Thousands of iOS apps infected by XcodeGhost

24 Sep 2015

Apple hack exposes flaws in building apps behind ‘Great Firewall’.

Ever since Apple let slip in June that the latest version of its operating system for iPhones and iPads would enable ad blocking, the discussion of the looming apocalypse for ad-dependent publishers has been impossible to avoid — unless you’ve installed ad-blocking-discussion-blocking software, of course.

Beijing: China’s ‘Great Firewall’ may have been partly to blame for the first major attack on Apple Inc’s App Store, but experts also point the finger at lax security procedures of some big-name Chinese tech firms and how Apple itself supports developers in its second biggest market.

Beijing: Apple Inc has removed some applications from its App Store after developers in China were tricked into using software tools that added malicious code in an unusual security breach.

When Apple introduced its latest tablet computer earlier this month in San Francisco, CEO Tim Cook called the iPad Pro—a large-screen tablet with a detached keyboard—the “clearest expression of our vision of the future of personal computing.” The general reaction to this, once people stopped tweaking Apple for reinventing the Microsoft Surface, was applause.

A study released in August showing growing use of ad blockers on computer Web browsers also fanned the flames, but the fear that the practice is about to engulf the much-faster-growing mobile world is most intense. A malicious programme, dubbed XcodeGhost, hit hundreds — possibly thousands — of Apple iOS apps, including products from some of China’s most successful tech companies used by hundreds of millions of people. Now the adblockalypse would appear to be upon us, with iOS9 installed on more than half of Apple mobile devices and an ad blocker called Crystal atop the paid-download list in Apple’s App Store.

Palo Alto Networks, the US internet security company that spotted the problem, says the attacker could send commands to infected devices that could be used to steal personal information and, in theory, conduct phishing attacks. Like many others, I’m guilty of snoozing my alarm clock in the morning, at least once or twice, just to get one last relaxing moment with my bed before starting a long day of work. This has brought some drama: Marco Arment, developer of an even faster-selling ad-blocking app than Crystal, abruptly pulled it from the App Store, saying that while ad blockers “do benefit a ton of people in major ways, they also hurt some, including many who don’t deserve the hit.” Humor, too: the Onion actually devoted one of its American Voices person-on-the-street columns to Arment’s decision. Companies affected by the XcodeGhost attack included Tencent Holdings Ltd, one of the world’s biggest internet firms, and Uber Technologies Inc’s biggest challenger, Didi Kuaidi, which just completed a $3 billion (Dh11.01 billion) private fund-raising round.

Apple’s strict nine-minute snooze policy is personally annoying: It gives me just enough time to fall asleep again for a few minutes, which doesn’t help me wake up. It seemed clear that the company intended to move its personal computers “into a more iPad/iPhone-like ecosystem, where Apple gives you permission to use the computers you buy in only the ways Apple considers appropriate.” Is Apple planning to make all its personal computers iOS devices at some point? More than any other major computing platform, iOS limits customer choices to those Apple deems appropriate—in large part by forcing software developers to get permission before selling, or even giving away, the apps that run on the platform.

That’s partly because the iOS change targets the Safari browser; the majority of users who consume media on smartphones via social networks and other apps aren’t affected. Here’s an ad executive, quoted in a 1987 Philadelphia Daily News article, fretting about the rising popularity of videocassette recorders: “When a viewer records a network program to play it back at a later time, they often zip through the commercials or they zap them out entirely. Some Chinese firms had said they were pushed to download Apple’s developer toolkit from unofficial sources in China because of the slow internet speeds when connecting to international services. The country’s censorship architecture, dubbed the Great Firewall, does not block app developers from downloading the official version of Xcode, but the controls, along with low investment in infrastructure for international connections, make using services based outside China a painful process.

Hackers are increasingly looking for new ways to target mobile apps and devices, including iPhones, because they are so widely used by many consumers, added Darren Hayes, a cybersecurity expert at Pace University in New York. The world’s second-largest economy has average internet speeds more than three times slower than those in the United States, according to online content delivery firm Akamai’s latest State of the internet report. The creators of this malware took advantage of public frustration with Beijing’s internet filters, which hamper access to Apple and other foreign websites. I personally find native advertisements an abomination and find it peculiar that the Times, which fancied itself the arbiter of ethics in the world of journalism, would so easily adopt the idea.

