Posted by Kevin on October 12, 2015.
Apple’s iOS has suffered one of its worst ever malware breaches with xCodeGhost. Is it time to consider whether the structure of Apple’s walled garden needs a rethink?
Multiple iOS apps – including some very popular ones – have been compromised via a poisoned version of the Xcode software library. It would appear that a bad actor modified the library and then uploaded it to Baidu. From here it was downloaded and used by multiple app developers.
Just how many apps have been affected is unclear. FireEye has said that it found well over 4000. Apple’s own FAQ names 25 infected apps, and says the number of potential victims would drop dramatically once these 25 have been taken into account. Apple is clearly playing down the problem. Appthority claims to have identified 476 affected apps, but makes a worrying comment: “We had a closer look at the data and were able to track the start of the infection to April 2015.”
“Infections started back in April 2015”
xCodeGhost wasn’t known in the West, however, until Palo Alto’s series of blogs starting 17 September. That’s an unknown unknown: an infection running for five months with no remediation. As it happens, xCodeGhost was an unloaded gun: malware capable of downloading serious spyware, but not – as far as anyone can tell – ever used in anger. Appthority says, “The identified versions of XCodeGhost actually behaved more like AdWare or tracking frameworks rather than malicious malware.”
Nevertheless, Apple’s much vaunted walled garden security was breached in a major fashion over an extended period of time. One question that Apple must ask itself now is whether this incident will have any serious effect on its security reputation. We asked a bunch of CISOs from the Wisegate community if it would affect their company BYOD policy.
The very clear response is that, no, it won’t. But this seems to be based less on any specific trust in Apple than on the recognition that the choice of BYOD devices is up to the user rather than security officers. Fully 80% of the CISOs replied that xCodeGhost will make no difference to their existing BYOD policy – which is to place no restriction on any particular make of device. Not a single CISO said his company only approves Apple devices.
Two extremes were held equally. Just over 15% said their company does not allow any personal devices anyway; while another 15% gave a metaphorical shrug of the shoulders: ‘malware is just a cost of business if that business includes BYOD.’ Deal with it.
“I see this as a win for Apple”
There is a possibility, however, that this lack of concern from the world’s security practitioners is partly felt simply because of the very strength of Apple’s security reputation. One CISO commented, “I see this as a win for Apple – it shows how strong their ecosystem is in protecting the end user or company. In order for malware to get on the iPhone, hackers had to trick developers into downloading a bad version of Xcode. The developers were from China and downloaded Xcode not from Apple, but a 3rd party. Hopefully, the developers will only get Xcode from Apple from now on… To me, if you have to go through these hurdles to get malware on a phone that was quickly identified and neutralized, then that’s a very high security standard indeed.”
In reality, of course, we have subsequently learned that the malware was neither quickly discovered nor quickly neutralized. And that leads us to another question: is it now time for Apple to make some modifications to its walled garden? More specifically, should it finally allow the anti-malware industry access to the inner workings of iOS so that they can develop the software that is likely to detect any future breaches in much less time than 5 months? I suspect that it is – but there’s no sign of it yet.