly problem, which means normal market arguments don't work.
| kdmccormick wrote:
| Isn't this the case already (to the extent that each security-focused user finds it practical)? Would decreasing top-down regulation somehow make it _easier_ for those users to select vendors based on their security practices? Or perhaps, would it increase the number of security-focused users?
|
| Help me understand.
| nickff wrote:
| Top-down regulations often give people a false sense of security, so they don't bother doing their own research and 'watching their backs'.
| Regulations are also generally 'sticky', so many originators focus on bare-minimum compliance, and there is a dearth of variety.
|
| Another related problem is that regulations often incentivize ignorance; the originator is usually better off not learning about breaches, so they are not as vigilant as many users think they _should_ be.
| lupire wrote:
| That means the punishments aren't heavy enough.
| simion314 wrote:
| If you don't have regulations then you can have a company putting false labels like "Approved by the National Agency for Food/Software/Equipment safety", then each user needs to individually try to research if this agency actually exists, if the label is correct, etc.
|
| Remember the class action lawsuit that forced Apple and other companies to admit that the products have a defect and provide compensation. Without a law and regulation those people would not have got their fair justice.
|
| Also I do not see how free markets could prevent some company selling you bad products, and when the PR is bad enough just re-branding and starting over. Or how free markets can help with imported products that could be unsafe; you need basic regulation that imposes transparency (who made the product, what it contains and other related information).
| user-the-name wrote:
| There is already basically zero regulation in this area.
|
| Where are all these guarantees and audits and vendors? Nowhere. Absolutely nowhere.
|
| This is a completely nonsensical libertarian fantasy.
| lawnchair_larry wrote:
| The headline is pretty much a lie here.
| inetknght wrote:
| This only comes to light because of the discovery process during a lawsuit.
|
| Where are the regulations to protect consumers?
|
| Oh right, the US regulators _don't_ protect consumers. At all. Even though that's what they're _supposed_ to do.
| xucheng wrote:
| If I remember correctly, this incident was actually widely reported in China when it broke out.
| It was caused by many iOS developers in China choosing to download a counterfeit version of Xcode because the network connection from China to any foreign servers is so bad.
|
| Though, it is true that Apple never disclosed the full list of compromised apps or how many users are affected. Also, I am not sure that sending emails to affected users would be effective. Most of the affected users come from China, and a significant portion of them use a phone number instead of an email to register their App Store account.
| moralestapia wrote:
| Oh, the stuff that's coming out of this lawsuit is gold.
| dylan604 wrote:
| Knowing that court cases are usually an airing of everyone's dirty laundry, I kind of wish the FBI did not drop their case against Apple.
| spaetzleesser wrote:
| It seems once you are sufficiently big and rich, a lot of things that are required for smaller players become optional.
| CyberRabbi wrote:
| When it comes to insecurity of your mobile device, this is just the tip of the iceberg.
| gruez wrote:
| >insecurity
|
| How? This is a simple case of "code execution results in code execution". iOS is already sandboxed, so the impact was limited. I'm not sure what you'd expect Apple to do, other than have some sort of system that can detect arbitrary malicious code.
| CyberRabbi wrote:
| Check the liner notes of your monthly OS updates for sandbox escape and RCE fixes and you'll understand the prevalence of the problem I'm trying to describe. Couple that with the fact that mobile OS software configurations are relatively highly standardized and very sensitive and valuable personal information is usually stored on mobile devices.
| harikb wrote:
| Wait, why is this Apple's fault?
|
| > The infections were the result of legitimate developers writing apps using a counterfeit copy of Xcode, Apple's iOS and OS X app development tool.
| The repackaged tool dubbed XcodeGhost surreptitiously inserted malicious code alongside normal app functions.
|
| This was shown by Ken Thompson in 1984 I thought [1]
|
| 1. http://wiki.c2.com/?TheKenThompsonHack
| Siira wrote:
| Why was there a counterfeit Xcode in the first place? Reminds me of how hard it is to download Xcode with the crappy App Store when not having the connection Apple engineers enjoy ...
| katbyte wrote:
| Because "it downloaded faster in China" apparently?
| lazide wrote:
| Besides it maybe not being Apple's fault (except for not telling anyone) - it is maybe Apple's fault because they explicitly state they are reviewing apps, and did not catch this issue. So they obviously have a huge blind spot and their customers were impacted because of it. Considering the scope and scale of the App Store and the massive revenues from it, it is also pretty hard to believe some better scanning or analysis software wouldn't have caught this pre-emptively?
|
| Since I remember the 'Apple was not doing true binary-level review' coming up when I talked to an iOS developer literally a decade ago about the App Store (back in Android 1.1 SDK days) - he even mentioned this type of attack as a possibility - and they obviously haven't changed that, there are probably a ton more like this out there that have slipped under the radar due to smaller scope, or less clear impact.
| harikb wrote:
| Short of Apple proxying and reviewing every byte sent out by an app, I just don't see how this level of review is possible. It is like detecting a virus or malware. Whether Apple should have boasted about their review process or not is another matter.
|
| There is no technology we have today, whether it is mobile, server side, Linux kernel or whatever, that accepts random code from strangers (that is what you are doing with pirated s/w) and detects intentionally written malicious code.
| josephcsible wrote:
| The breach wasn't Apple's fault, but the cover-up is.
| [deleted]
| onedognight wrote:
| According to the article from Apple[0], WeChat 6.2.6 and DiDi Taxi 4.1.0, among many others, were affected.
|
| [0] https://web.archive.org/web/20151101142446/http://www.apple....
| IkmoIkmo wrote:
| The following was posted on Macrumors. Definitely not a perfect user-first response from Apple, but didn't seem terrible either. Particularly because Apple wasn't the source of the issue; the issue was people downloading an unofficial Xcode tool not made or hosted by Apple. Apple discovered it (just like many researchers did) and made various (non-perfect) efforts to mitigate it. And according to Macrumors, the attack did not really lead to any serious consequences. Not sure if that's true, but I haven't seen any evidence to the contrary either.
|
| > Apple did ultimately inform users that downloaded XcodeGhost apps, and also published a list of the top 25 most popular apps that were compromised. Apple removed all of the infected apps from the App Store, and provided information to developers to help them validate Xcode going forward.
|
| > XcodeGhost was a widespread attack, but it was not effective or dangerous. At the time, Apple said that it had no information to suggest that the malware was ever used for any malicious purpose nor that sensitive personal data was stolen, but it did collect app bundle identifiers, network details, and device names and types.
| egberts1 wrote:
| Ya think Mac could have poor hash tag matching for security of its executables, such as Xcode?
| londons_explore wrote:
| > Apple said that it had no information to suggest that the malware was ever used
|
| So in other words, it was used only on a few high-value targets, rather than being used to serve up ads to all 128M users.
|
| Still not much better...
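Two points in the thread meet in one practical check: the quoted Ars passage notes that XcodeGhost could only run after the developer clicked through a Gatekeeper signature warning, and the quoted Macrumors summary says Apple later gave developers information "to help them validate Xcode". The following is an added example, not a script from the thread, from Ars, or from Apple: a small POSIX shell helper that assesses an installed Xcode.app with `spctl --assess --verbose` (the Gatekeeper assessment tool on macOS) and treats it as genuine only when the assessment is "accepted" and Gatekeeper attributes the signature to Apple. The set of accepted `source=` strings is an assumption drawn from memory of Apple's guidance and should be confirmed against Apple's current documentation; the sample outputs are constructed in the shape `spctl` prints, not captured from a real machine. A counterfeit build that was re-signed by a third party or not signed at all fails this check, which is exactly the case the Gatekeeper warning was protecting against.

```shell
#!/bin/sh
# Added example (not from the thread or from Apple): decide whether an
# Xcode.app carries a signature that Gatekeeper attributes to Apple.

# Parse the text printed by `spctl --assess --verbose <app>`.
# Returns 0 only if the app was "accepted" AND the reported source is one
# Gatekeeper attributes to Apple. The three accepted source strings are an
# assumption; confirm them against Apple's documentation.
xcode_source_ok() {
    _out="$1"
    case "$_out" in
        *": accepted"*) ;;          # first line must say "<path>: accepted"
        *) return 1 ;;              # "rejected" or anything unexpected
    esac
    # The second line looks like "source=<origin>"; keep only the origin.
    _src=$(printf '%s\n' "$_out" | sed -n 's/^source=//p' | head -n 1)
    case "$_src" in
        "Mac App Store"|"Apple"|"Apple System") return 0 ;;
        *) return 1 ;;              # e.g. "Developer ID", "no usable signature"
    esac
}

# Run the real assessment on a macOS host (assumes spctl is on PATH).
# $1 = path to Xcode.app; defaults to the standard install location.
# Returns 0 if genuine, 1 if the check fails, 2 if spctl is unavailable.
check_xcode() {
    _app="${1:-/Applications/Xcode.app}"
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not available on this host (not macOS?)" >&2
        return 2
    fi
    _out=$(spctl --assess --verbose "$_app" 2>&1)
    if xcode_source_ok "$_out"; then
        echo "OK: $_app is accepted and attributed to Apple by Gatekeeper"
        return 0
    fi
    echo "WARNING: $_app did not pass the Gatekeeper origin check:" >&2
    printf '%s\n' "$_out" >&2
    return 1
}

# Constructed sample outputs in the shape spctl prints (not real captures).
SAMPLE_GENUINE='/Applications/Xcode.app: accepted
source=Mac App Store'
SAMPLE_RESIGNED='/Applications/Xcode.app: accepted
source=Developer ID'
SAMPLE_UNSIGNED='/Applications/Xcode.app: rejected
source=no usable signature'

# When invoked with a path argument, assess that app for real.
if [ -n "${1:-}" ]; then
    check_xcode "$1"
fi
```

Run it as `sh check_xcode.sh /Applications/Xcode.app` on a Mac; on any other system `check_xcode` exits with status 2 so that a missing tool is never mistaken for a passing check. The parsing is deliberately strict: a re-signed copy is "accepted" by Gatekeeper because it has a valid Developer ID signature, so checking the "accepted" line alone would pass the counterfeit, and only the `source=` line separates Apple's build from someone else's.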
___________________________________________________________________
(page generated 2021-05-08 23:00 UTC)