- Recent hack busts the myth of an impenetrable Apple Store
- New mode of cyber attack; application building tool targeted, rather than individual application
- The attack was probably intended to access credit card information
- China’s image of a country having lax online security reiterated
- This cyber attack can influence the upcoming Obama-Jinping meet
Even before it could recover from the euphoria generated by the launch of its celebrated iPhone 6S, Apple has been greatly embarrassed by the discovery of a malicious code introduced into a few applications in its App Stores. There is conjecture that some miscreants uploaded several versions of Xcode, a tool used to build iOS applications, on to a Chinese cloud storage service, and this was the root cause for the mischief, which was first discovered by Alibaba, a Chinese e-commerce firm.
Also relevant is the fact that most of the applications affected in this attack were meant for the Chinese market. One of these is WeChat, a competitor of WhatsApp owned by Facebook, which is very popular in China.
Myth of the Impenetrable Apple Store Busted
Until this incident App Stores were considered impenetrable, although experts in the past believed that the iOS was not all that invincible. According to them, damage could still be caused with the help of a sneaky application, which somehow gains lawful entry into the Apple App Store.
Believe it or not, reports indicate that this is exactly how the present attack took place. And mind you, Apple Corporation has been renowned for its high sensitivity to customer needs and for the extremely high standards of security in all its devices, especially the mobile ones. This is the first time it finds itself in discomfiture caused by some rogues in cyberspace who had earlier considered Apple beyond their reach.
The whole episode happened on Chinese shores, where one of the local developers was lured into accepting a malicious code for building an iOS application. It passes comprehension as to how the highly clued up and dedicated quality testers at Apple also slipped up into passing the applications which were infiltrated. It is possible that under pressure to adhere to strict deadlines they stopped with just static testing.
A New Mode of Perpetrating Cyber Attacks
The modus operandus seen in this case is different from what we normally associate with cyber attacks. Instead of targeting individual applications, the aggressors had this time concentrated on a tool that was being used to build applications. This points to the probability that the attack was well-planned, and it was sufficiently sophisticated to hoodwink the cleverest of those in charge of making secure applications.
What was the objective of the intruders? There is one theory that this was motivated by the desire to steal. Most of the iOS applications were the heart and soul of mobile devices, and we are aware that the latter are used for a variety of financial transactions. Once you gain unauthorised entry into a phone, you could secure a relatively easy access to credit card information.
It is this lure of making hordes of money that had possibly driven the criminals concerned. Till now there are no reports of stealing of information from devices. Also there is nothing to suggest that damage caused extended outside China. These are, however, early days to assert that not many outside China have been adversely affected.
Is Absolute Security Achievable?
The incident reveals two facts. If one applications maker can be breached, there are hundreds of others in the business who can similarly be victimised. Criminals do learn quickly from one another. Secondly, the episode brings further odium to China, which has always been a suspect in Western eyes for its lax online security and its unconcealed desire to pry on official websites outside its shores.
And the lurking feeling that the Chinese government is far from innocent is persistent. Many investigations conducted in the past by researchers at a few university centres dedicated to tracing hackers had detected a Chinese hand, that too of elements close to that country’s establishment.
The attack on App Stores has exploded the myth that there is something like 100% cyber security that we can achieve, if only we bring in the best of experts and pour enough money and equipment to safeguard databases. The poor security in some small firms handling information is normally attributed to a reluctance to spend. This belief has also now been set at naught. It has established beyond doubt that even the richer corporations with high investment in security are no less vulnerable in these days of excessive cyber crime.
Wrong Timing for Sino-American Relations
The attack on Apple could not have come at a worse time. It comes on the eve of Chinese Communist Party General Secretary Xi Jinping’s visit to the US. He is to meet President Obama, and cyber security is expected to be part of the agenda of the discussion. In the recent past, President Obama had taken serious note of suspected Chinese involvement in a number of hacking incidents. Whether the US can do anything more than registering a protest is a matter of conjecture.
Finally, the impact of the recent happenings on customer confidence cannot however be exaggerated. Apple has its own huge reputation that could come to its rescue. Also, many experts believe that breaches like these will continue to happen despite any number of precautions. The only test is how quickly such intrusions can be detected and how quickly the fire can be doused, so that the damage is limited. Viewed from this perspective, Apple has been swift and dexterous.
(The writer is a former CBI Director. He is currently security adviser to Tata Consultancy Services Ltd)
(At The Quint, we are answerable only to our audience. Play an active role in shaping our journalism by becoming a member. Because the truth is worth it.)