
More attacks coming after biggest hacker breach in Apple app store

Aaron Pressman

Apple's (AAPL) iPhone app store was penetrated by hackers who infected hundreds of apps with malware -- including the Chinese version of Angry Birds 2 and WeChat -- but the malevolent programmers didn't actually crack Apple's security, they bypassed it.

The hack, which started by infecting tools Chinese developers use to write apps, is a harbinger of many to come for smartphone users, security experts warn. And that gives consumers just one more security risk to worry about amid a wave of online credit card theft, digital identity poaching and rampant Internet hacking.

"Apple has done a great job diligently protecting the app store and there really hadn't been a lot of intrusions," says Ryan Olson, director of threat intelligence at Palo Alto Networks (PANW), which helped uncover the hack. "This case is really different."

Apple has multiple safeguards to prevent hacked apps or malware from getting into the app store in the first place and includes numerous features in its iOS software to further secure the iPhone once apps are installed.

The twist in this case is that the hackers targeted app developers instead of writing their own infected app. Apple may have top-notch security, but that doesn't extend to the thousands of app developers across the globe. And once the infected apps got past Apple's screens and were installed on users' iPhones, they could steal logins and passwords for all kinds of services. Hundreds of millions of iPhone users, mostly in Asia, were potentially affected, the security software maker Lookout has estimated. The firm has compiled a list of known infected apps for iPhone users.


"It was just a matter of time until the bad guys found ways to make it into these curated environments," says George Kurtz, CEO of security firm Crowdstrike. "This was just the junior varsity of attacks compared to what could be coming down the pike."

The unknown hackers added their malicious code to a program Apple makes called Xcode that developers use to write and update apps. Then they uploaded the infected copy of Xcode to a cloud server in China run by Baidu (BIDU). Because the Chinese government imposes heavy restrictions on Internet use, it can take a long time for developers there to download an official copy of Xcode from Apple's servers outside the country. Some took a shortcut, looked for local copies, and downloaded the infected one. The infected tools then built the hackers' malware into hundreds of apps those developers produced, in a way that Apple's app store screening couldn't detect.

Baidu removed the corrupted Xcode files this week and Apple started removing infected apps. On Tuesday, Apple also sent developers instructions to verify that the version of Xcode they have isn't corrupted. The malware-installing version of Xcode, dubbed XcodeGhost by security experts, had been available since at least last March, so there may yet be more apps that have to be removed.
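The check Apple asked developers to run is Gatekeeper's assessment of the Xcode bundle's code signature; a copy that was modified after Apple signed it, as the Baidu-hosted copies were, no longer assesses as accepted from an Apple source. The script below is an added example, not code from the article or from Apple: it wraps that `spctl --assess` call and parses its result, and it assumes the default install path `/Applications/Xcode.app`.

```shell
#!/bin/sh
# Added example: verify that an installed Xcode still carries Apple's own
# signature. A trojanized copy (XcodeGhost-style) is re-packaged after
# signing, so Gatekeeper reports it as rejected or from a non-Apple source.

# Return 0 only if the spctl result says "accepted" and names an Apple
# source (Mac App Store, Apple System, or Apple). Anything else, including
# "rejected" or a third-party Developer ID, is treated as a failure.
xcode_assessment_ok() {
    # spctl prints "path: accepted" and "source=..." on separate lines;
    # collapse newlines so both one-line and two-line layouts are handled.
    out="$(printf '%s' "$1" | tr '\n' ' ')"
    case "$out" in
        *rejected*) return 1 ;;
    esac
    case "$out" in
        *": accepted "*"source=Mac App Store"*) return 0 ;;
        *": accepted "*"source=Apple System"*)  return 0 ;;
        *": accepted "*"source=Apple"*)         return 0 ;;
    esac
    return 1
}

# Run the real assessment on a Mac. The path is an assumption (the default
# install location); pass another bundle path as the first argument.
check_installed_xcode() {
    app="${1:-/Applications/Xcode.app}"
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not found; run this on macOS" >&2
        return 2
    fi
    result="$(spctl --assess --verbose "$app" 2>&1)"
    echo "$result"
    if xcode_assessment_ok "$result"; then
        echo "OK: $app is signed by Apple"
    else
        echo "WARNING: $app failed Gatekeeper assessment; reinstall from Apple" >&2
        return 1
    fi
}
```

Call `check_installed_xcode` on a developer Mac; a non-zero exit means the bundle should be deleted and re-downloaded from Apple.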

The larger problem, however, is that the hackers in this case showed a path for future attackers to follow around the security safeguards of the iPhone app store, and the same tactic could easily work against the stores run by Google, Amazon and others: target the weakest link in the app security chain, the developers. Hackers probably won't be able to repeat the trick of spreading their own infected version of Xcode from a Chinese server, but they can get into developers' computers in other ways and secretly modify the software those developers build.

Apple will likely modify Xcode to make it more difficult for hackers to infect the toolset and harder for infected apps to fool the company's app store security checks. But hackers could find many other ways to penetrate developers' hardware and software to infect future apps. Hackers have had great success penetrating corporate networks by sending infected emails, for example. They've also spread malware via commonly used flash drives and collected passwords from hacked keyboards. Security experts will also be on the lookout for malware targeted at developers, but such detection usually only works after an infection has already spread.

"There is no system that is immune," says Sam Rehman, chief technology officer at Arxan Technologies, which makes cybersecurity software. "We'll see more and more of these to come."

There's not much consumers can do about it, either. Of course, there are some long-running and obvious precautions to take: don't jailbreak an iPhone or load apps from unofficial sources. But because hackers will now target developers, there's not really any way for consumers to stay totally safe. Just be prepared to do some damage control if and when an infected app gets on your phone.