Apple Outlines Steps for Developers to Validate Xcode Following Malware Attack

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Sep 22, 2015.

  1. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1
    [​IMG]


    Following last week's disclosure of new iOS malware called XcodeGhost, which arose from malicious versions of Xcode hosted on third-party servers, Apple has outlined instructions for developers to ensure the version of Xcode they are using is valid.

    [​IMG]

    When downloading Xcode from the Mac App Store, or Apple's website so long as Gatekeeper is enabled, OS X automatically checks the app's code signature and validates it against Apple's code. If you must obtain Xcode elsewhere, follow these steps:
    Apple issued a statement in response to XcodeGhost over the weekend, noting that it has removed all infected apps it is aware of from the App Store and is working with developers to ensure they are using a legitimate version of Xcode.
    XcodeGhost affected dozens, and possibly hundreds, of App Store apps. iPhone, iPad and iPod touch users should read what you need to know about XcodeGhost to learn more about the malware and how to keep yourself protected.

    Article Link: Apple Outlines Steps for Developers to Validate Xcode Following Malware Attack
     
  2. Tankmaze macrumors 68000

    Tankmaze

    Joined:
    Mar 7, 2012
  3. Kissaragi macrumors 68020

    Joined:
    Nov 16, 2006
    #3
    Good that apple are helping devs but how do we know as users that we are downloading safe apps in future?
     
  4. Lennholm macrumors 6502a

    Joined:
    Sep 4, 2010
    #4
    I get /Applications/Xcode.app: a sealed resource is missing or invalid
    What does that mean?
     
  5. neongrau macrumors newbie

    Joined:
    Feb 28, 2014
    #5
    Getting the same message and i'm pretty sure i haven't downloaded mine anywhere else than from app store.
     
  6. TMRJIJ macrumors 68040

    TMRJIJ

    Joined:
    Dec 12, 2011
    Location:
    South Carolina, United States
  7. Icy1007 macrumors 65816

    Icy1007

    Joined:
    Feb 26, 2011
    Location:
    Cleveland, OH
    #7
    Considering I am not an idiot and I downloaded Xcode from Apple's dev portal, I think my copy is clean.
     
  8. Jsameds macrumors 68040

    Joined:
    Apr 22, 2008
    #8
    "Following last week's disclosure of new iOS malware called XcodeGhost, which arose from malicious versions of Xcode hosted on third-party servers, Apple has outlined instructions for developers to ensure the version of Xcode they are using is valid."


    Step 1: Download Xcode from Apple.com


    Congratulations, you now have a genuine version of Xcode ;)
     
  9. macduke macrumors G4

    macduke

    Joined:
    Jun 27, 2007
    Location:
    Central U.S.
    #9
    Apple should block any developers who used counterfeit versions from being able to submit to the App Store. This level of stupidity shouldn't be allowed on their platform.
     
  10. nagromme macrumors G5

    nagromme

    Joined:
    May 2, 2002
    #10
    Band-Aid achieved. But it shouldn't be possible to do this in the first place--it's a security hole and one that could have been expected. Maybe have iTunes Connect only accept submissions from an unmodified Xcode? I'm not sure this is at all simple to implement, but I'm sure it's important to do so

    Developers are to blame too--especially multi-person companies should know better. But the platform should still be protected from developers making mistakes--or being attacked in other as-yet-unknown ways that might make it possible to secretly modify their Xcode. After all, it's possible to choose to bypass the Mac's security features (like Gatekeeper), and some people have reasons to do so. Further checks from Apple's remote end are called for, I think.
     
  11. jasnw macrumors 6502a

    jasnw

    Joined:
    Nov 15, 2013
    Location:
    Seattle Area (NOT! Microsoft)
    #11
    On a tangent, but a strongly related one, what's to keep whomever put the malicious Xcode out on Baidu in the first place from having a house stable of devs building malicious apps using their own Xcode? From what I've read, Apple was unable to catch these apps from being borked in the first place. I've long had a healthy skepticism about accessing any critical (financial, medical, etc) websites from a mobile device, now I'm positively paranoid about it.
     
  12. Mascots macrumors 68000

    Mascots

    Joined:
    Sep 5, 2009
    #12
    Funny because I was reading some things by Ken Thompson the other day.
     
  13. Weaselboy Moderator

    Weaselboy

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #13
    And still no list of infected apps from Apple? Not good.
     
