Apple to officially host Xcode on Chinese servers in wake of malware issue

Posted in General Discussion, edited February 2020
Downloads of Xcode should become faster for Chinese developers after Apple begins hosting its development software on local servers within the country, the company revealed in an interview with local media this week.

Apple marketing chief Phil Schiller spoke with Sina and explained that while Xcode takes developers about 25 minutes to download in the U.S., that same install can take up to three times as long for those in China. Apple hopes to address the issue by having an official copy of the software available to download on Chinese servers.

Apple also announced in a FAQ on its website this week that it will "soon" publish a list of the 25 most popular apps affected by the so-called "XcodeGhost" issue. Apple says that outside of the top 25 apps, the number of users affected by the exploit "drops significantly."

The company also published details on how developers can verify that their copy of Xcode is legitimate. Developers are advised to download Xcode only through the Mac App Store or from Apple's developer website, and to leave Gatekeeper enabled on all of their Macs so that tampered software is blocked from running.

Slow download speeds in China led developers to turn to alternative sources, where they unknowingly obtained modified versions of Apple's developer suite, Xcode. Apps built with this counterfeit toolchain carried malicious code without the knowledge of the developers or of Apple, which admitted the apps to its iOS App Store.

In all, about 40 infected apps are thus far confirmed to have made it through, including popular downloads like WeChat and ridesharing service Didi Kuaidi.

The malicious copies of Xcode were hosted on cloud storage run by China's Baidu, and those copies have since been removed. Developers running a modified version of Xcode would have needed to disable Apple's Gatekeeper security feature in order to run the software.

Comments

  • Reply 1 of 35
    That's a good step.
    Now, what about implementing a safeguard that completely avoids submitting apps from non-genuine Xcode versions?
  • Reply 2 of 35
    lkrupp Posts: 10,557 member

    I remain stupefied that nearly everyone is blaming Apple totally and giving the lazy developers who downloaded a pirated copy of Xcode a pass. What were they thinking? I thought developers were tech savvy and security conscious.

  • Reply 3 of 35
    lkrupp Posts: 10,557 member
    Quote:
    Originally Posted by WonkoTheSane
    That's a good step.
    Now, what about implementing a safeguard that completely avoids submitting apps from non-genuine Xcode versions?

    And you know exactly how to do that, right? It’s simple, right? Apple engineers are incompetent, right? Any third grader could do it, right? By the way, how many affected apps did you find on your iOS device?

  • Reply 4 of 35
    Quote:
    Originally Posted by WonkoTheSane
    That's a good step.
    Now, what about implementing a safeguard that completely avoids submitting apps from non-genuine Xcode versions?

    That and how about issuing a warning to developers if they do something stupid like that again they will be banned from the app store.

    -kpluck

  • Reply 5 of 35
    lkrupp wrote: »
    I remain stupefied that nearly everyone is blaming Apple totally and giving the lazy developers who downloaded a pirated copy of Xcode a pass. What were they thinking? I thought developers were tech savvy and security conscious.

    Anyone who has ever been to China will clearly see that theft and deception are culturally ingrained and expected.

    Also, it makes one wonder why the developer software was not previously hosted by Apple. Probably due to either hacking concerns or Chinese government spy infiltration or theft of code concerns.
  • Reply 6 of 35
    Anyone who has ever been to China will clearly see that theft and deception are culturally ingrained and expected.

    Also, it makes one wonder why the developer software was not previously hosted by Apple. Probably due to either hacking concerns or infiltration or theft of code concerns.
    and casual racism is ingrained in others
  • Reply 7 of 35
    and casual racism is ingrained in others

    Don't be an idiot (this may be an impossible request, I realize). You obviously have no personal experience in this matter.
  • Reply 8 of 35
    Don't be an idiot (this may be an impossible request, I realize). You obviously have no personal experience in this matter.
    in casual racism, I try and leave that to others. As for China I probably have more experience than most here and in the realm of IP I am probably one of the most experienced
  • Reply 9 of 35
    lkrupp wrote: »

    And you know exactly how to do that, right? It’s simple, right? Apple engineers are incompetent, right? Any third grader could do it, right? By the way, how many affected apps did you find on your iOS device?

    Why so aggressive? I didn't make either of those claims. No, I don't know how to do that. But then again I don't give out a developer environment to everyone, including idiots or criminals. A curated App Store and Xcode does imply responsibility, don't you think? And I'm not saying Apple is not assuming theirs. I'm saying it would be good to eliminate this kind of thing in the future, as you cannot eliminate stupidity or criminal intent.

    Maybe something with checksums at Xcode launch or encoded into the created app.

    Btw, I found one. CamCard. I suppose you're not implying that I'm only entitled to an opinion if I'm directly affected, do you?
  • Reply 10 of 35
    in casual racism, I try and leave that to others. As for China I probably have more experience than most here and in the realm of IP I am probably one of the most experienced

    Make your case. Defend your claim.
  • Reply 11 of 35
    Make your case. Defend your claim.
    Frequent visits to companies, universities and far too many government lackeys. Dealing with SIPO since 2007.
    There is one thing the Chinese do know how to do and that is bureaucracy!
  • Reply 12 of 35
    Frequent visits to companies, universities and far too many government lackeys. Dealing with SIPO since 2007.
    There is one thing the Chinese do know how to do and that is bureaucracy!

    You are presumably referring to the Chinese "patent office" and not the Sicherheitspolizei..?

    Also "lackey" sounds condescending and could be interpreted as casually racist, FYI.

    My experience starts back to the late 90s and extended into our present era. I've had plenty of exposure to the kind of "acceptable cheating" and skullduggery associated with doing business in China and it's not always pretty.
  • Reply 13 of 35
    lkrupp Posts: 10,557 member
    Quote:
    Originally Posted by WonkoTheSane
    Btw, I found one. CamCard. I suppose you're not implying that I'm only entitled to an opinion if I'm directly affected, do you?

    So you downloaded it from the Chinese App Store? It’s still available in the U.S. store. How do you know your copy is infected?

  • Reply 14 of 35
    You are presumably referring to the Chinese "patent office" and not the Sicherheitspolizei..?

    Also "lackey" sounds condescending and could be interpreted as casually racist, FYI.
    Definitely the patent office lol.
    As for lackey being casually racist, only if being employed by the government is a "race" could that ever be considered racist. Condescending definitely.
  • Reply 15 of 35
    Yes, because in an article about China we would be talking about the German police force. Also, gotta love the defense of people posting racist remarks: call other people's remarks, that are not, racist.
  • Reply 16 of 35
    Now, what about implementing a safeguard that completely avoids submitting apps from non-genuine Xcode versions

    The only way I can see that working is for Apple to issue a checksum that can be matched against the downloaded version of Xcode, but the developer would still need to manually do it, and I doubt many do. I would say most just accept even an unknown app is legit if a checksum is proffered. Plus, the checksum could help if their gov't decides to play the same game with this now-locally hosted version of Xcode with either injected code into apps or simply spying on the developers themselves. Note: This goes for all nations and all developers, not just in China.

    lkrupp wrote: »
    I remain stupefied that nearly everyone is blaming Apple totally and giving the lazy developers who downloaded a pirated copy of Xcode a pass. What were they thinking? I thought developers were tech savvy and security conscious.

    This is the first time I've seen Apple get any blame here. Every article I read was wondering why anyone would use an unofficial site to grab Xcode. Now 'I' know, which 'I' think puts some of the responsibility on Apple (not the same as blame) that their Chinese download of this 3.6(?) GiB app took so long to download due to having no local host servers available.
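The two checks the thread circles around, the checksum match Reply 16 proposes and the Gatekeeper assessment the article says Apple recommends keeping enabled, as an added example that is not the article's, Apple's or any commenter's code. It assumes the checksum is taken over the downloaded archive (not the unpacked .app), that `spctl` is Gatekeeper's command-line assessment tool on macOS, and that the expected digest is supplied by the caller; no real Apple checksum appears here.

```shell
#!/bin/sh
# Added example (not from the article or any commenter): verify a downloaded
# Xcode archive against a published SHA-256, then, on macOS only, ask Gatekeeper
# whether it accepts the installed bundle. Digests and paths are caller-supplied;
# a real expected digest would have to come from Apple.

# Portable SHA-256 hex digest of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Return 0 when the file's digest equals the expected hex string (case-insensitive),
# 1 on mismatch, 2 when the file does not exist.
verify_checksum() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    echo "checksum OK: $file"
    return 0
  fi
  echo "checksum MISMATCH for $file" >&2
  echo "  expected $expected" >&2
  echo "  actual   $actual" >&2
  return 1
}

# Gatekeeper assessment via spctl (macOS only; assumed tool name). Returns spctl's
# own status (0 = accepted) or 3 when spctl is absent, so Linux hosts skip cleanly.
gatekeeper_assess() {
  command -v spctl >/dev/null 2>&1 || { echo "spctl not found; skipping Gatekeeper check" >&2; return 3; }
  spctl --assess --verbose "$1"
}

# Usage: sh check_xcode.sh Xcode.xip <expected-sha256> [/Applications/Xcode.app]
# A checksum mismatch stops the script before Gatekeeper is consulted.
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
  verify_checksum "$1" "$2" && gatekeeper_assess "${3:-/Applications/Xcode.app}"
fi
```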
  • Reply 17 of 35
    My partner is Chinese, Chinese born and brought up, from the mainland. "China will clearly see that theft and deception are culturally ingrained and expected" - that's bull. "Hard work and education" is more like it. Have you even been there, away from the tourist spots? Talked with locals? What a stupid thing to say, it's a country that's got billions of people and culture so wide and varied. It's as stupid as saying "ignorance and stupidity is expected of Americans".

    Anyway, having been in the South of China mainland many times, I can say that the internet works well there for Chinese hosted sites, but step outside that to American or European sites and it is tediously slow, I suspect the great firewall of China deliberately makes it that way. Facebook wasn't blocked where I went last but it was so slow it took almost an hour to see the first part of my wall. So, trying to download Xcode from the official Apple site once you're officially paid up as a developer might present them with a download that's going to take many days. So I can see how someone offering a local FAST download would be appealing. Sod all to do with theft or deception.

    I've not been to Taiwan, Hong Kong, or Macau, but I hear their internet isn't so bad. I'm presuming this article is referring to mainland China and it makes sense to me why a pukka developer would download from elsewhere. Good on Apple for recognising the issue and hosting locally instead!
  • Reply 18 of 35
    Quote:
    Originally Posted by singularity
    Frequent visits to companies, universities and far too many government lackeys. Dealing with SIPO since 2007.
    There is one thing the Chinese do know how to do and that is bureaucracy!

    You're obviously white, or not Asian. Well known that the Chinese, both in Mainland China and overseas, treat non-Asian and Asians very differently. The worst case is an ABC dealing with mainland China, you're seen as a traitor, maybe not to your face but definitely behind your back.

    Not only in business, this is the official position of the government as well. If you find yourself in trouble, you may be denied consulate access, because they say you're of Chinese descent. Well known issue especially pre-1997.

  • Reply 19 of 35
    mike1 Posts: 3,275 member
    Quote:
    Originally Posted by singularity
    and casual racism is ingrained in others

    Clearly haven't spent much time there trying to source products or shopping in a major city. Handbags are a good example as they generally fall into 3 categories.

    Clearly Counterfeit - Obvious who they were trying to copy/rip-off, but you know it's not real. Cheap materials and quality. Will eventually be sold on the sidewalk of a western city.

    Good Counterfeits - Only an expert could tell they were fakes at first glance. Someone will try to pass these off as the real thing.

    The Real Thing - Stolen from the factory; sometimes rejected by a quality team, they make their way out the door rather than to the dumpster. Sometimes just stolen.

    You go into a store and you can find all three examples of the same item.

    Same with electronics. Much as you may not want to say it, it is a fact of life and part of the culture.

  • Reply 20 of 35
    konqerror wrote: »

    You're obviously white, or not Asian. Well known that the Chinese, both in Mainland China and overseas, treat non-Asian and Asians very differently. The worst case is an ABC dealing with mainland China, you're seen as a traitor, maybe not to your face but definitely behind your back.

    Not only in business, this is the official position of the government as well. If you find yourself in trouble, you may be denied consulate access, because they say you're of Chinese descent. Well known issue especially pre-1997.
    You're obviously making assumptions about my ethnicity.