Same with DVDs, DVRs, pop-up ad blockers and a long series of other supposedly existential technological threats to media that turned out to be largely harmless or even a boon. Software developers unwittingly downloaded and used development tools that had been modified, so when they uploaded their apps to Apple, the apps were infected. The size of that contribution to the tech giant’s bottom line has fuelled resentment among some of the Chinese firms who are making those apps, who complain of lack of support. Due to the large size of the Xcode file, “some Chinese developers choose to download the package from other sources or get copies from colleagues.” Companies with apps that were affected include taxi-hailing service Didi Kuaidi, Citic Industrial Bank, China Southern Airlines and the music service of NetEase, a popular Web portal, according to the newspaper Yangcheng Evening News.

Neither they nor Apple caught the hack until some number—it’s unclear how many—of users had installed the malware-laden apps, including versions of several hugely popular ones such as WeChat, on their devices. There is a natural human need to have businesses proposition you with goods and services and vice versa.” This doesn’t necessarily mean, though, that they will keep doing that propositioning in the same ways and via the same channels.

If Apple had provided a local, quick source for the official Xcode software sooner it could have avoided the problem, said software developer Feng Dahui. But regardless of the challenges facing them in China, many app developers and security experts said the tech firms themselves bear the most responsibility for the attack, which has affected mostly Chinese companies and users so far. Apple has made itself into what security experts call a “single point of failure”—where whatever goes wrong can affect many other parts of the ecosystem that no one can avoid using. (Example: A massive outage on Amazon’s web-services platform this week created an “outage spiral” for some of its customers, and their customers.) Apple’s tight grip on iOS has another worrisome element: the app approval process that goes way, way beyond security and into the content of the app itself.

It is at least worth considering that this really is the beginning of the end for most advertising on the Internet, at least advertising of the kind we’re used to, and find so irritating. Apple is asserting that it has the right, and the duty, to prevent its customers from seeing things that Apple, in its sole judgment, considers offensive or otherwise objectionable. Ad blocking will have a negative impact on a lot of online services that rely on advertising if too much of it is dependent on banner and display ads. It is often attributed to the way advertisers track consumers across the Internet, clogging up their browsers, invading their privacy and sometimes just creeping them out.

It will force many advertisers to adopt a pay-per-click model and risk being scammed by advanced robots that will be coming in from fake IP addresses and clicking through ads as if they were interested customers. In the most recent case, journalist Dan Archer found himself stymied by the Cupertino content cops when he tried to ship an app that combined virtual reality with politics.

Above all, though, expect the steady march of native advertising that will eventually overtake legitimate editorial content written by staffers and freelance writers who cannot compete with free content that a publisher is paid to utilize. Such advertising can be counterproductive — the underpants thing has been happening to me lately, and I think it has convinced me never to go near any online outpost of underwear seller Mack Weldon again — but that effect is hard to measure, while the tiny percentage of people who click through on the ads and buy stuff are of course easy to count.

It is instead the online equivalent of junk mail or late-night TV infomercials: technology-enabled, data-driven, personalized pitches intended to get us to buy something now. Blogger and marketing prophet Doc Searls thinks the key to fixing online advertising is to make this kind of targeted advertising — he calls it adtech — much harder: “In marketing lingo, adtech is a form of direct response marketing, which is descended from the direct (aka junk) mail business, not from Madison Avenue. “The baby in the adblock bathwater is Madison Avenue, which has paid for nearly everything on newsstands, radio and TV since their beginnings. Even if we didn’t like ads fattening our magazines or interrupting our programs, we knew the economic role they played, and we appreciated their best work.” The problem with this proposal is that mass-market, Madison-Avenue-style ads have never been very successful on the short-attention-span, increasingly small-screen Internet. If they think someone might be offended by something in their story, assuming it’s not illegal in the first place (and very, very little speech is illegal), they should set aside an area for people who want to check out material that others might find deeply offensive.

Or Apple hires the same writer, pays that person $1,500 to write the review under company supervision and then pays the magazine $2,500 to run the review as a native advertisement. When they try to command users’ attention by delaying access to articles or with auto-playing videos, they’re just as irritating as ad tech, and are in fact a major target of current ad blockers. Buzzfeed is trying hard to come up with forms of brand advertising that people actually want to share online, and that will surely be one path to survival for ad-supported media companies. But the ability to target and track individual users is such a big part of what Internet advertisers do that it’s hard to imagine them giving up without a vicious fight. What makes it work is that the consumer of the information—that’s you, the public—does not seem to understand what is going on or even care. “It was an interesting review.

The “cookies” used to track me also make it possible for me to read the Financial Times and Wall Street Journal online without having to log in every danged time. The Verge’s Nilay Patel argues that Apple’s iOS9 ad-blocking move was aimed squarely at archrival Google and its central role in the existing Internet advertising infrastructure. Doc Searls has in the past described a vision, which I find extremely appealing, of an online world in which individualization and targeting are possible, but the consumer controls the process.
