Hackers have finally breached Apple's security but your iPhone's probably safe (for now) ...

Cyber security experts recently discovered that the almost impenetrable Apple App Store had been hacked. While cyber break-ins have become routine news for many companies, Apple has long prided itself on providing technology for its phones and tablets that was incredibly secure.

This was done by controlling how developers – the people who create your apps on your device – not only create their code but also upload it on to the app store. Steve Jobs ensured that Apple would check each app before it entered the marketplace, as well as the developers themselves, and the firm has enforced tight controls on what the devices could access.

This meant that Apple mobile products arguably were (and probably still are) the most secure you could buy. However a new attack dubbed XCodeGhost has done a great job of undermining Apple’s otherwise strong security.

The attack method used was cunning and, in a technical sense, impressive. Rather than attack the devices or the App Store, the hackers compromised the Xcode framework, the underlying programming system used by developers to create the apps. This is akin to poisoning a city’s water supply at its source rather than attacking the settlement’s buildings or army directly.

App developers use a suite of software known as Xcode to create programs for Apple devices. Within this is a large library of functions that enable each created app to talk to the underlying phone or tablet. Each library function has different roles, from allowing you to share your location to making your phone sound like a light sabre when you wave it around.

The hackers created a malicious program (malware) that used the internet to seek out Mac computers with Xcode installed, gambling on the possibility that some of these devices were used to create apps for the Apple App store. It then dropped contaminated code library features into the Xcode system. These will appear to do what the app developers programmed them to do but also capture and send personal data from your device back to the hackers.

Malicious intent Shutterstock

Security experts are concerned that this innovative attack leaves Apple open to future attacks. It attacks anyone who has this coding environment installed on their computer system and compromises the code before it enters the secured systems offered by Apple.

Not only is this embarrassing for the company, as their checks clearly missed this compromise. It is also embarrassing for the many developers affected as their own internal security and anti-malware processes have been compromised.

What does this mean for you?

If you are the owner of an iPhone or iPad, there is nothing you can do. Apple has never offered Apple device owners the opportunity to protect their own technology. Apple has owned this, controlled this and until recently has been very successful in protecting its products.

Android-powered devices have historically been relatively vulnerable to an excess of 40,000 types of malware. The equivalent number for Apple devices remains very low. However, this new and interesting attack means that attackers have established an alternative route into your device, through the framework used by app developers. They only need one compromised app from one compromised developer machine to be successful.

Different experts have already found multiple apps, such as Angry Birds 2, that are infected. Many of these apps are being updated in earnest by their creators to patch the security breach and new versions are automatically being installed on your iPhone or iPad. If you are ultra concerned you can delete the app and re-install in a few days time when you know it has been secured.

In order to prevent further breaches, Apple must review its security policies and how it checks all code before it enters their App Store. It also means that the onus is on all developers to improve the way they scan their own systems. Otherwise, Apple will refuse to allow them to participate in this otherwise very successful and secure system.

The Conversation
Andrew Smith, Lecturer in Networking, The Open University
This article was originally published on The Conversation. Read the original article.

Comments

Post a Comment

Popular posts from this blog

So, what do you think about simulation ...

Ok, this is not a scientific study, the audience participation is likely to be from a self selecting group etc. So lets call this a poll amongst friends, followers and like minded. A question that is structural to my research is ... Do you think simulation can replace real hardware, when teaching networking? To remain fair, I am not going to share my opinion as it is biased and please don't try and answer this to please me (as I really don't know who will be answering and if you know me, you will know that it won't). Please take a look at the top left of this blog and based on your personal opinion, answer either yes or no. You do not have to be an expert, or an academic or even a teccie, everyone's opinion in this context counts. The opinions below are valid view points, but must not contribute to your own independent decision, please complete the question before reading these. =================================...
Read more

If airlines offer in-flight Wi-Fi, they should invest in an extra black box for security ...

Image
Yijun Yu , The Open University and Andrew Smith , The Open University In-flight Wi-Fi is one of the most sought-after facilities for air travellers these days, now that laptops and smartphones are so common and so much of our working and personal life revolves around online services. But a US Government Accountability Office report has suggested that many in-flight wireless networks could expose the plane to being hacked or remotely controlled . In fact it’s of such a concern to US authorities that when a well-known computer security expert made an admittedly ill-thought-out joke about doing so on Twitter, he was promptly arrested, his computers confiscated, and subsequently banned from the airline . And all he was suggesting was to make the oxygen masks drop down. So it would appear that the stuff of Hollywood may jump from fiction to fact: Liam Neeson and Julianne Moore starred in the 2014 film Non-Stop , where a passenger hacking the aircraft’s internal wirel...
Read more

It is not about buildings ...

Recently I visited a Cisco Academy in London - located in what I can freely describe as a humble environ. However, the quality of the kit and the skills and motivation of the teaching team put it all into perspective. It really isn't about the buildings. Yes, in other roles - I have been to centres boasting the best/shiniest/fab new builds. Yet from the resource and mindset of those involved. I think that the modest building and the excellent team beats a pretty site any time.
Read more