Apple hack exposes flaws in building apps behind "Great Firewall"

By Paul Carsten

BEIJING, Sept 23 (Reuters) - China's "Great Firewall" may have been partly to blame for the first major attack on Apple Inc's App Store, but experts also point the finger at lax security procedures of some big-name Chinese tech firms and how Apple itself supports developers in its second-biggest market.

A malicious programme, dubbed XcodeGhost, hit hundreds - possibly thousands - of Apple iOS apps, including products from some of China's most successful tech companies used by hundreds of millions of people.

Palo Alto Networks, the U.S. internet security company that spotted the problem, says the attacker could send commands to infected devices that could be used to steal personal information and, in theory, conduct phishing attacks.

The hackers targeted the App Store via a counterfeit version of Apple's Xcode "toolkit" - the software used to build apps to run on its iOS operating system - which Chinese developers used because they could download it faster.

"I would use the phrase 'convergence of ignorance and complacency'," said Andy Tian, CEO of Asia Innovations, a Chinese app developer. "Ignorance on the side of Apple, complacency on the side of Chinese companies."

The incident was a blow to the reputations of some of China's tech champions, in what some app makers saw as collateral damage from the tight controls Beijing places on the Internet within its borders and from weak infrastructure linking to the outside world, which together make overseas downloads patchy and slow.

Companies affected by the XcodeGhost attack included Tencent Holdings Ltd, one of the world's biggest internet firms, and Uber Technologies Inc's biggest challenger, Didi Kuaidi, which just completed a $3 billion private fundraising round.

Tencent, whose WeChat messaging service is one of China's most popular apps, and Didi Kuaidi declined to comment, beyond saying that they had fixed the issue and users' data had not been compromised.

NetEase Inc, whose music streaming app was also hit, issued a mea culpa on its official Weibo microblog, apologising to users for negligence.

"HUGE MISTAKE"

The App Store had previously been almost entirely free of malware, and it is unclear how the altered code withstood Apple's famously tough app approval process, in which developers often wait a week for reviews of updates to their apps.

"These reviews are legendary for how particular Apple is," said Robert Walker, founder of mobile dating app Cuddli who worked for Microsoft in China.

"Supposedly, a security review is part of that. But they missed this repeatedly over dozens of different applications. A huge mistake on their part."