Apple has long benefitted from a perception that its devices and the software that powers them are more safe and secure than the competition, but last year's high-profile iCloud hack and a recent large-scale malware attack bring Apple security into question.
Earlier this month, Apple suffered a potentially catastrophic security lapse when malicious code injected into a counterfeit version of Xcode, the company's app development toolset, made its way into hundreds (and perhaps thousands) of apps from Chinese developers. The malware affected hugely popular apps, including WeChat, which was eventually pulled from the App Store. Apple failed to detect and stop the malware from entering its "walled garden" and gaining access to an untold number of customers' iOS devices.
Apple's stringent app review process was no match for the rudimentary malicious program, called XcodeGhost, that was embedded into the counterfeit Xcode tools used by mostly unsuspecting developers in China. Apple still hasn't disclosed the exact number of apps that were infected, but the company's senior vice president of marketing Phil Schiller told Chinese news website Sina that it's not aware of any cases where malicious apps transmitted user data, according to CNBC's Twitter account.
Apple security a question of perception vs. reality
Prior to this recent attack, malicious apps made their ways into the App Store only five times, according to cybersecurity firm Palo Alto Networks, which first reported the XcodeGhost attack on Sept. 17. The scope and potential damage that could come as a result of the recent snafu are greater than previous malware attacks. The real damage, however, might be to Apple's brand and its perception of unparalleled security in the market. The company fell victim to its second major privacy scare in 12 months, and there's reason to believe that it will be subjected to more attacks at even greater frequency in the future. In other words, cracks are starting to appear in the walls that surround (and protect) Apple's ecosystem, or "garden."
Bill Anderson, chief products officer at mobile malware security firm OptioLabs, is surprised more instances of malware running on Apple devices haven't come to light, because there are no technical differences between iOS and other mobile platforms that would make it less vulnerable to attacks, he says. "They're not doing anything radically different from anyone else in the industry. They may be doing it slightly better. They may have also just gotten luckier for a longer period of time."
Anderson says the most worrisome thing about the Xcode exploit is how the relatively simple malware sailed through Apple's app review process undetected. "Why didn't the Apple tools trigger to this? If they didn't, what else are they not triggering to, and why not?"
XcodeGhost the 'largest App Store breach in history'
Apple customers take comfort in the preconceived notion that iOS devices aren't susceptible to malware, because the company checks every app carefully before they're approved for public availability via the App Store. Despite the latest high-profile security incident, Apple will maintain that perception, according to Anderson. "There could be additional Apple exploits over the coming year, and we could start getting annoyed by them … but I think [iOS] is going to hold onto that perception of being [more secure] than Android for the foreseeable future," he says.
Thomas Reed, a Mac security expert and director of software maker Malwarebytes, calls the XcodeGhost attack "easily the largest App Store breach in history" and says the incident "will erode consumer confidence in the App Store as a (mostly) unassailable malware-free fortress."
Apple's review process, paired with its goal of absolute control over the App Store, reinforces the perception that its devices are more secure. When that system fails, trusting users become victims, and over time confidence and blind faith will be called into question. "Perfectly respectable, legitimate apps turned out to be infected," Reed writes in a related blog post. "It's hard for any user to be on guard against this kind of malware. Especially on iOS, where security features in the system make anti-malware software impossible."
In many ways, Apple is a victim of its own success. "Apple's security strategy is so well-engineered that its biggest danger may be the false sense of security that it gives developers and the massive number of iPhone users," says John Gunn, vice president of communications at Vasco Data Security.
Apple and devs to blame, but iOS users need to be vigilant
The specific long-term effects of the XcodeGhost malware attack are unknown, but because no serious or particularly nefarious events occurred as a result, Anderson believes last year's iCloud-based attacks on more than 100 celebrities were more damaging. However, Apple wasn't hacked in that case; users' accounts, and the associated passwords, were compromised. "That was devastating for those people, but it wasn't a platform attack. It was just as effective as if it had been, but the platform itself wasn't really questioned."
Apple will shoulder much of the blame for failing to detect XcodeGhost, but the onus is also on developers who used infected versions of Xcode. These coders reportedly downloaded bad versions of the utility hosted on third-party sites, in an effort to avoid the latest version the software because it is so large (more than 4GB). However, they had to disable Gatekeeper, Apple's security software, to run the bootleg, infected Xcode tools.
In the future, smart users should be more vigilant, but unfortunately Apple's control over its ecosystem means customers have little recourse when breaches occur. "Users should be more worried, and unfortunately there's nothing they can do about it," Anderson says. "It's great if your big buddy Apple does everything for you, but if they screw it up there's no way to solve the problem yourself."