Hackers Burrow Into Apple's Walled Garden

Uploaded on 2015-10-07 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

 

The Apple app store is often described as a "walled garden" - a picturesque image that suggests a serene idyll, a haven from the bustle and dangers of digital life. What it means is that Apple strictly controls what makes it into the App Store, vetting each app to make sure its security (among other features) is up to scratch.

Apple has sold more than 700 million iPhones to date, according to chief executive Tim Cook, yet the App Store has proven much more secure than the Android app ecosystem, because the latter doesn't have a single quality control system.
So the news that the walled garden has a rather nasty infestation is important. Several Chinese apps were discovered to contain code that could steal user information.

Apple has removed them, but these weren't knock-off stock or weather apps deliberately created to attack private information. Instead, several blue chip apps were stealthily compromised.  WeChat, China's answer to Whatsapp, was among them: it has around half a billion users.

Tencent, which owns WeChat, said its initial investigation had not shown that any of its users' information had been stolen.
Apple's reputation for security will probably survive, even if the walls of its garden could maybe do with a lick of paint. Given the number of iPhones Apple continues to shift, some sort of security breach was inevitable, and the Cupertino-based company has acted swiftly.

The fact that Chinese apps were infected is interesting for two reasons:

First, China is on track to become Apple's biggest market: it sold more iPhones there than in the US, according to its latest results. That makes iPhone users in China a bigger target, to criminals and perhaps others.

Secondly, this attack was more sophisticated than making a dodgy iPhone app, then hoping it makes it through the App Store (which has happened in isolated cases), and then that people download it.

Instead, they came up with a fake version of developer tool XCode, and tricked app developers into using it to build their apps. So the legitimate app developers were building apps from code that had already been compromised.
It's very elegant attack, one that requires skill and resources. It's also an approach the CIA considered, according to The Intercept, in a report based on documents supplied by Edward Snowden.

The Chinese government has long taken a keen interest in its citizens' Internet activities.
Identifying who's behind a hack is incredibly difficult. But Apple's success exposes it to some of the most motivated and best-funded hackers in the world, be they criminals or nation states, both in China and the rest of the world.
It might have to build those walls a little higher.
Sky: http://bit.ly/1Lt2GAJ

« Six Emerging CyberSecurity Risks
21 Announces the Bitcoin Computer »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Telefonica Tech

Telefonica Tech

Telefónica Cyber Security Tech is focused on the prevention, detection and appropriate response to security incidents aimed at protecting your digital services.

Maryville Online - Cybersecurity Program

Maryville Online - Cybersecurity Program

The Cybersecurity Program at Maryville Online is designed to help students reach opportunities in cybersecurity leadership and management through an entirely online curriculum.

SoftLock

SoftLock

Softlock is a regional leader in Information Security providing solutions, consulting, integration and testing services to protect information assets, identities and supporting infrastructure.

Spanish Network of Excellence on Cybersecurity Research (RENIC)

Spanish Network of Excellence on Cybersecurity Research (RENIC)

RENIC is a membership based sectoral association that includes research centers and other agents of the research cybersecurity ecosystem in Spain.

Cloudentity

Cloudentity

Cloudentity combines Identity for all things with API and Application security in a unique deployment model, combining cloud-transformation and legacy systems.

Arctic Wolf Networks

Arctic Wolf Networks

Arctic Wolf Networks delivers the industry-leading security operations center (SOC)-as-a-service that redefines the economics of cybersecurity.

AXELOS

AXELOS

AXELOS develops best practice frameworks and methodologies used globally by professionals working primarily in IT management and cyber resilience.

Startups.be

Startups.be

Startups.be helps tech entrepreneurs to be successful by providing quality access to service providers, business partners, customers and investors.

UnderDefense

UnderDefense

UnderDefense provides cyber resiliency consulting and technology-enabled services to anticipate, manage and defend against cyber threats.

BOXX Insurance

BOXX Insurance

BOXX Insurance Inc. is a new type of insurance company for a new type of risk. Cyberboxx is the first fully-integrated cybersecurity and insurance solution for small-to-medium-sized businesses.

PCI Security Standards Council (PCI SSC)

PCI Security Standards Council (PCI SSC)

The PCI Security Standards Council is a global forum that brings together payments industry stakeholders to develop and drive adoption of data security standards and resources for safe payments.

AT&T Cybersecurity

AT&T Cybersecurity

AT&T Cybersecurity’s Edge-to-Edge technologies provide threat intelligence, collaborative defense, security without the seams, and solutions that fit your business.

Xeol

Xeol

Software free of vulnerabilities, built and distributed by trusted entities. Our mission is to help customers secure their software from code to deploy.

ITButler e-Services

ITButler e-Services

At IT Butler, our mission is crystal clear: we are dedicated to providing top-tier cybersecurity solutions and best-practice methodologies to secure and enhance your digital infrastructure’s resilienc

Phone Monitoring Service

Phone Monitoring Service

Phone Monitoring Service provides cyber security services, ethical hacking services, social media hacking services in the USA, Canada, Europe.

Kerberus Cyber Security

Kerberus Cyber Security

Kerberus Cyber Security (formerly MintDefense) is a leading innovator in Web3 user security, dedicated to safeguarding digital assets and transactions through its flagship product, Sentinel3.