Hackers Burrow Into Apple's Walled Garden

 

The Apple app store is often described as a "walled garden" - a picturesque image that suggests a serene idyll, a haven from the bustle and dangers of digital life. What it means is that Apple strictly controls what makes it into the App Store, vetting each app to make sure its security (among other features) is up to scratch.

Apple has sold more than 700 million iPhones to date, according to chief executive Tim Cook, yet the App Store has proven much more secure than the Android app ecosystem, because the latter doesn't have a single quality control system.
So the news that the walled garden has a rather nasty infestation is important. Several Chinese apps were discovered to contain code that could steal user information.

Apple has removed them, but these weren't knock-off stock or weather apps deliberately created to attack private information. Instead, several blue chip apps were stealthily compromised.  WeChat, China's answer to Whatsapp, was among them: it has around half a billion users.

Tencent, which owns WeChat, said its initial investigation had not shown that any of its users' information had been stolen.
Apple's reputation for security will probably survive, even if the walls of its garden could maybe do with a lick of paint. Given the number of iPhones Apple continues to shift, some sort of security breach was inevitable, and the Cupertino-based company has acted swiftly.

The fact that Chinese apps were infected is interesting for two reasons:

First, China is on track to become Apple's biggest market: it sold more iPhones there than in the US, according to its latest results. That makes iPhone users in China a bigger target, to criminals and perhaps others.

Secondly, this attack was more sophisticated than making a dodgy iPhone app, then hoping it makes it through the App Store (which has happened in isolated cases), and then that people download it.

Instead, they came up with a fake version of developer tool XCode, and tricked app developers into using it to build their apps. So the legitimate app developers were building apps from code that had already been compromised.
It's very elegant attack, one that requires skill and resources. It's also an approach the CIA considered, according to The Intercept, in a report based on documents supplied by Edward Snowden.

The Chinese government has long taken a keen interest in its citizens' Internet activities.
Identifying who's behind a hack is incredibly difficult. But Apple's success exposes it to some of the most motivated and best-funded hackers in the world, be they criminals or nation states, both in China and the rest of the world.
It might have to build those walls a little higher.
Sky: http://bit.ly/1Lt2GAJ

« Six Emerging CyberSecurity Risks
21 Announces the Bitcoin Computer »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Freshfields Bruckhaus Deringer

Freshfields Bruckhaus Deringer

Freshfields Bruckhaus Deringer is a global law firm with a track record of successfully supporting the world's leading corporations, financial institutions and governments.

Morgan Lewis Law

Morgan Lewis Law

Morgan Lewis is an international law firm with offices in North America, Europe, Asia, and the Middle East. Practice areas include Privacy and Cybersecurity.

France Cybersecurity

France Cybersecurity

France Cybersecurity represents the French cybersecurity industry to raise international awareness of French cybersecurity capabilities and solutions.

Competence Center for Applied Security Technology (CAST)

Competence Center for Applied Security Technology (CAST)

CAST offers a range of services in the field of secure modern information technology and a contact point for all questions regarding IT security.

NESEC

NESEC

NESEC is a specialist in information security consulting services and solutions.

European Business Reliance Centre (EBRC)

European Business Reliance Centre (EBRC)

EBRC is a leader in integrated Data Center, Cloud and Managed Services and a Centre of Excellence in Europe in the Management of Sensitive Information.

Redjack

Redjack

Redjack is a cutting-edge network analytics company focused on enterprise and ISP security and intelligence solutions.

Trusted Knight

Trusted Knight

Trusted Knight is a leading provider of security software solutions focused on defeating newly developed malware and crimeware trojans.

BA-CSIRT

BA-CSIRT

BA-CSIRT is a center which is dedicated to assist and raise awareness among citizens and the Government of the City of Buenos Aires in everything related to information security.

Sopher Networks

Sopher Networks

Sopher is a secure communication and collaboration platform for business and personal use.

Perimeter 81

Perimeter 81

Perimeter 81 is a Zero Trust Network as a Service designed to simplify secure network, cloud and application access for the modern and distributed workforce.

PKI Solutions

PKI Solutions

PKI Solutions offers Public Key Infrastructure (PKI) products, services, and training to help ensure the security of organizations now and in the future.

e-Xpert Solutions

e-Xpert Solutions

e-Xpert Solutions is a company specialized in the Information Security field since 2001. Our skills are strong technical expertise and the development of tailor-made solutions.

Mitigo Group

Mitigo Group

Mitigo offers a well considered and effective approach to keeping businesses completely secure from any digital attacks.

InnovateHer

InnovateHer

At InnovateHer, our vision is to make the tech sector more equitable, by increasing diversity across the spectrum and creating more inclusive workplaces.

Anjolen

Anjolen

Anjolen provides expertise in cybersecurity, compliance and cyber forensic services.