Apple Hack Could Delay iOS 7 Beta 4 Release, Slow App Updates

https://www.youtube.com/watch?v=8cU9cPgJ7UU

Apple revealed that a hack is behind the company’s reason to take the Apple Developer portal offline last Thursday. The downtime may push the iOS 7 beta 4 release back. This may not stop iPhone app updates, but could slow down new app releases for some developers.

The Apple Developer portal went offline on Thursday July 18th and remains offline as of Monday July 22nd at 11:30 AM Eastern. After several days of silence Apple issued a statement late Sunday night that outlines what happened and what information the hack may have exposed.

Everyday iPhone and iPad users don’t have anything to worry about, but Apple “developers’ names, mailing addresses, and/or email addresses may have been accessed.” The company is working to bring the portal back online.

https://www.youtube.com/watch?v=8cU9cPgJ7UU

The iOS 7 beta 4 release could see a small delay as Apple recovers from a hack.

While Apple did not announce an iOS 7 beta update schedule, a new iOS 7 beta appeared on a two week cycle for the past two beta releases, leading many to expect the iOS 7 beta 4 release this morning

Apple is currently in the middle of iOS 7 beta testing, and the iOS 7 beta 4 release date was possibly scheduled for today with bug fixes and new features. Until the Apple developer center is back online, it is not likely that Apple will release the iOS 7 beta 4, even though existing users can update over the air.

Web optimizing company Onswipe reports that despite the beta tag, iOS 7 traffic is up compared to iOS 6 traffic over a similar time period last year.  While users are not recommended to install the iOS 7 beta on a daily use device these numbers show the iOS 7 beta is popular with developers and users that paid to get the iOS 7 beta early. Many of these users eagerly wait for the iOS 7 beta 4 which could solve a problem with incoming calls not ringing the iPhone or showing a missed call marker.

https://www.youtube.com/watch?v=8cU9cPgJ7UU

Some iPhone app updates went live this weekend.

Until the iOS Developer portal is back online users may see some slowdowns to app updates and new app releases, but it will not come to a complete stop.

SignMyPad developer Justin Esgar told Gotta Be Mobile, “iTunes connect is still up,” which allows developers to submit new apps and app updates. Over the weekend several app updates appeared online.

While the system is still up to allow for important app fixes, some developers may choose to delay non-critical app updates until the developer portal is back online.

Matt Braun, developer of Mash and SketchParty TV told Gotta Be Mobile the downtime “definitely could” lead to update delays, explaining, “There are certain aspects of the process that can’t happen – device provisioning for beta testing, for instance.”

In this example, a developer trying to fix an issue on a specific device may not be able to add a device to their account to test the software. In a large development shop with plenty of devices this may not be as big of an issue, but for smaller developers it may push app updates back slightly.

It is unlikely that this Apple developer hack will push the fall IOS 7 release date back significantly as internal and external testing can continue and Apple could still release the iOS 7 beta 4 later this week.

Apple Portal Attack Not Malicious, But Developers Still a Target

While the "intruder" who accessed the Apple Developer Center turned out to be just a curious penetration tester, attacks against developer sites can have serious consequences beyond just stealing personal information.

Apple shut down its Mac, iPhone, and iPad developer Website last Thursday, saying it was performing unscheduled maintenance. It provided no other information, and developers grew increasingly worried about the prolonged outage. With the portal down, these developers could not work on new code, check on the status of their existing apps, or manage their accounts.

"Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website," Apple finally told developers via email Sunday evening. While sensitive information was encrypted and was not accessed, the company said "some developers' names, mailing addresses, and/or email addresses may have been accessed."

Not a Malicious Attack?Ibrahim Balic, a London-based penetration tester, took exception to being called an intruder. Companies regularly hire Balic to try to find vulnerabilities in their systems, and he recently decided to take a look at Apple's sites. He found 13 bugs in total, all of which were reported using the online bug reporter, he said. Four hours after his last bug report, the portal was taken down.

"Apple!! This is definitely not an hack attack !! I am not an hacker, I do security research," Ibrahim Balic wrote on Twitter.

Balic said Apple had not responded to his bug reports. "I did not done this research to harm or damage," he said in a comment posted on TechCrunch. He created a YouTube video to show how he had accessed developer information, but took it down after realizing that he hadn't obscured the names and details of the individual developers.

Why Target Developers Anyway?
Balic may not have intended anything malicious during his foray into Apple's servers, but developers are increasingly being targeted. Canonical disclosed that its Ubuntu forums were breached over the weekend. These attacks aren't so different from attacks on any other site. As in previous incidents, these users are now at risk for social engineering attacks such as fake password resets. Attackers may also attempt to log in to other sites with the stolen credentials.

Developer portals are "hubs" with users from many different organizations, said Mike Lloyd, CTO of RedSeal Networks. The attacker may not be interested in the actual data stored on the developer site itself, but rather the login credentials that may work on other sites, Lloyd said. "If you can compromise the account details on a hub site, the odds are good that you now have valid logins for a large number of other companies," Lloyd said.

Earlier this year, an iOS developer forum was compromised and infected employees at Twitter, Facebook, and others with malware. Attackers targeting the Apple developer site could be interested in launching watering hole attacks to target developers at other companies, said Lee Weiner, senior vice-president of products and engineering at Rapid7.

Attackers with stolen Apple developer accounts would be able to upload potentially malicious applications under the compromised developer's name, said Michael Sutton, vice-president of security research at Zscaler.

Since the accounts have the developer's signing certificate for approved apps, there is the danger that attackers may sign malicious apps using the legitimate certificates, said Tommy Chin, technical support engineer at CORE Security. "Fake authenticated apps in the Appstore will appear if Apple doesn't keep the portal down until it's fixed," Chin said.

"The attack comes at a bad time for Apple as it has forced them to take the developer portal offline as developers are preparing applications for iOS 7, slated for release in the fall," Lloyd said.