Are Apple developers on the hacker hit list?
By Goh Su Gim August 2, 2013
- Apple took down its developer site not for maintenance, but because of an intrusion
- It underlines the fact that iOS developers are being targeted more than ever now
APPLE’S developer website for its Mac, iPhone and iPad products was taken offline on July 18. Apple said it was performing unscheduled maintenance and this caused much concern among many developers, as they were unable to work on their latest code, manage existing apps or their accounts.
A few days later, on a Sunday evening (July 21), Apple released an official statement:
Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers' names, mailing addresses, and/or email addresses may have been accessed ...
Right after Apple declared the hack, a grey hat Turkish security researcher in London, Ibrahim Balic, claimed responsibility for the intrusion in a video posted on his YouTube channel, in which he claimed that he had filed bug reports prior to the takedown of the website.
He also tweeted: "Apple!! This is definitely not an hack attack !!!!!!!!!!!! I am not an hacker, I do security research :@"
Although there have been no further comments or statements from Apple about Balic’s claim, Apple does seem to be treating the occurrence as an intrusion. Reporters from news sites such as The Guardian who tried to contact the owners of the allegedly compromised email accounts were also unable to get feedback. Most of the emails were returned.
Currently, Apple is still working hard to revive and re-launch its web services. Its progress can be followed on a real-time dashboard on the Apple site.
Now the issue is, why are developers, particularly iOS developers, being targeted more than ever? The intrusion on the developer site, though reportedly done with benign intent, brings greater attention to the importance of securing developer accounts, and the potential consequences if such accounts are compromised and misused.
This is in light of an attack earlier this year on the popular iOS mobile developers’ forum iPhoneDevSDK, which successfully claimed victims at big tech companies such as Apple, Facebook and Twitter.
The compromised site was hosting malicious JavaScript that exploited a zero-day vulnerability in Java installations on the visitors’ machines. iOS developers understandably favour using Macs, which have historically been free of most malware issues, but in this case the presence of Java on their systems proved to be an Achilles’ heel.
This was a textbook watering hole attack, where a hacker intending to attack specific users first compromises a site those users are likely to visit, in order to gather information or access they can later use for a more direct attack against the targets – in this case, the developers who were visiting the site.
Gaining access to application developers’ personal information, which may be used later to compromise their developer accounts, could lead to great harm for users who trust the developer’s products and reputation, particularly on the iOS platform.
Unlike Google’s Play store or other app stores for the Android platform, penetrating and uploading a tainted application into Apple’s App Store has long been a challenge for malware authors, particularly as Apple’s strict review policies have successfully prevented much rogue application activity in the six years since the first iPhone appeared.
To get around these barriers, malware authors are now targeting the developers themselves.
Attackers with secret access to legitimate developer accounts may prove to be much harder to detect, as they could upload malicious apps using the stolen credentials, essentially stealing the developer’s reputation to push their products. With these accounts, attackers may also be able to manipulate and push notifications to current app users, urging them to update to a ‘newer version’ that is actually malicious.
In the worst-case scenario, they may also use the official signing certificate given by Apple to the developers for approved apps in order to sign their own malicious packages. This technique allows attackers to evade detection by mobile security solutions, which usually whitelist apps signed with these certificates. This in turn makes it more likely for users to unwittingly install the malicious app onto their devices.
As the user, the last thing you need is a rogue authenticated application in the App Store. Apple, of course, doesn’t want this either, which is why it is keeping the affected services down until it is certain the security issues have been fixed.
This may also affect the development of applications for the upcoming iOS 7, which is planned for release this coming fall.
Goh Su Gim is the security advisor, Asia, for cybersecurity firm F-Secure.