Apple, which once touted its hardware as invulnerable to hacks, may have become tech's biggest security threat. Several security breaches in iOS show just how big the problem is.
The first one came to light last week, when the security firm Palo Alto Networks said that 39 iOS apps, which have been used by hundreds of millions of users, were infected with XcodeGhost malware.
In fact, the problem is much, much larger than that. Security company FireEye has so far found an astonishing 4,000 apps in the App Store infected with the malware.
The malware can steal passwords, hijack URLs, inject additional malware into an iOS device, and read and write data from a user's clipboard. It can potentially do more as well, including stealing iCloud passwords.
Palo Alto Networks says this about the malware:
"We believe XcodeGhost is a very harmful and dangerous malware that has bypassed Apple's code review and made unprecedented attacks on the iOS ecosystem. The techniques used in this attack could be adopted by criminal and espionage focused groups to gain access to iOS devices."
The malware got into iOS apps because a counterfeit version of Xcode (Apple's programming tool for creating iOS apps) was infected with it, then uploaded to Baidu's file-sharing service. Developers who used that version of Xcode unwittingly put the malware into the iOS apps they wrote.
Apple likes to tell the world about how thoroughly it vets all apps before they're allowed into the App Store, including for malware. Yet so far 4,000 infected apps and counting have made their way in.
Since then, a major security flaw has been found in iOS 9 -- anyone can get past a lock screen on iOS 9 or the just-released iOS 9.0.1 and get private data, including photos and contacts. Doing it is extremely easy. Type in an incorrect PIN on an iOS 9 device four times, and then on the fifth time, enter three numbers, then hold down the home button as you enter the fourth. That brings up Siri, even though you've never entered the correct PIN. You can then use Siri to get access to photos and contacts.
How much should you trust Apple when it comes to security? These days, as these security holes show, I'd say not at all.
By the way, if you want advice on how to keep yourself safe from XcodeGhost, check out my blog post, "How to protect yourself against the XcodeGhost iOS malware."