While China’s “Great Firewall” may be partly to blame for the first major attack to Apple’s App Store, experts also point the finger at lax security procedures from several major Chinese tech firms and Apple’s lack of support for developers in the country.
Thousands of Apple iOS apps have potentially been compromised by a malicious program, dubbed “XcodeGhost,” including those from some of China’s biggest tech companies used by hundreds of users, according to a Reuters report on Wednesday.
Palo Alto Networks, the U.S. Web security company that detected the program, said that the attacker could send commands to infected devices that could be used to steal personal information and, in theory, phishing attacks.
The hackers targeted the App Store using a copycat version of Apple’s Xcode toolkit--the software used to build apps to run on the iOS platform--which Chinese developers often used because it was reportedly faster to download.
"I would use the phrase 'convergence of ignorance and complacency,'" Andy Tian, CEO of Chinese app maker Asia Innovations, told Reuters. “Ignorance on the side of Apple, complacency on the side of Chinese companies."
The incident has put some of China’s leading tech firms under intense scrutiny, with what many app developers see as collateral damage caused by tight controls imposed by Beijing on the Internet as well as weak infrastructure linking to the rest of the world, resulting in slow and patchy downloads from overseas networks.
Some of the Chinese companies hit by the XcodeGhost attack include Tencent, one of the world’s biggest Internet firms, and Uber’s biggest rival, Didi Kuaidi, which recently completed a $3-billion private fundraising round.
Both Tencent and Didi Kuaidi declined to comment, saying only that they have resolved the issue and user’s data were not compromised.
It is still unclear how the altered code withstood Apple’s famously strict app approval process, wherein developers would often wait for a week of reviews before updates to their apps could be approved.
"These reviews are legendary for how particular Apple is," said Robert Walker, the developer of mobile dating app Cuddli who worked for Microsoft in China.
"Supposedly, a security review is part of that. But they missed this repeatedly over dozens of different applications. A huge mistake on their part."
Apple did not respond to questions regarding the app approval process and the use of unofficial Xcode by Chinese developers, although a senior executive said on Thursday that the company will make it easier for developers from China to download its tools.
In an interview with Chinese news portal Sina.com, marketing chief Phil Schiller said that Apple will be offering domestic downloads within China of its developer software.
Some Chinese companies had said they were forced to download Apple’s developer toolkit from unofficial sources in China due to slow Internet speeds when connecting to international networks, Reuters said in its report.
The country’s censorship architecture, also known as the “Great Firewall,” does not block app developers from downloading the official version of Xcode, but the controls, coupled with poor infrastructure for international connections, have made using services based outside China a tedious process.
According to online content delivery firm Akamai, China's average Internet speeds are more than three times slower than those in the United States.
The sluggish Internet connection, along with government censorship, has been a major concern among foreign businesses in China. Crackdowns in tools used to bypass the Great Firewall, such as Virtual Private Networks (VPNs), in recent months have further aggravated the issue.
Despite these concerns, China remains a huge market for Apple, which earned around $13 billion in mainland China in the latest financial quarter. The Cupertino, California-based firm also approved 130,000 apps from Chinese developers in Jan. 2014.