Hackers Burrow Into Apple's Walled Garden

 

The Apple app store is often described as a "walled garden" - a picturesque image that suggests a serene idyll, a haven from the bustle and dangers of digital life. What it means is that Apple strictly controls what makes it into the App Store, vetting each app to make sure its security (among other features) is up to scratch.

Apple has sold more than 700 million iPhones to date, according to chief executive Tim Cook, yet the App Store has proven much more secure than the Android app ecosystem, because the latter doesn't have a single quality control system.
So the news that the walled garden has a rather nasty infestation is important. Several Chinese apps were discovered to contain code that could steal user information.

Apple has removed them, but these weren't knock-off stock or weather apps deliberately created to attack private information. Instead, several blue chip apps were stealthily compromised.  WeChat, China's answer to Whatsapp, was among them: it has around half a billion users.

Tencent, which owns WeChat, said its initial investigation had not shown that any of its users' information had been stolen.
Apple's reputation for security will probably survive, even if the walls of its garden could maybe do with a lick of paint. Given the number of iPhones Apple continues to shift, some sort of security breach was inevitable, and the Cupertino-based company has acted swiftly.

The fact that Chinese apps were infected is interesting for two reasons:

First, China is on track to become Apple's biggest market: it sold more iPhones there than in the US, according to its latest results. That makes iPhone users in China a bigger target, to criminals and perhaps others.

Secondly, this attack was more sophisticated than making a dodgy iPhone app, then hoping it makes it through the App Store (which has happened in isolated cases), and then that people download it.

Instead, they came up with a fake version of developer tool XCode, and tricked app developers into using it to build their apps. So the legitimate app developers were building apps from code that had already been compromised.
It's very elegant attack, one that requires skill and resources. It's also an approach the CIA considered, according to The Intercept, in a report based on documents supplied by Edward Snowden.

The Chinese government has long taken a keen interest in its citizens' Internet activities.
Identifying who's behind a hack is incredibly difficult. But Apple's success exposes it to some of the most motivated and best-funded hackers in the world, be they criminals or nation states, both in China and the rest of the world.
It might have to build those walls a little higher.
Sky: http://bit.ly/1Lt2GAJ

« Six Emerging CyberSecurity Risks
21 Announces the Bitcoin Computer »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

FT Cyber Resilience Summit: Europe

FT Cyber Resilience Summit: Europe

27 November 2024 | In-Person & Digital | 22 Bishopsgate, London. Business leaders, Innovators & Experts address evolving cybersecurity risks.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Panzura

Panzura

Panzura optimizes enterprise data storage management and distribution in the cloud, making cloud storage simple and secure.

IoT Security Foundation (IoTSF)

IoT Security Foundation (IoTSF)

IoTSF is a collaborative, non-profit organisation with a mission to raise the quality and drive pervasive security in the Internet of Things.

Monegasque Digital Security Agency (AMSN)

Monegasque Digital Security Agency (AMSN)

AMSN is the national authority in charge of the security of information systems in Monaco.

CETIC

CETIC

CETIC is an applied research centre in the field of ICT. Key technologies include Big Data, Cloud Computing, the Internet of Things, software quality, and trust and security of IT systems.

ALTR

ALTR

ALTR provide software-embedded solutions for data security and privacy.

GuardSight

GuardSight

GuardSight is a provider of specialized cybersecurity services to safeguard businesses, government, and remote workers against sophisticated cyber threats.

Wayra

Wayra

Wayra connects Telefónica and technological disruptors around the world. As their preferred strategic partner, we scale them up to accelerate their business and ours.

Norma Inc.

Norma Inc.

Norma provides the secured wireless environment (WiFi and Bluetooth) with the unauthorized AP detection, and secures your IoT assets from various threats.

Have I Been Pwned (HIBP)

Have I Been Pwned (HIBP)

Have I Been Pwned is a free resource for anyone to quickly assess if they may have been put at risk due to an online account of theirs having been compromised or "pwned" in a data breach.

Cybots

Cybots

Cybots is a multinational cyber defence brand founded in Singapore in 2018 to help organizations stay ahead of increasingly sophisticated threats from cyber criminals.

Kyndryl

Kyndryl

Kyndryl has a comprehensive portfolio that leverages hybrid cloud solutions, business resiliency, and network services to help optimize your IT workloads and transformations.

Marcum Technology

Marcum Technology

Marcum Technology consultants are focused on helping you reach your company’s full potential by exploring creative ways to integrate tomorrow’s technology into your business today.

VC3

VC3

VC3 provides a full range of Information Technology Solutions and Services to hundreds of municipalities and organizations throughout the USA.

TempoCap

TempoCap

TempoCap is a European growth-stage technology fund with offices in London and Berlin. We invest across a variety of high- growth sectors including cybersecurity.

Northrop Grumman

Northrop Grumman

Northrop Grumman is a global provider and integrator of complex, advanced and rapidly adapting information technology, cybersecurity, mobility and optimized services and solutions.

NetApp

NetApp

The NetApp portfolio includes intelligent cloud services, data services, and storage infrastructure that helps organizations manage applications and data everywhere across hybrid cloud environments.