written by Pierluigi Stella
Talking about the above, the Apple story is indeed surprising in 2 different ways.
First, the hackers changed the libraries for the Apple API in such a way that it wasn’t possible to distinguish them from the original ones. Then Apple had to miss that these apps were delivering malware, which is unusual given the very strict procedures apps undergo before being admitted to their store. I (almost) feel like complimenting the hackers for such cleverness.
From a security standpoint, there really isn’t that much to say.
If you’re a developer, and you choose to download the development toolkit from anywhere but the Apple site/store itself, then you should know you’re running a risk. I’d say it’s almost a dead certainty; why would anyone want to host the toolkit on their website? And when has Apple ever authorized such a thing?
The reason (rationale) adduced in the article – downloads from China are slow – is, quite simply put, ludicrous.
If they are on the slow side of things, Apple should set up some local CDN servers to distribute their code locally and reduce the lag; the servers would still be under their strict control. If they haven’t, then this one’s on Apple.
It’s really painful to download anything from a server halfway across the world. The sheer latency from Houston to HK is around 200 milliseconds, making it 10 times higher than a normal latency between 2 sites within the US. I know that the developers should’ve been more careful, but putting myself in their shoes, I can see why they were easily swayed to use the ‘local’ server.
Downloading the toolkit from China shouldn’t be so painful that legitimate companies resort to using local, unknown servers, ending up victims of this hack.