While recently cleaning up its iOS App Store to remove malicious iPhone and iPad programs, Apple identified the first large-scale app attacks on the mobile software outlet. Apparently the source of the problem was a bogus Xcode development kit that developers downloaded from a Chinese site.
Many app and Mac developers use the Apple Xcode tools to develop iOS and OS X applications. The hackers convinced developers to use its version of the Xcode tools rather than Apple's official software. One theory is that Apple's servers are slow to download from inside China, so developers used this alternative mirror download for convenience and speed. This is fairly common for downloading software, but the developers were unaware that the tools were fake.
Cyber attacks typically target network weaknesses, causing organizations to protect themselves with firewalls, data loss prevention measures, intrusion prevention systems, and similar tools, but more recent attacks have targeted weaknesses in the software that organizations develop and use. It's difficult to stop malware-related attacks after software has been developed.
Hackers are realizing that if they can get a developer to embed malicious code into an application, it's easier to carry out app attacks. If the malicious code is in an app that might be downloaded by millions of users, the potential for damage is considerable.
Defensive measures
The attack on Apple's iOS App Store by rogue code embedded in apps could've been prevented by using a semantic-based static analysis tool. These cyber attacks target weaknesses in software, and these tools let you virtually eliminate them by quickly detecting all security vulnerabilities in the source code. An accurate analysis is useless if it doesn't deliver a reliable and swift solution. These bugs need to be stopped in real time.
Even with millions of lines of code to analyze, these tools can shorten analysis to one hour. Semantic-based static analysis tools evaluate all execution paths of the program to locate bugs, violations on coding conventions, security holes, runtime errors, and more at the early stages of software development. They can check the quality of code and detect security vulnerabilities in C, C++, Java, HTML, and SQL, among other programming languages. A few examples of security checks include memory leaks, hard-coded passwords, buffer overflow, cross-site scripting, information leakage, TOCTOU (time of check time of use) race condition, and SQL injection.
An integrated, web-based management system allows a developer to upload code to test or connect to an existing IDE for analysis. The robust analysis engine will analyze program execution flow and meaning, identify software vulnerabilities, and remediate code using automated code suggestions. An efficient alarm system provides a detailed explanation of error types, paths, functions, and the locations and causes of alarms. This simplifies the process of software development and enables numerous people to work on one or more projects simultaneously.
App attacks: The next frontier for hackers
As businesses and consumers rely more heavily on apps, which store both personal and corporate information, they become a more attractive, data-rich target for hackers. For this reason, software vulnerabilities in apps are the next frontier for hackers and anyone intent on stealing information. Stopping the malware and other bugs before the apps are compiled and distributed is the best way to stop these attacks, and a semantic-based source code tool is an efficient way to do so.
Keep learning
Learn from your SecOps peers with TechBeacon's State of SecOps 2021 Guide. Plus: Download the CyberRes 2021 State of Security Operations.
Get a handle on SecOps tooling with TechBeacon's Guide, which includes the GigaOm Radar for SIEM.
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed on cyber resilience with TechBeacon's Guide. Plus: Take the Cyber Resilience Assessment.
Put it all into action with TechBeacon's Guide to a Modern Security Operations Center.
