I received an email from Bitdefender’s Australian PR company offering comment on the XcodeGhost malware incident that seems to have been primarily aimed at Chinese iOS App Store users, and wrote back with a few questions of my own, asking for additional comment.
Bitdefender’s Senior E-Threat Analyst, Bogdan Botezatu, is the person in question making the comments, which started off by noting that “the XCode Ghost infection is the first large-scale incident to ever make it through the Apple walled garden.
“Human error (the developers running tools downloaded from third parties), paired with lack of proactive countermeasures (in-depth review upon approval and advanced anti-malware on users’ terminals) have exposed a significant number of iOS users to malware.
“For years, Apple users have dismissed the idea of third-party security solutions, claiming that the iOS ecosystem was so well designed that they are practically immune to threats. However, iOS has become the second largest mobile operating system in the world and hackers are constantly improving their tactics to get to those 40% of iOS users,” continued Botezatu.
The comments were presumably sent so journalists could insert them into any story they might be writing on the XcodeGhost event, but I decided to write back and ask some extra questions so I could write a fuller story on Bitdefender’s views on the topic.
Now, you’d probably expect an Internet security company to want to offer a version of the anti-malware/security suite that would be offered on Android, for example, and to be sure, a variant of that was my very first question.
Q1. Is Bitdefender calling on Apple to explicitly allow third-party security solutions?
Botezatu responded that, “For years, Apple has strongly communicated that, unlike other platforms, Mac OS X and iOS are secure by default and users should not be concerned with running third-party security.
“The recent attacks against both OS X and iOS have proven that built-in security countermeasures, although effective to some extent, are not perfect by themselves. Adding an extra layer of anti-malware technologies will definitely improve the security of the user.”
Q2. Is Bitdefender calling for Apple to make an announcement on how it will dramatically improve its proactive countermeasures?
Here Botezatu replied that “Apple has had a great screening program for applications submitted to the App Store in the past.
“These applications had been reviewed by human operators, but potentially dangerous code such as XcodeGhost still snuck into the Store. It would definitely be interesting to see how Apple is going to improve the screening process given that they already had one of the best review processes in the world.”
Q3. Is Bitdefender calling for Apple to make a further, more detailed statement about the malware incursion beyond the simple statement it has already made saying it has removed affected apps?
Botezatu stated: “Yes, we would have expected a comment related to the number of devices that have been affected by the incident.”
The question was put to Botezatu before Apple’s Senior VP of Worldwide Marketing granted a Chinese news site called SINA an interview on the topic, although the article was published in Chinese.
iTWire’s write-up on Schiller’s statements is here, but aside from Apple’s initial short statement, and Schiller's interview with SINA, I still think it would be useful for Apple to say something more on the topic - but that's just my personal view.
Q4. Is Bitdefender calling on Apple to fix bugs and security issues at a much faster pace than it has been doing?
Here Botezatu said that: “With minor exceptions (such as the failed Rootpipe exploit patch), Apple has done a good job in patching vulnerabilities in the past.
“What I would personally like to see is more openness towards third-party security vendors, so when an incident the size of XCodeGhost occurs, the security community is prepared to intervene with tools and fixes.
“However, with the release of iOS 9, Apple seems to go in the opposite direction – rudimentary anti-malware products designed for iOS are now unable to access processes currently being run on other apps, so they lose even the little visibility they had on what is happening on the terminal.”
Q5. Finally, can you please send any links to iOS security issues that Bitdefender has written about?
Botezatu sent the following PDF link to its ‘Mobile Operating System Wars – Android vs. iOS Study.’