Apple’s App Store suffers first major attack

21 Sep 2015

Apple China apps hacked.

(Reuters) – Apple said on Sunday it is cleaning up its iOS App Store to remove malicious iPhone and iPad programs identified in the first large-scale attack on the popular mobile software outlet. Some of the most popular Chinese names in Apple’s App Store were found to be infected with malicious software in what is being described as a first-of-its-kind security breach, exposing a rare vulnerability in Apple’s mobile platform, according to multiple researchers. The company disclosed the effort after several cyber security firms reported finding a malicious program dubbed XcodeGhost that was embedded in hundreds of legitimate apps.

The applications were infected after software developers were lured into using an unauthorised and compromised version of Apple’s developer tool kit, according to researchers at Alibaba Mobile Security, a mobile antivirus division of Alibaba Group Holding Ltd. The list of recently compromised iPhone and iPad apps includes Tencent Holdings’s popular mobile chat app WeChat, Uber-like car-hailing app Didi Kuaidi, and a Spotify-like music app from internet portal NetEase. Still, he said it was “a pretty big deal” because it showed that the App Store could be compromised if hackers infected the machines of software developers writing legitimate apps.

In separate statements posted to social media over the weekend, Tencent, Didi Kuaidi Joint Co. and NetEase said their applications had been compromised but said no sensitive customer information had been lost. “At present, we haven’t discovered any loss of user information or assets as a result of this [breach], though the WeChat team will continue to monitor and do tests,” Tencent said in a message posted to the Sina Weibo microblogging service late Friday.

To write apps for Apple devices, developers have to use a tool kit called Xcode, but downloading the official version from Apple’s website can take a long time in China. The tainted version of Xcode was downloaded from a server in China that developers may have used because it allowed for faster downloads than using Apple’s U.S. servers, Olson said.

A Chinese anti-censorship activist group called it “the most widespread and significant spread of malware” in the app store’s history. Asked whether it was possible the Chinese government was involved, Palo Alto Networks said it didn’t yet have enough information to determine who was behind the attack.

Other apps found infected with the malware include those belonging to state-run mobile carrier China Unicom, and 12306, the country’s official train-booking website, researchers said. It wasn’t clear how the infected apps made it past Apple’s screening process, or whether the breach had resulted in any user information being stolen, though researchers said millions of devices could have been exposed based on the popularity of the apps in question.

Security researcher Claud Xiao wrote on the firm’s website Friday that criminals and spies could use the malware to gain access to iOS devices. “We believe XcodeGhost is a very harmful and dangerous malware that has bypassed Apple’s code review and made unprecedented attacks on the iOS ecosystem,” he wrote.

In a time where ISPs are slowly looking to turn the screw on their users by applying data caps and forcing said subscribers to pay more for data that was previously unlimited—or, at least, capped pretty high—Apple is taking an approach with its new Apple TV that might not help the situation much. According to numerous reports, apps for the Apple TV are limited to a whopping 200 megabytes of “static resources” on the Apple TV (even though the device will come with either 32GB or 64GB of total storage). After the 200MB initial download, users can grab an additional 2GB in the form of on-demand resources—that which you’re actually using at any particular time. On-Demand Resources works in conjunction with whatever your user is actively accessing, and will flush older, unused content to make room for additional resources. “Knowing how and when to load new assets while keeping your users engaged is critical to creating a successful app,” reads a developer reference from Apple, as reported by 9to5Mac. Though the process is certainly good for saving space on local storage, if that’s really much of a concern on one’s Apple TV, it does mean that users could find themselves with some significant bills for extra data use if they’re frequently opening apps whose core content needs to be constantly re-downloaded.

A search of the term “mobile health” in the Apple App Store produces 22,755 programs that purport to do everything from consolidating personal health records to triaging symptoms. One app can even turn a smartphone into a medical device designed to diagnose patients with sleep apnea when a single-lead electrocardiograph (ECG) is connected to the phone. It even brought onstage a doctor associated with a new app that lets clinicians view patients’ appointment schedules and see vital signs, such as heart rates, via the Apple Watch. The patient might now come to an appointment with ideas on treatment options — and want to take a more active role in treatment by utilizing the tools in their app. Even if a user were inclined to actually locate and read the lengthy terms and conditions, there’s no way to determine if the app was created with the involvement of a medical professional.

The Food and Drug Administration has announced that it will only evaluate mobile medical device apps that are complex in nature, such as controlling delivery of insulin to a pump; serving as a de facto medical device like a glucometer; or using patient-specific information to create a diagnosis or recommend treatment. The FDA will not, as a general rule, evaluate apps deemed to pose less risk, such as those that inform or assist patients in managing their disease without providing treatment suggestions, or apps that help patients track or organize health information. While traditional health care providers are bound by the strict requirements for protecting the confidentiality of patient data under HIPAA, mobile medical apps are not. For example, one policy says: “To ensure that your information is secure, we have in place commercially suitable physical, electronic, and managerial procedures. Nevertheless, the transmission of information via the Internet is not completely secure and we cannot guarantee the security of data sent to us.” Additionally, the app is likely to collect, in the words of one policy, “location data, IP address, dates and times of access, which pages you view, information about your illnesses, symptoms, diagnoses, time of incidence of the illness or symptoms, and information regarding the relationships you have with people and or locations.” The app may also reserve the right to “disclose your information to third parties” without any word on who those third parties might be.
