Apple to officially host Xcode on Chinese servers in wake of malware issue
Downloads of Xcode should become faster for Chinese developers after Apple begins hosting its development software on local servers within the country, the company revealed in an interview with local media this week.

Apple marketing chief Phil Schiller spoke with Sina and explained that while Xcode takes developers about 25 minutes to download in the U.S., that same install can take up to three times as long for those in China. Apple hopes to address the issue by having an official copy of the software available to download on Chinese servers.
Apple also announced in a FAQ on its website this week that it will "soon" publish a list of the 25 most popular apps affected by the so-called "XcodeGhost" issue. Apple says that outside of the top 25 apps, the number of users affected by the exploit "drops significantly."
The company also published details on how developers can ensure their copy of Xcode is legitimate. Developers are advised to download Xcode through the Mac App Store or from its developer website, and to leave Gatekeeper enabled on all of their Macs to protect against tampered software.
Slow download speeds in China led developers to turn to alternative sources, where they unknowingly obtained modified versions of Apple's developer suite, Xcode. This counterfeit software led developers to build malicious apps unbeknownst to them or even Apple, which allowed the software onto its iOS App Store.
In all, about 40 infected apps are thus far confirmed to have made it through, including popular downloads like WeChat and ridesharing service Didi Kuaidi.
The malicious copies of Xcode were hosted on cloud storage run by China's Baidu, and those copies have since been removed. Developers running a modified version of Xcode would have needed to disable Apple's Gatekeeper security feature in order to run the software.

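The article's advice to developers amounts to two checks: keep Gatekeeper enabled and install Xcode only from Apple's channels. The script below is an added example, not code from the article or from Apple, showing how a developer can confirm both on a Mac. It assumes the macOS tools spctl(8) and codesign(1) and the default install path /Applications/Xcode.app; the functions that interpret tool output take that output as text, so the constructed samples at the bottom exercise them without a Mac.

```shell
#!/bin/sh
# Added example: verify that Gatekeeper is on and that the Xcode bundle is
# intact and Apple-distributed. Not Apple's published procedure; uses the
# standard spctl(8) and codesign(1) tools. Path below is an assumption.
XCODE_PATH="${XCODE_PATH:-/Applications/Xcode.app}"

# Return 0 when Gatekeeper assessments are enabled, given `spctl --status` output.
gatekeeper_status_enabled() {
    case "$1" in
        *"assessments enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reduce `spctl --assess --verbose` output to "verdict:source".
# Typical output looks like:
#   /Applications/Xcode.app: accepted
#   source=Mac App Store
classify_assessment() {
    printf '%s\n' "$1" | awk '
        /: accepted/ { verdict = "accepted" }
        /: rejected/ { verdict = "rejected" }
        /^source=/   { source = substr($0, 8) }
        END {
            if (verdict == "") verdict = "unknown"
            if (source == "") source = "unknown"
            print verdict ":" source
        }'
}

# Only these origins indicate a copy distributed by Apple.
trusted_source() {
    case "$1" in
        "Mac App Store"|"Apple"|"Apple System") return 0 ;;
        *) return 1 ;;
    esac
}

# Judge one assessment result: prints OK/FAIL and returns 0 only on OK.
judge_assessment() {
    result=$(classify_assessment "$1")
    verdict=${result%%:*}
    source=${result#*:}
    if [ "$verdict" = "accepted" ] && trusted_source "$source"; then
        printf 'OK: accepted, source=%s\n' "$source"
        return 0
    fi
    printf 'FAIL: verdict=%s source=%s\n' "$verdict" "$source"
    return 1
}

# Live check on a Mac: Gatekeeper state, then a deep signature check of the
# bundle (a modified file anywhere inside Xcode.app breaks the seal), then
# the Gatekeeper assessment of the bundle's origin.
check_xcode() {
    if ! gatekeeper_status_enabled "$(spctl --status 2>&1)"; then
        echo "FAIL: Gatekeeper assessments are disabled; re-enable before trusting any download"
        return 1
    fi
    if ! codesign --verify --deep --strict "$XCODE_PATH" 2>/dev/null; then
        echo "FAIL: code signature of $XCODE_PATH is invalid"
        return 1
    fi
    judge_assessment "$(spctl --assess --verbose "$XCODE_PATH" 2>&1)"
}

# Constructed sample outputs (not captured from a real machine) for trying
# the parsing functions offline.
SAMPLE_GENUINE="$XCODE_PATH: accepted
source=Mac App Store"
SAMPLE_TAMPERED="$XCODE_PATH: rejected
source=no usable signature"

# Run the live check only when asked, e.g. `sh check_xcode.sh --live`.
if [ "${1:-}" = "--live" ]; then
    check_xcode
fi
```

The `--deep` verification walks every nested framework and binary inside Xcode.app and takes several minutes, but it is the step that catches a tampered component; the outer bundle signature alone does not re-hash nested code. A rejected verdict or a source other than the Mac App Store or Apple means the copy should be discarded and re-downloaded through the channels the article names.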
Comments
Now, what about implementing a safeguard that completely avoids submitting apps from non-genuine Xcode versions?
I remain stupefied that nearly everyone is blaming Apple totally and giving the lazy developers who downloaded a pirated copy of Xcode a pass. What were they thinking? I thought developers were tech savvy and security conscious.
That's a good step.
Now, what about implementing a safeguard that completely avoids submitting apps from non-genuine Xcode versions?
And you know exactly how to do that, right? It’s simple, right? Apple engineers are incompetent, right? Any third grader could do it, right? By the way, how many affected apps did you find on your iOS device?
That's a good step.
Now, what about implementing a safeguard that completely avoids submitting apps from non-genuine Xcode versions?
That and how about issuing a warning to developers if they do something stupid like that again they will be banned from the app store.
-kpluck
Anyone who has ever been to China will clearly see that theft and deception are culturally ingrained and expected.
Also, it makes one wonder why the developer software was not previously hosted by Apple. Probably due to either hacking concerns or Chinese government spy infiltration or theft of code concerns.
Don't be an idiot (this may be an impossible request, I realize). You obviously have no personal experience in this matter.
Why so aggressive? I didn't make either of those claims. No, I don't know how to do that. But then again I don't give out a developer environment to everyone, including idiots or criminals. A curated App Store and Xcode does imply responsibility, don't you think? And I'm not saying Apple is not assuming theirs. I'm saying it would be good to eliminate that kind of thing in the future, as you cannot eliminate stupidity or criminal intent.
Maybe something with checksums at Xcode launch or encoded into the created app.
Btw, I found one. CamCard. I suppose you're not implying that I'm only entitled to an opinion if I'm directly affected, are you?
Make your case. Defend your claim.
There is one thing the Chinese do know how to do and that is bureaucracy!
You are presumably referring to the Chinese "patent office" and not the Sicherheitspolizei..?
Also "lackey" sounds condescending and could be interpreted as casually racist, FYI.
My experience starts back to the late 90s and extended into our present era. I've had plenty of exposure to the kind of "acceptable cheating" and skullduggery associated with doing business in China and it's not always pretty.
Btw, I found one. CamCard. I suppose you're not implying that I'm only entitled to an opinion if I'm directly affected, are you?
So you downloaded it from the Chinese App Store? It’s still available in the U.S. store. How do you know your copy is infected?
As for lackey being casually racist, only if being employed by the government is a "race" could that ever be considered racist. Condescending definitely.
The only way I can see that working is for Apple to issue a checksum that can be matched against the downloaded version of Xcode, but the developer would still need to manually do it, and I doubt many do. I would say most just accept even an unknown app is legit if a checksum is proffered. Plus, the checksum could help if their gov't decides to play the same game with this now-locally hosted version of Xcode with either injected code into apps or simply spying on the developers themselves. Note: This goes for all nations and all developers, not just in China.
This is the first time I've seen Apple get any blame here. Every article I read was wondering why anyone would use an unofficial site to grab Xcode. Now 'I' know, which 'I' think puts some of the responsibility on Apple (not the same as blame) that their Chinese download of this 3.6(?) GiB app took so long to download due to having no local host servers available.
Anyway, having been in the South of China mainland many times, I can say that the internet works well there for Chinese hosted sites, but step outside that to American or European sites and it is tediously slow, I suspect the great firewall of China deliberately makes it that way. Facebook wasn't blocked where I went last but it was so slow it took almost an hour to see the first part of my wall. So, trying to download XCODE from the official Apple site once you're officially paid up as a developer might present them with a download that's going to take many days. So I can see how someone offering a local FAST download would be appealing. Sod all to do with theft or deception.
I've not been to Taiwan, Hong Kong, or Macau, but I hear their internet isn't so bad. I'm presuming this article is referring to mainland China and it makes sense to me why a pukka developer would download from elsewhere. Good on Apple for recognising the issue and hosting locally instead!
Frequent visits to companies, universities and far too many government lackeys. Dealing with SIPO since 2007.
There is one thing the Chinese do know how to do and that is bureaucracy!
You're obviously white, or not Asian. Well known that the Chinese, both in Mainland China and overseas, treat non-Asians and Asians very differently. The worst case is an ABC dealing with mainland China: you're seen as a traitor, maybe not to your face but definitely behind your back.
Not only in business, this is the official position of the government as well. If you find yourself in trouble, you may be denied consulate access, because they say you're of Chinese descent. Well known issue especially pre-1997.
And casual racism is ingrained in others.
Clearly haven't spent much time there trying to source products or shopping in a major city. Handbags are a good example as they generally fall into 3 categories.
Clearly Counterfeit - Obvious who they were trying to copy/rip-off, but you know it's not real. Cheap materials and quality. Will eventually be sold on the sidewalk of a western city.
Good Counterfeits - Only an expert could tell they were fakes at first glance. Someone will try to pass these off as the real thing.
The Real Thing - Stolen from the factory, sometimes rejected by a quality team they make their way out the door rather than to the dumpster. Sometimes just stolen.
You go into a store and you can find all three examples of the same item.
Same with electronics. Much as you may not want to say it, it is a fact of life and part of the culture.