According to recent reports, some versions of Xcode used by developers in China have been compromised and are being used to inject tracking code into iOS apps without the developers' knowledge. Unaware of the injection, those developers then released their compromised iOS apps to the App Store, where they were later approved by Apple. At the time of writing this post, the compromised apps are still available in the App Store. Any user who has installed and launched one of these compromised apps is a victim of this tracking code.
This is a significant compromise of Apple’s App Store. Apple notoriously reviews all app submissions manually and, in comparison to Android stores, has been relatively malware-free. This is the most widespread and significant malware outbreak in the history of the Apple App Store, anywhere in the world.
This thing is huge. Among the affected applications is WeChat, which is used by 500 million people and installed on probably every Chinese iPhone. Here’s another article with more details, but it’s from a security software peddler, so get your salt.
I find it interesting how data-mining code injected into Xcode can cause such outrage. The entire ecosystem (web, Android, iOS and the super-charged data-mining machine named Windows 10) is built around illegal data collection, stalking and surveillance. If that wasn’t (criminally) bad enough, this data is shared with untold third parties, who, in turn, share this data.
The only thing this hack did that can be considered illegal is the modification of someone else’s code. EULA or not, this kind of data-mining, surveillance and backdoors are constitutionally illegal. Big Business and Big Government have colluded to bypass the laws of this land, and it’s a shame anyone can defend this ongoing assault.
I have to admit to taking no interest in this story, as it was about Apple, until I read the BBC article http://www.bbc.co.uk/news/technology-34311203. What interested me was not that this is about Apple and its infected App Store. (I will still happily maintain that the repository approach is inherently safer than the Windows “search the Web, go to a malware site and install” system for installing software.) No! What interested me were the inherent dangers of closing and controlling the Internet.
I am currently living in China, and the Internet is painful: if you try to use the Internet as is, going outside of China is slow, randomly blocked and unreliable. The effect is that most Chinese users don’t bother to leave China. It is possible to get round this, but it is not easy. I had my own VPN connected to a VPS, and this was blocked after a month, so I now use a commercial VPN which works but is quite slow (and paid for with foreign currency). Again, the effect is that most users don’t leave China, which I assume is the intention.
The effect on software in China is that it is appalling, as it relies on pirated, hacked software loaded onto local websites, mainly Windows-based. Even much legitimate Chinese software is simply a machine for delivering adware to your computer (I’m thinking as I write of an English/Chinese dictionary that uses masses of system resources simply to deliver adverts of scantily clad girls to your computer). The effect is that the Chinese are used to software horror (it has become normal). Almost no one uses open source tools: if you want to partition a computer, no one uses GParted or similar; they will use an old, hacked, pirated version of some horrible proprietary software. This is a symptom of a closed web where users are making do with what they have available, rather than being able to engage with the world.
It comes as no surprise that, rather than going to Apple’s website to download the Xcode installer (a process that would require a VPN, would be an unreliable download and could take a week or so), they did the normal thing and got a hacked, pirated version that was easily available from a Chinese website.
There are a few lists of compromised applications posted on various sites. One list, attributed to research by Fox-IT, has numerous applications that are popular in the West on it. WinZip, for example, was on the list.
Don’t be fooled into thinking this is a problem only in China; it is an international problem. Many Western companies outsource software development to China, or have developers in China.
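The comments above describe developers installing an Xcode build fetched from a third-party mirror instead of Apple’s own download. The practical check a developer can make before trusting any such toolchain download is to compare its SHA-256 digest against the value the vendor publishes over a trusted channel, and on macOS to confirm the bundle’s code signature. The script below is an added example written for this page, not code from the original thread or from Apple; it assumes you already hold a known-good digest obtained from the vendor’s own site (never from the mirror you downloaded from), and it uses the sha256sum/shasum and spctl tools where they exist. The `demo` at the end uses a constructed stand-in file whose content is the standard SHA-256 test vector `abc`.

```shell
#!/bin/sh
# Added example (not from the original thread): verify a downloaded toolchain
# archive against a digest obtained from the vendor over a trusted channel,
# and refuse to install it on mismatch.
# Assumption: EXPECTED_SHA256 values come from the vendor's own site, not from
# the mirror that served the file.

# Print the hex SHA-256 of a file using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        echo "no SHA-256 tool found" >&2
        return 2
    fi
}

# verify_download FILE EXPECTED_SHA256
# Returns 0 on match, 1 on mismatch, 2 if the file cannot be hashed.
verify_download() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# verify_manifest MANIFEST
# MANIFEST lines look like "<sha256>  <path>" (the format sha256sum emits).
# Blank lines and lines starting with '#' are skipped.
# Returns 0 only if every listed file matches.
verify_manifest() {
    status=0
    while read -r digest path; do
        case "$digest" in ''|\#*) continue ;; esac
        verify_download "$path" "$digest" || status=1
    done < "$1"
    return $status
}

# verify_signature BUNDLE
# On macOS, assess the bundle with Gatekeeper. Apple's guidance after this
# incident was to run `spctl --assess --verbose /Applications/Xcode.app` and
# expect "source=Apple". On hosts without spctl the check is skipped.
verify_signature() {
    if command -v spctl >/dev/null 2>&1; then
        spctl --assess --verbose "$1"
    else
        echo "spctl not available; skipping signature check" >&2
        return 0
    fi
}

# Constructed demo: a stand-in "installer" containing the SHA-256 test
# vector "abc", whose digest is the well-known value below.
demo() {
    tmp=$(mktemp)
    printf 'abc' > "$tmp"
    good=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
    bad=0000000000000000000000000000000000000000000000000000000000000000
    verify_download "$tmp" "$good"
    verify_download "$tmp" "$bad" || echo "refusing to install a mismatching file"
    rm -f "$tmp"
}

demo
```

In day-to-day use the call is `verify_download Xcode_7.dmg <digest-from-vendor>` followed, on macOS, by `verify_signature /Applications/Xcode.app` after installation. The digest check only helps if the expected value was not obtained from the same untrusted source as the file itself; a mirror that re-hosts a trojaned installer can just as easily re-host a matching digest.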
Basically it means that China has some very talented people. So expect to see their work outside of China.