While the Scare Fell Flat, XcodeGhost Tale Holds Lessons

By Robert Lemos  |  Posted 2015-09-28

Apple's Security Net Does Have Holes

Apple has had great success by combining its signature-checking Gatekeeper software on clients with automated and manual checks of software uploaded to the App Store.

However, the XcodeGhost incident highlights how hard it is for Apple to determine, by looking at the program, whether information-collecting features of a known application are malicious, said David Richardson, iOS product manager for Lookout.

"They can only validate that an app does what it claims to do," he said. "To Apple, the changes made by XcodeGhost just look like they added new features or a new analytics framework."

Yet Apple also emphasized how difficult it should have been for developers to end up using the compromised version of Xcode. The company pointed out that legitimate Xcode software is code-signed by Apple, and that when the software is downloaded from the App Store or from the Apple Developer Program site, the operating system checks that signature.

"Apple incorporates technologies like Gatekeeper expressly to prevent non-App Store and/or unsigned versions of programs, including Xcode, from being installed," the company said in a statement. "Those protections had to have been deliberately disabled by the developer for something like XcodeGhost to successfully install."
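The signature and Gatekeeper checks Apple describes above can be run by a developer before trusting an installed toolchain. This script is an added example, not code from the article, from Lookout or from Apple; it assumes macOS with the stock `codesign` and `spctl` tools, and the sample `codesign -dvv` lines it embeds are constructed, not captured from a real bundle.

```shell
#!/bin/sh
# Pre-build check that an Xcode bundle still carries Apple's signature.
# Usage on macOS: sh check_xcode.sh /Applications/Xcode.app
# Assumptions: macOS with `codesign` and `spctl`; the sample outputs below are
# constructed to resemble `codesign -dvv` lines, not captured from a real run.

# Read `codesign -dvv` output on stdin and succeed only if it names Xcode's
# bundle identifier and a certificate chain anchored at Apple's root CA.
# A copy re-signed by a third party fails here even if its seal is intact.
chain_anchored_at_apple() {
    out=$(cat)
    printf '%s\n' "$out" | grep -qx 'Identifier=com.apple.dt.Xcode' || return 1
    printf '%s\n' "$out" | grep -qx 'Authority=Apple Root CA' || return 1
}

# Full check of an installed bundle: seal integrity, signer chain, and the
# Gatekeeper assessment that the article says had to be disabled.
verify_xcode() {
    app=${1:-/Applications/Xcode.app}
    # 1. Every nested binary and resource must match its signed seal.
    codesign --verify --deep --strict "$app" >/dev/null 2>&1 \
        || { echo "FAIL: invalid or missing signature: $app"; return 1; }
    # 2. The signer must chain to Apple, not merely be any valid certificate.
    codesign -dvv "$app" 2>&1 | chain_anchored_at_apple \
        || { echo "FAIL: not signed under Apple's chain: $app"; return 1; }
    # 3. Gatekeeper policy on this machine must accept the bundle.
    spctl --assess --type execute "$app" >/dev/null 2>&1 \
        || { echo "FAIL: Gatekeeper rejects bundle: $app"; return 1; }
    echo "OK: $app is Apple-signed and accepted by Gatekeeper"
}

# Constructed samples: an App Store-signed Xcode, and a copy re-signed by a
# non-Apple certificate (as a mirror-distributed build might be).
SAMPLE_GENUINE='Identifier=com.apple.dt.Xcode
Authority=Apple Mac OS Application Signing
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA'
SAMPLE_RESIGNED='Identifier=com.apple.dt.Xcode
Authority=Unofficial Mirror Signing Cert'

# Returns 0 when the parser accepts the genuine sample and rejects the other.
self_check() {
    printf '%s\n' "$SAMPLE_GENUINE" | chain_anchored_at_apple || return 1
    if printf '%s\n' "$SAMPLE_RESIGNED" | chain_anchored_at_apple; then return 1; fi
    return 0
}

# Only touch a real bundle when a path is given on the command line.
if [ "$#" -gt 0 ]; then verify_xcode "$1"; fi
```

The `--deep` verification walks every nested binary in the bundle, so on a full Xcode install expect it to take several minutes.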

Apps Update Quickly on Mobile Devices

XcodeGhost also underscored how quickly an updated program can spread through legitimate channels. Whereas PC viruses had to find their own ways to move from one machine to the next victim, a malicious application that gets through Apple's vetting process reaches users very quickly through the normal update channel.

Such an automated update mechanism puts even more pressure on the software developer, or on the application distributor, Apple, to catch any bad software, said Lookout's Richardson.

"The software on your phone is constantly updating; sometimes it happens without your really knowing," he said. "It definitely holds the potential for a mass infection of a large number of devices."
