After China malware infiltration, Apple helps developers ensure their Xcode install is legitimate

Posted:
in iPhone edited September 2015
Apple on Tuesday issued a notice to developers, informing them how they can make sure their copy of Xcode is legitimate, a precaution necessitated by the appearance of malware on the iOS App Store in China.




Those malicious apps were built with a counterfeit version of Xcode, which developers may have been prompted to download from outside sources because of Internet speed and connectivity issues in China. As a result, Apple instructed developers to download Xcode directly from the Mac App Store or from its developer website, and to leave Gatekeeper enabled on all of their systems to protect against tampered software.

Developers can verify that their copy of Xcode is legitimate by opening Terminal on a Gatekeeper-enabled system and typing the following:
spctl --assess --verbose /Applications/Xcode.app
In the example above, /Applications/ should be the directory where Xcode is installed. The tool can take a few minutes to complete, but if a user has a legitimate copy of Xcode installed from the Mac App Store, it will return the following:
/Applications/Xcode.app: accepted
source=Mac App Store
And for legitimate copies of Xcode downloaded from Apple's developer website, the tool will return one of the following two responses:
/Applications/Xcode.app: accepted
source=Apple

/Applications/Xcode.app: accepted
source=Apple System
If the returned result says anything other than "accepted," or the source reads anything other than "Mac App Store," "Apple System" or "Apple," then the application signature is not valid for that copy of Xcode.

Developers who are not running a legitimate copy of Xcode are advised to download a clean copy from the Mac App Store or Apple's developer site, and to recompile their applications before submitting them for review.
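As an added example (not part of the AppleInsider article or Apple's notice), the shell script below wraps the check described above: it parses the output of `spctl --assess --verbose`, accepts only the "accepted" verdict paired with one of the three Apple sources the article lists, and treats anything else as a failed assessment. The parsing is separated from the call to `spctl` so it can be exercised on captured output on any system; the real check only runs on a Mac. The `spctl --status` Gatekeeper guard and the default path are assumptions added here, not from the article.

```shell
#!/bin/sh
# Added example: verify an Xcode install with spctl, as the article describes.
# Assumes spctl prints "<path>: accepted|rejected" followed by "source=<origin>".

# classify_spctl_output OUTPUT
# Returns 0 only when OUTPUT shows "accepted" with a source of
# "Mac App Store", "Apple" or "Apple System"; returns 1 otherwise.
classify_spctl_output() {
    verdict=""
    origin=""
    # Walk the captured lines; spctl may print the verdict and the source on
    # different streams, so the caller merges stdout and stderr before passing them in.
    while IFS= read -r line; do
        case "$line" in
            *": accepted"*) verdict="accepted" ;;
            *": rejected"*) verdict="rejected" ;;
            source=*)       origin="${line#source=}" ;;
        esac
    done <<EOF
$1
EOF
    [ "$verdict" = "accepted" ] || return 1
    case "$origin" in
        "Mac App Store"|"Apple"|"Apple System") return 0 ;;
        *) return 1 ;;
    esac
}

# check_xcode_install [PATH]
# Runs the real assessment on a macOS host. PATH defaults to /Applications/Xcode.app
# (assumed default; adjust to wherever Xcode is installed).
# Exit codes: 0 = legitimate, 1 = failed assessment, 2 = cannot run the check here.
check_xcode_install() {
    app="${1:-/Applications/Xcode.app}"
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not found; this check only runs on macOS" >&2
        return 2
    fi
    # The article notes the check is only meaningful with Gatekeeper enabled.
    if ! spctl --status 2>&1 | grep -q "assessments enabled"; then
        echo "Gatekeeper assessments are disabled; enable Gatekeeper and re-run" >&2
        return 2
    fi
    out=$(spctl --assess --verbose "$app" 2>&1)
    if classify_spctl_output "$out"; then
        echo "OK: $app passed assessment"
        echo "$out"
        return 0
    fi
    echo "WARNING: $app failed assessment:" >&2
    echo "$out" >&2
    echo "Reinstall Xcode from the Mac App Store or developer.apple.com and rebuild your apps." >&2
    return 1
}

# Run directly: check the default (or given) Xcode location.
if [ "${0##*/}" = "check_xcode.sh" ]; then
    check_xcode_install "$@"
fi
```

Save the script as check_xcode.sh and run `sh check_xcode.sh` (or `sh check_xcode.sh /path/to/Xcode.app`); a non-zero exit means the copy should be replaced and apps rebuilt before resubmission.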

Apple confirmed on Sunday that modified versions of Xcode were used to successfully infiltrate malware into the iOS App Store. In all, about 40 infected apps made it through, including WeChat and ridesharing service Didi Kuaidi.

The malicious copies of Xcode were hosted on cloud storage run by China's Baidu, and those copies have since been removed. Developers running a modified version of Xcode would have needed to disable Apple's Gatekeeper security feature in order to run the software.

Chinese developers turn to alternative download sources hosted on local servers, because downloads from Apple's own servers can be very slow within the country.

Comments

  • Reply 1 of 25
    rayz Posts: 814 member

    I was hoping they'd find a way of detecting applications that weren't built with a legit copy of Xcode. 

  • Reply 2 of 25
    rayz wrote: »
    I was hoping they'd find a way of detecting applications that weren't built with a legit copy of Xcode. 

    The best way to detect that is to scan the binary for malware, effectively Apple has to use a 'virus' scanner when accepting an app.

    We all know that that's as effective as taking a flu shot (although it is effective as a base income for the pharmaceutical industry) and makes all new cases undetectable.
  • Reply 3 of 25
    The correct command is:

    $ spctl --assess --verbose /Applications/Xcode.app

    See https://developer.apple.com/news/?id=09222015a
  • Reply 4 of 25
    sounds to me like it's a case of either laziness or intentionally using a compromised version of Xcode. how difficult is it to go to either the app store or apple developer website and download it?
  • Reply 5 of 25
    This should've been included in this story:
    https://support.apple.com/en-us/HT202491
  • Reply 6 of 25
    Another way to do this is to disable sideloading for OS X, effectively make it iOS.
    Maybe Apple will release a version of Xcode for iOS now?
    The only pitfall at this moment is the jailbreak community; maybe declare that illegal?

    Come to think of it, Apple could start another huge cloud service and offer an online build system, you only have to submit your sources - encrypted of course, Apple cannot touch them - and render most CPU power useless like most other cloud services.
  • Reply 7 of 25
    mac_dog wrote: »
    sounds to me like it's a case of either laziness or intentionally using a compromised version of Xcode. how difficult is it to go to either the app store or apple developer website and download it?

    As intrusive as the Chinese government is with their citizens, I don't believe for a second that they had no knowledge of this beforehand.
  • Reply 8 of 25
    Quote (Originally Posted by AppleInsider):



    Apple confirmed on Sunday that modified versions of Xcode were used to successfully infiltrate malware into the iOS App Store. In all, about 40 infected apps made it through, including WeChat and ridesharing service Didi Kuaidi.

    According to some estimates the number of infected apps is 3,418.

     

    Not sure how valid that number is but it's at least worth considering more than 40 have been infected.

     

    http://researchcenter.paloaltonetworks.com/2015/09/more-details-on-the-xcodeghost-malware-and-affected-ios-apps/

  • Reply 9 of 25
    cnocbui Posts: 3,613 member
    Quote (Originally Posted by knowitall):



    Another way to do this is to disable sideloading for OS X, effectively make it iOS.

    Maybe Apple will release a version of Xcode for iOS now?

    The only pitfall at this moment is the jailbreak community; maybe declare that illegal?



    Come to think of it, Apple could start another huge cloud service and offer an online build system, you only have to submit your sources - encrypted of course, Apple cannot touch them - and render most CPU power useless like most other cloud services.



    Words fail me.

     

    Maybe Apple should just pull out of China in every sense.  Looks like Google's approach was far sighted and was the right course to take.

  • Reply 10 of 25
    We've had the internal tools to detect legitimate copies of binaries since NeXTSTEP.
  • Reply 11 of 25
    This article describes the wrong syntax for the spctl command!!!
    The correct Terminal command should be (notice the double minus signs):
    spctl --assess --verbose /Applications/Xcode.app
  • Reply 12 of 25
    mstone Posts: 11,510 member

    I still have no idea how they were able to decompile or reverse engineer such a huge application. Perhaps they were able to find some resource folder that they could swap out some identically named files with added functionality. Anybody heard how the hack was done?

  • Reply 13 of 25
    Quote (Originally Posted by mstone):

     

    I still have no idea how they were able to decompile or reverse engineer such a huge application. Perhaps they were able to find some resource folder that they could swap out some identically named files with added functionality. Anybody heard how the hack was done?




    Ask the hacking unit for the Chinese military.

  • Reply 14 of 25
    jony0 Posts: 269 member

    Why would any honest developer get Xcode anywhere else but from the Mac App Store or Apple.com?

    I think every hacked copy of Xcode was downloaded knowingly and with ill intent and that this was Apple's politically correct way of warning those so-called 'developers' using such a copy that Apple are looking at them. Perhaps next time Apple will simply and rightfully revoke their license and keep those credentials close at hand.

  • Reply 15 of 25
    spheric Posts: 1,730 member

    Because China's internet access is incredibly slow (3.7 Mbit average) and then crippled by the Great Firewall, which pipes ALL international traffic through only THREE portals, where it is analyzed and filtered, further slowing it down. 

     

    If you're a huge developer, with hundreds of apps in the store, waiting for a multi-gigabyte download from overseas will completely halt your entire workforce for DAYS. 

     

    So you download off a local server, instead. 

     

    Or at least, you used to, until this happened.

     

    Source: http://qz.com/506582/chinas-awful-internet-speed-has-spread-malware-to-millions-of-smartphones/

  • Reply 16 of 25
    jony0 wrote: »
    Why would any honest developer get Xcode anywhere else but from the Mac App Store or Apple.com?
    I think every hacked copy of Xcode was downloaded knowingly and with ill intent and that this was Apple's politically correct way of warning those so-called 'developers' using such a copy that Apple are looking at them. Perhaps next time Apple will simply and rightfully revoke their license and keep those credentials close at hand.

    Perhaps it's time for the West to build an electronic/digital wall around China and Russia to stop these main sources of viruses, trojans and malware of all types. It's time to stop allowing these illegitimate countries from participating with normal Western countries. I see nothing of benefit or interest to me on any Chinese or Russian web sites. I do see news about Chinese theft of American trade and other secrets. I do read about threat after threat coming from these two countries. Isolate the scourge while it's still possible.
  • Reply 17 of 25
    spheric Posts: 1,730 member

    We've known since Snowden that the United States are all about stealing trade and other secrets from their supposed allies, too. 

     

    It's all par for the course in international politics. You're not exceptional, and neither is China, except that China is actually more or less successfully isolating itself from outside influences. 

     

    In other words, what's getting Americans' gall is that China isn't as open to the same kind of attacks that the U.S. would like to perpetrate, and in fact, are perpetrating on most other industrial nations, including all the ones they're "friends" with.

  • Reply 18 of 25
    Quote (Originally Posted by spheric):

     

    We've known since Snowden that the United States are all about stealing trade and other secrets from their supposed allies, too. 

     

    It's all par for the course in international politics. You're not exceptional, and neither is China, except that China is actually more or less successfully isolating itself from outside influences. 

     

    In other words, what's getting Americans' gall is that China isn't as open to the same kind of attacks that the U.S. would like to perpetrate, and in fact, are perpetrating on most other industrial nations, including all the ones they're "friends" with.


     

    China industry has shit to steal, so of course they're not a target...

     

    The West would hit mostly military and governmental installations rather than industry ones; and if you think that Chinese hackers are better than the West, you are kidding yourself. China would simply not admit to any hacking unless it has to; it would be losing face to do so.

     

    The US probably spends 10 times more on cyber warfare than anyone else in the world, including China.

     

    In this case, this was aimed more at Chinese people than people outside; so do you respect the fact China likes to f*up their own people? Yeah... So much greatness there.

  • Reply 19 of 25
    Quote (Originally Posted by spheric):

     

    Because China's internet access is incredibly slow (3.7 Mbit average) and then crippled by the Great Firewall, which pipes ALL international traffic through only THREE portals, where it is analyzed and filtered, further slowing it down. 

     

    If you're a huge developer, with hundreds of apps in the store, waiting for a multi-gigabyte download from overseas will completely halt your entire workforce for DAYS. 

     

    So you download off a local server, instead. 

     

    Or at least, you used to, until this happened.

     

    Source: http://qz.com/506582/chinas-awful-internet-speed-has-spread-malware-to-millions-of-smartphones/


     

    Really, this huge Chinese developer has no speedy internal network, something US companies had 35 years ago... And every single node of this internal network is connected at the same speed to the outside world, even the ones in Hong Kong... Seems not likely at all for a big developer. If that's the case, whoever's the CIO or CTO of this crap house should retire right now because they're not worthy of the title.

  • Reply 20 of 25
    One has to wonder what the code review process is doing to miss stuff like this at such a scale so far. Something's broken.