XCodeGhost
-
This level of stupidity deserves its own place.
Know what the whole deal with the latest iOS exploit is? Very simple.
Some stupid Chinese developers, instead of downloading XCode from the official Apple site, decided to download it from an unsecure source (Dropbox or GDrive) which, of course, was hacked and injects malicious code on the built software. Now, you would think those are the Chinese developers of the usual crapware you can find in the App Store, but you'd be wrong. These "developers" are the ones behind some of the most popular apps in China like WeChat, CamCard or Didi Kuaidi.
Now, you'd think this is limited to the Chinese because, well, Chinese labor. You are wrong again, because stupidity is not limited to those behind the Great Firewall. Here are some Chinese and non-Chinese iOS apps infected:
LifeSmart
OPlayerHD Lite
WeChat
WinZip
10000+ Wallpapers for iOS
Angry Birds 2 (China)
Camcard Business
CamScanner
SegmentFault
Mercury
Musical.ly
PDFReader
Perfect365
White Tile
iHexin
MoreLikers2
MobileTicket
iVMS-4500
Qyer
Golfsense
MSL108
ChinaUnicom2x
tiny deal.com
Snapgrab.copy
iOBD2
PocketScanner
CuteCUT
AmHexinForPad
SuperJewelsQuest2
air2
InstaFollower
CamScanner Pro
baba
WeLoop
DataMonitor
MSL070
nice dev
immtdchs
OPlayer
FlappyCircle
BiaoQingBao
SaveSnap
Guitar Master
jin
WinZip Sector
Quick Save
Didi Chuxing
Micro Channel
Railway 12306
The Kitchen
Freedom Battle
Marital bed
NetEase
Edit 1
For how long has this been happening? No one knows, but it could be months.
Now, is this Apple's fault? I don't think so. I mean, for as much as you can test the apps during the certification process, this probably happened with updates (which are not as thoroughly tested as new ones) and from well-known sources. So I understand Apple's employees' confidence in the quality of those apps and not thinking: maybe these morons sent some infected shit.
Edit 2
These guys seem to maintain a good list: http://9to5mac.com/2015/09/21/xcodeghost-infected-apps/
Rovio has advised that only the version of Angry Birds 2 in the Chinese App Store was affected.
-
So let me make sure I understand this: When I wrote an iOS app for my last company, Apple rejected it because we had a link in the main menu to our online help and getting started guides, which was somehow Not Cool™. But these guys can use a hacked XCode which generates malicious apps, and they make it through?
-
-
WinZip
That's a thing, still?
nice dev
After this, many people might question that.
WinZip Sector
Oh, more than one?
Kinda relevant (money shot about 15 seconds in, timestamp set to where it is to keep some semblance of context):
https://www.youtube.com/watch?v=k2R6bwxQqs8&feature=youtu.be&t=20m40s
Edit: beaten to the punch by @aliceif while looking for the timestamp! Grrr!
-
Well, that's a functional thing any 2¢ tester can see. A malware build, not that easy.
-
Yep:
That's a thing, still?
Why can't I navigate a fucking web page without iTunes? Stupid Apple.
-
Your link sends me to the iTunes download page. For Windows. Well... that's nice.
-
Yeah, me too. You need another malware to navigate Apple's app store: iTunes.
-
That link tells me that this App is not available in Germany ... which probably means that your attempt would have been futile nonetheless.
-
So much for: walled garden, because Security!
-
Next step for Apple:
"You send us your source code, we'll build it."
-
Even if they do, Microsoft is working on an Obj-C compiler that spits out Windows Store apps, iirc. So you could just ignore Apple if they do that.
Though I'm sure you're joking. I mean, no one is that stupid.
-
-
Next step for Apple:
"You send us your source code, we'll build it."
The fury if that happens will be colossal because a non-trivial chunk of what ends up in the store is not entirely built from source that the user can supply.
Consider cases like Unity where the black box that is the UnityEngine is compiled in and you don't get the source code to that, so you can't just give Apple all the source code and let them build.
-
The fury if that happens will be colossal because a non-trivial chunk of what ends up in the store is not entirely built from source that the user can supply.
Which means that Apple would stand firm on it.
-
Apple is stubborn but not stupid. There is quite an ecosystem out there that Apple doesn't want to piss off.
Bear in mind: this would be the second time they tried it - http://www.alphr.com/news/357121/apple-bans-flash-from-iphone-and-ipad for example.
-
Some stupid Chinese developers, instead of downloading XCode from the official Apple site, decided to download it from an unsecure source (Dropbox or GDrive) which, of course, was hacked and injects malicious code on the built software.
...wait, isn't XCode free?
WTF were these people thinking?
-
...wait, isn't XCode free?
WTF were these people thinking?
Couldn't download it very quickly apparently.
Apple are now providing local Chinese download sources for it.
Chinese app developers have told Reuters they resorted to downloading the tainted software kit for developers from unofficial, third-party sources because of slow speeds downloading from Apple's official servers located overseas. Many complained the U.S. tech giant should do more to support developers in the company's second-biggest market.
-
Though I'm sure you're joking. I mean, no one is that stupid.
I am, but since my work (if I ever get started on it) will be a research project rather than something literally billions of people rely on daily, I think I can afford to get away with it.