Apple has had a long-standing reputation for high-quality content in the App Store, mostly due to the strict requirements it sets forth for app developers who want to sell their content there.
Basically, the tech giant puts up a “my way or the highway” set of requirements if an outside software company wants to make money off of Apple’s customers; this level of strict protection has made the tech company very, very popular with consumers around the world. When news came out earlier this month that more than 200,000 Apple consumers’ accounts had been compromised by hackers, the cause was immediately traced to the customers’ own actions. By stripping away the protections that block Apple devices from downloading apps from third-party websites—a practice known as “jailbreaking”—those affected consumers had left the door wide open for malware to infect their phones and tablets.
Now, however, a new breach has been discovered in China’s legitimate Apple App Store. Hackers first used malicious code to create a fake version of Apple’s app development software, Xcode; content creators who accidentally used the fake version—what researchers are calling XcodeGhost—to produce and then sell their apps unwittingly incorporated malware into their apps. When consumers bought these apps from the Apple App Store, the malicious software came with them. But once again, the blame goes back to the consumer, in this case the developer who used the faulty software. According to one news source on the infectious breach, downloading the correct version of the Xcode software directly from Apple can take a long time due to its file size, and anyone still paying for data per gigabyte would pay more to download it. Developers looking to speed things along downloaded the fake software from websites that promised a faster, easier download.
Interestingly, the malicious software hidden in these apps made with XcodeGhost targets the device’s clipboard (where content is held when you copy and paste it). Users who store their passwords so that they can just press Paste to log in are potentially vulnerable, and users who take advantage of a password storage app could be as well. While Apple begins the process of removing apps made with XcodeGhost and works with developers to rewrite and relaunch them, this is a good time for consumers to do a quick inventory of their mobile devices.
There’s no reason to believe a similar method of attack can’t happen in any App Store around the world, so it’s important to make sure you’re following safe app-downloading practices. Never download content that isn’t intended for your device by using a “jailbroken” phone or tablet, and even if you are using the legitimate App Store for your content, take a close look at the reviews of the app and the permissions it requires in order to function. Be very careful with your passwords, and avoid the temptation to store them in your phone just to avoid having to type them each time you need them. You can save yourself a lot of headaches later by only using vetted, highly rated content and guarding your sensitive data.