For me, this is the pertinent question: Why on earth didn’t Apple’s screening process detect and stop the XcodeGhost malware in the first place? The answer is fairly obvious, and it’s a problem that has plagued the antivirus industry from its inception.
Apple’s screening process, which doesn’t do any form of source code review, is very good at some things, and not so good at others. It makes sure an app runs as described. It makes sure an app plays by Apple’s rules (for example, that it only uses published APIs). It also looks for things like memory leaks that cause an app to allocate memory without freeing it up again.
But it’s not really good at screening for deliberate, malicious “features” of apps. Apple could, and I expect does, look for signatures of known bad things that could be in an app. But it doesn’t assess the app’s own security.
In practice, this means that if your app opens and writes to a file, Apple will ensure that you’re using a published API to do that. It will make sure that your app behaves as expected with regards to that file. But if you choose to put client information into that file without encrypting it, that’s really not Apple’s concern — nor should it be, if you ask me. That is business-level security and must be applied by the developer.
So from Apple’s perspective, the XcodeGhost malware was simply a deliberate feature of the infected apps. They’d been signed by their developers, so they carried that tamper-evident seal. A code signature, though, only proves that the binary hasn’t been altered since the developer signed it; it says nothing about whether the toolchain that produced the binary was clean, which is exactly where XcodeGhost got in. The apps behaved as documented.
Should Apple have looked for undocumented behavior? Perhaps. In hindsight, it would have been nice if Apple had observed the apps while they ran and looked for unauthorized outbound HTTP connections. But how could Apple rightly know which network connections were unauthorized? If the malware was using the Apple API for HTTP connectivity, then it was authorized, right?
We can all second-guess what Apple did and didn’t do that allowed so many malware-infected apps to enter the App Store. The important thing, though, is that Apple do some second-guessing of its own. I’ll bet it is going to be taking a critical review of its app screening process and making some improvements. And so it should. But before we criticize, let’s remember that pithy saying about the horse. App screening is fundamentally a blacklist process: it can only reject what it already knows to look for, so you’re doomed to be “throwed” from time to time.
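One answer to the question of how a reviewer could tell an authorized connection from an unauthorized one is to flip the model from blacklist to allowlist: have the developer declare the hosts the app is expected to talk to, run the app in a sandbox, and flag any destination that was never declared. The following is an added example of that check, not code from this column or from Apple’s review process. The declared-host list, the log entries and the `ExampleBank` process name are all constructed for illustration; the log format is an assumption, not any real sandbox’s output.

```python
"""Allowlist-based egress check for a sandboxed app run.

Added example. The declared allowlist, the observed-connection log and the
process name are constructed for illustration; no real review pipeline or
log format is being reproduced here.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed: hosts the developer declared at submission time.
DECLARED_HOSTS = {"api.example-bank.com", "cdn.example-bank.com"}

# Constructed: outbound connections observed while the app ran in a sandbox,
# as (timestamp, process, URL) tuples. The last two are the kind of
# undeclared phone-home traffic a reviewer would want surfaced.
OBSERVED = [
    ("00:00:01.204", "ExampleBank", "https://api.example-bank.com/v1/login"),
    ("00:00:01.611", "ExampleBank", "https://cdn.example-bank.com/logo.png"),
    ("00:00:02.002", "ExampleBank", "http://telemetry.example.net/upload"),
    ("00:00:02.417", "ExampleBank", "http://203.0.113.5:8080/ping"),
]


def host_allowed(host, allowlist):
    """Return True if host is a declared host or a subdomain of one.

    Matching is case-insensitive and requires a label boundary, so
    'api.example-bank.com.evil.net' does not match 'api.example-bank.com'.
    Raw IP literals never match a name-based allowlist.
    """
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    return any(host == h or host.endswith("." + h) for h in allowlist)


def undeclared_connections(observed, allowlist):
    """Return the observed connections whose destination was not declared.

    Each finding records the time, process, destination host, URL scheme
    and full URL, so a reviewer can see both where the app went and
    whether it did so in cleartext.
    """
    findings = []
    for ts, proc, url in observed:
        parts = urlsplit(url)
        host = parts.hostname or ""
        if not host_allowed(host, allowlist):
            findings.append({
                "time": ts,
                "process": proc,
                "host": host,
                "scheme": parts.scheme,
                "url": url,
            })
    return findings


if __name__ == "__main__":
    for f in undeclared_connections(OBSERVED, DECLARED_HOSTS):
        print(f"{f['time']} {f['process']} -> {f['host']} "
              f"({f['scheme']}) UNDECLARED: {f['url']}")
```

Run against the constructed log, the check passes the two declared bank hosts and flags the telemetry domain and the bare IP address. The point is the inversion: a signature-based screen can only reject what it already recognises, whereas a declared-egress check rejects anything the developer did not vouch for, which is exactly the category a compromised toolchain’s payload falls into.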