The chain of trust has long been an important aspect of information security. Every computer and mobile device purchased today ships with a pre-defined collection of root CAs (certificate authorities) that act as the trust anchor for every future cryptographic operation on that device. Organizations and end-users generally place their trust in the hands of the hardware or operating system manufacturers and spend little time auditing those trust anchors once they are in place.
The recent XcodeGhost exploits have shown how placing too much trust in your chain of trust can lead to compromises. Numerous stakeholders have different responsibilities in a shared security model. Below is a breakdown of responsible parties in the case of XcodeGhost.
Developers: By disabling Apple’s Gatekeeper validation tool, XcodeGhost’s creators bypassed Apple’s code-signing system. Checking file hashes is a common method of ensuring the validity of software. Developers should also ‘wash’ their apps through security software before submission to app stores.
Apple: Apple has a strict and complicated approval process for every application submitted to its App Stores. What is clear now is that Apple does not code sign from its compiler through to the submission process. Apple’s terms and conditions do not allow code injection, but it is unclear whether or not Apple can test for it. Malicious applications may use an A/B method to limit detection during the approval process.
Enterprises: Owing to the above, it is risky to rely on hardware vendors and developers to deliver secure code 100% of the time. Enterprises should audit the use of non-approved applications (e.g. those signed via enterprise certificates) and regularly review general application usage for malicious activity.
Our Secure Mobile Gateway detected that 10% of our customers had at least one device with an infected iOS application installed. We identified infections across multiple countries and customer verticals, proving this wasn’t limited to Chinese users and companies. These applications are best identified by detecting and blocking access to their command and control domains. Hackers will continue to work on methods to inject malicious code into applications in order to harvest information from their victims.
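As an added example (not the Secure Mobile Gateway’s own code), the Python sweep below shows the detection approach described above: it reads proxy log lines and flags devices that contacted a blocklisted command and control domain, including its subdomains, while avoiding lookalike false positives. The blocklist entries and log lines are constructed placeholders, since the post does not list the XcodeGhost domains.

```python
"""Flag devices whose proxy logs show contact with command-and-control domains.

Illustrative example; the blocklist and log lines are constructed placeholders,
not real XcodeGhost indicators.
"""
from collections import defaultdict

# Constructed blocklist; a real one would come from threat intelligence.
C2_BLOCKLIST = {"c2-placeholder.invalid", "analytics-lookalike.test"}

# Constructed proxy log lines: "<timestamp> <device_id> <destination_host> <status>"
SAMPLE_LOG = """\
2015-09-21T08:01:12Z dev-001 init.c2-placeholder.invalid 200
2015-09-21T08:01:15Z dev-002 www.apple.com 200
2015-09-21T08:02:40Z dev-003 analytics-lookalike.test 403
2015-09-21T08:03:01Z dev-001 c2-placeholder.invalid 200
2015-09-21T08:04:22Z dev-004 cdn.example.org 200
2015-09-21T08:05:00Z dev-002 notc2-placeholder.invalid 200
"""


def matches_blocklist(host, blocklist=C2_BLOCKLIST):
    """True if host equals a blocked domain or is a subdomain of one.

    Label-aware matching keeps 'notc2-placeholder.invalid' from matching
    'c2-placeholder.invalid'; a plain substring test would flag it.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocklist)


def find_infected_devices(log_text, blocklist=C2_BLOCKLIST):
    """Return {device_id: sorted C2 hosts contacted} for flagged devices only."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than abort the sweep
        _ts, device, host = parts[:3]
        if matches_blocklist(host, blocklist):  # a blocked (403) attempt still counts
            hits[device].add(host)
    return {dev: sorted(hosts) for dev, hosts in hits.items()}


def infection_rate(log_text, blocklist=C2_BLOCKLIST):
    """Fraction of devices seen in the log that contacted a blocked domain."""
    devices = {ln.split()[1] for ln in log_text.splitlines() if len(ln.split()) >= 3}
    return len(find_infected_devices(log_text, blocklist)) / len(devices) if devices else 0.0


if __name__ == "__main__":
    for dev, hosts in find_infected_devices(SAMPLE_LOG).items():
        print(f"{dev}: {', '.join(hosts)}")
    print(f"infection rate: {infection_rate(SAMPLE_LOG):.0%}")
```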