Want to earn a cool million? Are you familiar with a security breach at Apple’s app store? I was clued in to these stories from our in-house systems and network manager. A security firm is offering up the million dollar bounty, the largest to date and capped at $3 million, for the successful hack. “Rather than report vulnerabilities in software to the companies that make it to help fix hackable bugs, Vupen develops hacking techniques based on those bugs and typically sells them to multiple government customers,” reports Wired. In a separate report from Wired, there are concerns related to how bugged Chinese apps made their way onto Apple’s app store.
The $1 million bounty:
AS LONG AS hackers have sold their secret hacking techniques known as zero-day exploits to government spies, they’ve generally kept that trade in the shadows. Today it’s come into the spotlight with the biggest bounty ever publicly offered for a single such exploit: $1 million for a technique that can break into an iPhone or iPad running Apple’s freshly released iOS 9.
On Monday, a new security industry firm known as Zerodium announced that it will pay that seven-figure sum to anyone who gives the company a hacking technique that can take over an iOS device remotely, via a web page the victim visits, a vulnerable app on the victim’s device, or by text message. The company says it’s willing to pay the bounty multiple times, though it may cap the payouts at $3 million.
“Due to the increasing number of security improvements and the effectiveness of exploit mitigations in place, Apple’s iOS is currently the most secure mobile OS,” reads the
statement on Zerodium’s website announcing the bounty. “But don’t be fooled, secure does not mean unbreakable, it just means that iOS has currently the highest cost and complexity of vulnerability exploitation and here’s where the Million Dollar iOS 9 Bug Bounty comes into play.”
Bugged Chinese Apps get into Apple’s App store:
THE APPLE ECOSYSTEM is well known for very rarely letting any dodgy apps enter it because of the company’s stringent security checks.
But recently, nearly two dozen malicious pieces of software managed to get hosted on the App Store, and subsequently downloaded by Chinese users. This is because attackers found an unorthodox route to exploit: they targeted some versions of the software used by developers to makes apps for iOS and OS X in the first place.
The malware was first highlighted by Chinese developers on Weibo, and was then analyzed by researchers from Alibaba. Security company Palo Alto Networks then verified the results.
The hack all hinges around Xcode, a tool used to create iOS and OS X apps. Typically, Xcode is downloaded directly from Apple for free. However, it is possible to get Xcode from other sources too, such as developer forums. Some versions of Xcode found on Baidu Yunpan, a Chinese file-sharing service, come packaged with extra lines of code. The Alibaba researchers have dubbed these malicious variants “XcodeGhost.”