Apple wages battle to keep App Store malware-free

Jeremy Kirk | Nov. 5, 2015
Thousands of apps have been found in recent weeks with potentially malicious components.

A few days later, the mobile security company Appthority found 476 apps infected with XcodeGhost. Then FireEye said the problem was much worse: it uncovered 4,000 apps containing XcodeGhost.

The larger question is how the apps were able to bypass Apple's review.

David Richardson, an iOS expert with Lookout Mobile Security, said it's often hard to figure out at first glance the intent of an app.

Many of the capabilities built into XcodeGhost and the mobiSage SDK were not dissimilar to technologies used by ad networks or analytics platforms that Apple allows, he said.

But it was clear that the counterfeit version of Xcode didn't come from Apple, which was a big tipoff to malicious intent, Richardson said.

The mobiSage SDK case is more fuzzy: the ad library doesn't do anything outright malicious, which is possibly why Apple gave it a pass to the store, Richardson said. 

Still, FireEye labeled the apps using it as "high risk" in its blog post.

Claud Xiao, a security researcher with Palo Alto Networks, said how Apple reviews apps for security is largely a mystery.  

"Nobody knows how they do it," said Xiao, who did extensive research into XcodeGhost.

There are a couple of methods for reviewing code. Static analysis examines an app's code without running it, while dynamic analysis watches how an application behaves as it runs.

But malware writers have long used advanced techniques to obscure what they're doing in order to evade security scans and code reviews, Xiao said.

A cursory review of an app may not be able to detect if one was developed using the counterfeit version of Xcode or the legitimate version, he said.

The XcodeGhost and the mobiSage SDK problems show that Apple's code reviews are "not as perfect as we thought before," Xiao said.  

 
