Apple taking steps to prevent another large-scale App Store breach

The Californian tech giant's senior vice president of worldwide marketing said that Apple will be providing official Xcode software to Chinese developers to avoid another security breach of its App Store.

Screenshot by Nick Statt/CNET

Apple is on the cusp of selling millions of phones upon Friday's release of the iPhone 6S range, but its big launch week was dampened somewhat when the company found that dozens of apps in its App Store were infected with malware. Phil Schiller, the company's senior vice president of worldwide marketing, said on Tuesday that steps are being taken to prevent any such occurrence in the future, according to Sina.

The source of the tainted apps was a program called XcodeGhost, a counterfeit version of Xcode, the platform used by developers to create programs for iOS and Mac. Developers in China often download Xcode from local sites due to the slow download speeds associated with sourcing it officially from Apple's US servers. The spurious version of Xcode was slipped in amongst the authentic ones on Chinese sites and downloaded by many programmers, unbeknownst to them.

"In the US it only needs 25 minutes to download," Schiller told Sina, admitting that in China getting Xcode "may take three times as long." He told the Chinese publication that, to quell this problem, Apple would be providing an official source for developers in the People's Republic to download Xcode domestically.

He added that the Californian tech giant will soon reveal a list of 25 apps it knows to have been infected. However, Schiller made sure to note that the malware is relatively harmless and that there's no evidence of it stealing any information from users that have downloaded a tainted app.

The App Store's security breach was initially reported by Palo Alto Networks, who said that 39 apps were compromised, including ones used for trading stocks and banking. Also among them was WeChat, a messaging app with over 500 million monthly users. Its developer, Tencent, has said that only users of an older version of WeChat could potentially be affected.

"We've removed the apps from the App Store that we know have been created with this counterfeit software," an Apple spokeswoman said on Monday. "We are working with the developers to make sure they're using the proper version of Xcode to rebuild their apps."

The App Store's security has historically been solid. Palo Alto Networks noted that prior to this attack only five malware-infected apps have been able to make it through the company's testing. There are over 1.5 million apps in the store.

Ryan Olsen, the firm's director of threat intelligence, told Reuters that, while the malware was relatively harmless, the attack is significant in that it proves the App Store can be compromised on a large scale.

Featured Video