Apple Outlines Steps for Developers to Validate Xcode Following Malware Attack

[mkldev]

Band-Aid achieved. But it shouldn't be possible to do this in the first place--it's a security hole and one that could have been expected. Maybe have iTunes Connect only accept submissions from an unmodified Xcode?

Impossible unless you stop allowing developers to compile code using the command line and merge the command-line tools into the main Xcode binary itself. Otherwise, a fake Xcode can be as simple as interposing another binary that injects code into the source code on its way to the compiler and adds an extra static library to any final link line.

Yes, ostensibly Apple could make Xcode itself do some sort of checks to ensure that the binaries are unmodified, but someone could just binary-patch in a new signature, and it isn't hard to search a binary for a specific sequence of bytes. It is rather hard to hide such checks in a way that can't be thwarted. Provably impossible, in fact, though you can take steps to make it harder. Basically, it's the DRM problem all over again.

If the Xcode binary isn't signed by Apple anyway, and if developers didn't notice that, then there's very little Apple can usefully do to make it more obvious that the software is counterfeit beyond what they have already done.

 

[Habakuk]

Compared to the list published by Palo Alto Networks at least two of those apps weren't affected, obviously. CamCard is on that list p.e., but it's still available in the store (checked right now). The CamCard dev wrote on his FB site, that the app is definitely not infected. The same goes to WeChat.

So it's hard what to believe and what not. Apple should publish a similar statement (steps) to the iOS users (and not devs only).

 

[OldSchoolMacGuy]

And still no list of infected apps from Apple? Not good.

Wat? They released it right when this was announced. Check any of the old posts. They include lists.

 

[themachugger]

It seems to me that the far easier solution for preventing this is to set up a robust enough delivery system that Chinese developers don't feel compelled to download Xcode from a third party source!! Apple could throw a couple million at that particular problem without blinking and poof! It disappears.

 

[Manderby]

I just received an email stating that I shall download XCode directly from apple. There are two possibilities:

1. This is a phishing email. Which I expected as soon as I heard from XCodeGhost.

2. Apple as sent out an actual mail to developers, asking them to click on a link in an email stating that it provides a safe download.

Response to 1: Delete
Response to 2: Shame on you! Apple, never, ever do that!!!

Unfortunately, It is unclear to me, whether it is 1 or 2. The Links all seem to really point at apple. But I will surely not click on them.

 

[SmoMo]

I just received an email stating that I shall download XCode directly from apple. There are two possibilities:

1. This is a phishing email. Which I expected as soon as I heard from XCodeGhost.

2. Apple as sent out an actual mail to developers, asking them to click on a link in an email stating that it provides a safe download.

Response to 1: Delete
Response to 2: Shame on you! Apple, never, ever do that!!!

Unfortunately, It is unclear to me, whether it is 1 or 2.

The real email from Apple says 'always download Xcode directly from the Mac App Store' and the link takes you to the App Store

 

[Weaselboy]

Wat? They released it right when this was announced. Check any of the old posts. They include lists.

The lists were from a third party not Apple. If you have seen a list from Apple, can you please link to it?

 

[PBG4 Dude]

I just received an email stating that I shall download XCode directly from apple. There are two possibilities:

1. This is a phishing email. Which I expected as soon as I heard from XCodeGhost.

2. Apple as sent out an actual mail to developers, asking them to click on a link in an email stating that it provides a safe download.

Response to 1: Delete
Response to 2: Shame on you! Apple, never, ever do that!!!

Unfortunately, It is unclear to me, whether it is 1 or 2. The Links all seem to really point at apple. But I will surely not click on them.

I received the same email. While the link does indeed go to developer.apple.com I too share your concerns about clicking email links. Too bad they couldn't sign these emails with the public key from the key pair generated by me when joining Apple's Dev program.

 

[Manderby]

The real email from Apple says 'always download Xcode directly from the Mac App Store' and the link takes you to the App Store

And what if it didn't but instead directs me to a website which looks like the developer portal? I sometimes download the latest betas from there.

Never do that, no matter if the links are correct. Never.

