You’ve probably read in the news that up to 300 apps, made by developers in China, including popular apps like WeChat and Angry Birds 2 had managed to get through Apple’s approval process with malware installed. This all happened because the developers behind the apps downloaded a version of Xcode from a non-Apple website.
Xcode is provided to developers free-of-charge from Apple, so why any developer in the world would download a version of the software from anywhere other than Apple’s website beggars belief. Allegedly, the developers downloaded the infected ‘XcodeGhost’ as it was faster to download from the site in question, than Apple’s official website.
As the apps infected were largely popular iOS apps, it’s possible that the software was downloaded by a single person at each of the companies involved and stored on a internal server for others to download. This is a common practice within companies where it can be quicker to store software on a local server, rather than encourage every employee to download it from the web.
It would seem that the attack is largely the result of offshore Chinese software houses that were using the compromised version of Xcode. Companies may have used these houses to bring down the cost of development.
Whilst on the surface, this appears to be an issue, the damage that can be done is still relatively limited as the malware can’t read any sensitive data and the issue has been resolved.
If you consider the number of times hackers will have tried to infiltrate the App Store or iOS devices, this demonstrates how much of a safe haven it is. The amount of effort that will have gone into this, the reward for the hackers won’t make it attractive to repeat.
In terms of the possible damage, it appears that in this case, it’s minimal. Apps are sandboxed so even if an app is infected, it will only affect that app and in this case, it was only non-sensitive data that could be read anyway.
It’s worth noting that by the time the story broke, Apple had already dealt with this. It’s the responsibility of the developers to use the proper software and protect the users. The fallout from this is that Apple will likely be even stricter with its review process, checking that submissions use the official Xcode app.
If companies are concerned about this, they can use MDM and MAM to prevent employees from downloading apps to company supplied phones that aren’t approved. Again, as iOS apps are sandboxed and data is encrypted by default, the chance of anything bad happening is minimal.
In the grand scheme of Malware, if this is the worst the hackers were able to do, it shows that Apple is actually doing a good job and will only serve to reinforce that developers should be using the official tools.