  14. AdeFowler macrumors 68020

    AdeFowler

    Joined:
    Aug 27, 2004
    Location:
    England
    #14
    So Apple have removed all of the infected Apps from the app store.

    My problem however, is that the version of Mercury browser that I have, was replaced by the version with IAPs. I really need to know if the version I'm using is infected. Needless to say I've contacted the developers but haven't heard from them yet.
     
  15. SmoMo macrumors regular

    SmoMo

    Joined:
    Aug 20, 2011
    #15
    This will only work if you can trust that there is no-one between you and apple.com.
    I think there maybe a certain degree of naivety in the explanation for why so many Chinese developers have ended up with a modified version of Xcode.
     
  16. ck2875 macrumors 6502a

    ck2875

    Joined:
    Mar 25, 2009
    Location:
    Brighton
    #16
    I'm kind of surprised they openly acknowledged they let malware onto the App Store.

    [​IMG]
     
  17. SmoMo macrumors regular

    SmoMo

    Joined:
    Aug 20, 2011
    #17
    I think that this is much less of a problem because each Developer needs to create an Apple account, and this process involves some degree of identity checking from Apple

    Secondly, if a single Developer submits multiple Apps, and a single one is found to be malicious then it is easy for Apple to instantly remove all Apps by this Developer.

    Thirdly, I think we are seeing a list of roughly 50 Apps so far. What we don't know yet is how many Apps were submitted but didn't get through the Apple submission process.
    If this is 50 out of 50,000 Apps then it is clear that the creators of the malicious code would not be able to develop and publish 50,000 Apps all by themselves.
     
  18. Macneck macrumors regular

    Macneck

    Joined:
    Oct 17, 2012
    #18
    Great idea, except for the fact that it's useless.
     
  19. kainjow Moderator emeritus

    kainjow

    Joined:
    Jun 15, 2000
    #19
    This is a tricky situation. A manual fix is not a good solution, not all devs will do this or care about it. They need something besides Xcode that validates itself, and can't rely on a web service doing this since data sent can be faked. I think a real solution is to add an OS-level check that ensures Xcode.app originated from Apple, and disallow any other app with that name from running otherwise.
     
  20. ArtOfWarfare macrumors G3

    ArtOfWarfare

    Joined:
    Nov 26, 2007
    #20
    Man in the middle attack?
     
  21. Periastron macrumors newbie

    Joined:
    May 29, 2010
    Location:
    The Canadas
    #21
    It could mean a lot of things. There could be something missing from the application bundle, something that isn't supposed to be there, or something that has been altered in an unexpected way.

    I got that message, but I had copied the MacOSX10.10.sdk from Xcode 6.4 into the SDKs directory inside Xcode 7. When I moved that SDK out of the Xcode 7 bundle, spctl reported the 'accepted' message.
     
  22. macduke macrumors G4

    macduke

    Joined:
    Jun 27, 2007
    Location:
    Central U.S.
    #22
    Hey everyone! I think I found one of the developers…haha.
     
  23. JackANSI macrumors 6502a

    JackANSI

    Joined:
    Feb 3, 2011
    #23
    As hard as I am on Apple and their army of eyes-closed, head-nodding consumers, I find it interesting that the platform is secure enough that one of the attack vectors is to distribute a hacked copy of Xcode to sneak your malware in through the "front door".

    That said there has to be some way of boiling down the Xcode app fingerprint down into secure signature that is submitted with the app to make this harder in the future.
     
  24. Thunderhawks Suspended

    Joined:
    Feb 17, 2009
    #24
    You will never be able to outsmart dumb people.
    There will always be ways people will figure out to get around something that annoys them.

    So, in that case developers were annoyed by the long download times and figured out to go to another site.

    About the only thing bothersome here is how this passed Apples screening of apps. My guess is that if an app was okay the first time from a certain developer, s/he got a pass "as an update" and was not put through all the testing they normally do.

    I'd also show a yellow card to developers who bypass Apples XCODE system and flash RED if they do it again and they would be out.
     
  25. Macneck macrumors regular

    Macneck

    Joined:
    Oct 17, 2012
    #25
    How many millions iOS apps in the App Store? My problem are not the apps they already identified and supposedly removed... Something they did after some third party exposed the problem. Now I wonder if similar types of infections may have happened in hundreds of the millions of apps in the store. Is only good faith the solution Apple offers to this?
     

Share This Page

67 September 22, 2015