 

[OldSchoolMacGuy]

The lists were from a third party not Apple. If you have seen a list from Apple, can you please link to it?

The list was provided to the 3rd party, from Apple. How else would they know which apps were effected? You can't simply guess.

If you download an infected app, simply run the app updates and install them. This will clear up the issue.

 

[KALLT]

Disappointing that they don’t warn their customers with a proper press release. iCloud credentials might have been stolen and other passwords compromised. People are still vulnerable for as long as these versions remain on the devices and many people don’t know. Just make sure that you download Xcode from apple.com next time, no big deal! Apple is just unreliable with these things.

 

[jnpy!$4g3cwk]

I get /Applications/Xcode.app: a sealed resource is missing or invalid
What does that mean?

Getting the same message and i'm pretty sure i haven't downloaded mine anywhere else than from app store.

I get the specified message. Is it possible that your version is an earlier release? You might want to upgrade or just remove it, and, download again. it is big and slow to download, of course, which is what facilitated this in the first place.


I ran the command on the entire /Applications directory. I was happy to discover that many third-party apps, even those not downloaded from the app store, checked out. I was surprised, however, that the base Yosemite apps could not be checked because they had an "obsolete resource envelope". Seems to me that all Apple apps should conform.

 

[rkuo]

Downloading from the Mac App Store is weird and convoluted. If they would just provide a direct download link to Xcode for something that is free anyway, none of this would have happened.

 

[Weaselboy]

The list was provided to the 3rd party, from Apple. How else would they know which apps were effected? You can't simply guess.

https://www.macrumors.com/2015/09/20/xcodeghost-chinese-malware-faq/

Read the original article again. There were no lists provided by Apple.

Read this. The apps were all identified by third parties examining the apps or watching for apps that communicated with the zombie servers at C2.

 

[ninjadex]

If you download an infected app, simply run the app updates and install them. This will clear up the issue.

Better yet, if you downloaded an infected app, delete it and never install an app from that developer ever again.

 

[NightFox]

I can't help wondering how many people slating developers for downloading Xcode from sources other than Apple are using iPhone or Macs running betas of iOS or OS X downloaded from sites like IMZDL

 

[astronomic]

So according to the e-mail apple sent me, these infected developers had to disable gatekeeper, or accept the popup that says it is not signed? Ugh they shot themselves in the foot there.

 

[garylapointe]

It would be nice if Apple said they were e-mailing those who downloaded the apps, some have similar names to other apps...

UPDATE: Another thread says Apple is going to notify people if they downloaded any of the apps.

Gary

 

[Jeaz]

So these developers not only chose to download Xcode from a shady source, but also run with Gatekeeper off. Wonder if the users affected can sue the developers for neglecthant behaviour.

 

[cppguy]

I'll boycott every company who downloaded Xcode from a Chinese source instead of directly from Apple. A company with such idiot developers should sink immediately. I'm talking to you, CamScanner.

 

[patent10021]

This is a tricky situation. A manual fix is not a good solution, not all devs will do this or care about it. They need something besides Xcode that validates itself, and can't rely on a web service doing this since data sent can be faked. I think a real solution is to add an OS-level check that ensures Xcode.app originated from Apple, and disallow any other app with that name from running otherwise.

That could be circumvented just like any other app cracks do. You'd need some kind of USB hardware lock key like the famous iLok.

 

[Digitalclips]

Considering I am not an idiot and I downloaded Xcode from Apple's dev portal, I think my copy is clean.

It is surely a breach of the developer agreement not to do so, these jack asses should be punished in some way, they have done untold damage to the Apple community by their stupidity.

 

[kainjow]

That could be circumvented just like any other app cracks do. You'd need some kind of USB hardware lock key like the famous iLok.

It would protect from this happening again, because then it's only people who are maliciously modifying their own apps, and what's the point if you can just embed your own malware directly anyways.

 

[Manderby]

/Applications/App Store.app: rejected

Interesting.

No. Everything is fine. Seems this whole check only works on the latest systems. Mavericks is out.

 

[larrylaffer]

Another thing worth looking for is:

override=security disabled

If you see this, that means you have Gatekeeper set to allow all applications. You should consider turning this back on.