The XcodeGhost malware attack that allegedly affected 128 million iOS users is an excellent illustration of the kind of sophisticated attack all users should get ready to defend against as platforms become inherently more secure.

XcodeGhost was an intelligent exploit that presented itself as a malware-infested copy of Xcode made available via websites targeting Chinese developers. Developers in the region downloaded it because it was easier to get than the real code, since local networks were unreliable.

Software built using these copies of Xcode was injected with malware, but at such a low level and so far behind Apple’s perimeter level of trust that many subverted apps made it past the App Store review process. And so the infection wormed its way into more than 4,000 apps, and onto the devices of millions of users.

Previously confidential internal Apple emails revealed in a recent court case suggested that roughly 128 million customers wound up being affected.

More recently, we saw a similar attempt to seed developers with subverted versions of Xcode called XcodeSpy. And last year, we saw an attempt to infect the Apple ecosystem using GitHub repositories as vessels for bandit code.

There have also been attempts to exploit iOS vulnerabilities to stage man-in-the-middle attacks in which hackers hijack communications between managed iOS devices and MDM solutions.

Why do hackers go to such trouble developing these complex attacks? For the money: they know that Apple’s devices are seeing growing use across the world’s most profitable enterprises.

Trend Micro warns: “Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse.”

When most of the Fortune 500 firms use Macs, iPads, and iPhones, it’s no surprise hackers are paying attention to the platforms. (They are just as likely to seek out vulnerabilities in IoT devices, Wi-Fi, and broadband provisions, and will always seek out those forgotten Windows servers in dusty backrooms.)

During the pandemic, we’ve also seen increasing attempts to exploit vulnerabilities, with phishing and ransomware exploits on the increase. Developing hacks at this level of sophistication is expensive, which is why most successful attacks appear to emanate from nation states and highly organized gangs.

These groups are already using the same security tools your company is likely to use – if only to identify and exploit vulnerabilities within them, or (in the case of XcodeGhost and derivatives), build them in.

The truism in security preparedness today is that you don’t think about if your security will be subverted – you accept that it probably will be. Instead, you think about what to do when your security is undermined.


That means putting plans in place to protect systems during and after an attack, ensuring staff are security aware, and making certain you develop a workplace culture supportive enough that employees aren’t fearful of coming forward if an action they take puts the system at risk.

Does the sheer number of people affected by XcodeGhost reveal an Apple security problem? Not really, because it’s a given that attempts against its platforms will be constant — and within that context some will make it through. And, of course, Apple responded swiftly once the problem was identified.

That’s the right approach. We know attacks will happen and must have mitigation in place when they do. One of Apple's best ways to inhibit such attacks is to manage distribution via the App Store. It isn't perfect, but it works most of the time.

We know standard perimeter security models no longer work. We know security incidents will happen, meaning good practice is to make it hard for those events to take place and to act decisively when they do.

Perhaps Apple was irresponsible for not revealing the number of people affected by the attack? I don’t think so because Apple cleared this mess up.

It is important to note that in this case the exploit wasn’t really used for anything more malicious than device fingerprinting – though this could have chilling repercussions in China.

So, what’s the lesson here? Attacks are becoming more sophisticated, more targeted, and more dangerous as a result. They are also becoming more expensive, which means most people are unlikely to be attacked – but if you are an enterprise, an NGO, or a dissident voice, you should be concerned.

Here are a few steps you should always take to harden device security:
