Band-Aid achieved. But it shouldn't be possible to do this in the first place--it's a security hole and one that could have been expected. Maybe have iTunes Connect only accept submissions from an unmodified Xcode?

Impossible unless you stop allowing developers to compile code using the command line and merge the command-line tools into the main Xcode binary itself. Otherwise, a fake Xcode can be as simple as interposing another binary that injects code into the source code on its way to the compiler and adds an extra static library to any final link line.

Yes, ostensibly Apple could make Xcode itself do some sort of checks to ensure that the binaries are unmodified, but someone could just binary-patch in a new signature, and it isn't hard to search a binary for a specific sequence of bytes. It is rather hard to hide such checks in a way that can't be thwarted. Provably impossible, in fact, though you can take steps to make it harder. Basically, it's the DRM problem all over again.

If the Xcode binary isn't signed by Apple anyway, and if developers didn't notice that, then there's very little Apple can usefully do to make it more obvious that the software is counterfeit beyond what they have already done.
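The interposer the reply above describes, as an added illustration that is not code from the thread or from any XcodeGhost sample: a POSIX shell wrapper installed ahead of the real compiler (via PATH or a CC= override) that rewrites each invocation and then calls through. REAL_CC, EXTRA_LIB and EXTRA_HDR are hypothetical placeholders; -c, -E, -S and -include are ordinary clang/gcc flags. The point is only how little the wrapper has to do, and that the genuine Xcode.app is never touched.

```shell
#!/bin/sh
# Added illustration of the interposer the reply describes; not code from the thread.
# Installed as "clang" ahead of the real compiler in PATH (or via CC=), it rewrites
# every invocation and then calls through, so the genuine Xcode.app stays untouched.
# REAL_CC, EXTRA_LIB and EXTRA_HDR are hypothetical placeholders.

REAL_CC="${REAL_CC:-/usr/bin/clang}"        # the genuine compiler to call through to
EXTRA_LIB="${EXTRA_LIB:-/tmp/libextra.a}"   # static library appended to every link
EXTRA_HDR="${EXTRA_HDR:-/tmp/extra.h}"      # header force-included into every TU

# is_link_step ARGS...: succeed (exit 0) when this invocation will produce a linked
# output, i.e. none of the compile-only / preprocess-only flags is present.
is_link_step() {
    for a in "$@"; do
        case "$a" in
            -c|-E|-S) return 1 ;;
        esac
    done
    return 0
}

# extra_args ARGS...: print, one per line, what gets spliced into this invocation.
# Link steps get the extra library; compile steps get a forced header include,
# which is the "inject code into the source on its way to the compiler" half.
extra_args() {
    if is_link_step "$@"; then
        printf '%s\n' "$EXTRA_LIB"
    else
        printf '%s\n' -include "$EXTRA_HDR"
    fi
}

# Only act as a wrapper when explicitly asked, so the file can also be sourced.
# Usage: AS_WRAPPER=1 ./clang main.o -o main
if [ "${AS_WRAPPER:-0}" = 1 ]; then
    if is_link_step "$@"; then
        set -- "$@" "$EXTRA_LIB"
    else
        set -- -include "$EXTRA_HDR" "$@"
    fi
    exec "$REAL_CC" "$@"
fi
```

What this implies for the defence discussed in the thread: verifying the signature of Xcode.app does not catch a wrapper that is reached through PATH or a CC= setting, so a build machine also needs to confirm that the compiler actually being invoked (for example the path printed by `xcrun -f clang`) lives inside the signed bundle.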
 
Compared to the list published by Palo Alto Networks, at least two of those apps weren't affected, obviously. CamCard, for example, is on that list, but it's still available in the store (checked right now). The CamCard dev wrote on his FB site that the app is definitely not infected. The same goes for WeChat.

So it's hard to know what to believe and what not. Apple should publish a similar statement (steps) for iOS users (and not devs only).
 
It seems to me that the far easier solution for preventing this is to set up a robust enough delivery system that Chinese developers don't feel compelled to download Xcode from a third party source!! Apple could throw a couple million at that particular problem without blinking and poof! It disappears.
 
I just received an email stating that I shall download Xcode directly from Apple. There are two possibilities:

1. This is a phishing email. Which I expected as soon as I heard of XcodeGhost.

2. Apple has sent out an actual mail to developers, asking them to click on a link in an email stating that it provides a safe download.

Response to 1: Delete
Response to 2: Shame on you! Apple, never, ever do that!!!

Unfortunately, it is unclear to me whether it is 1 or 2. The links all seem to really point at Apple. But I will surely not click on them.
 
The real email from Apple says 'always download Xcode directly from the Mac App Store' and the link takes you to the App Store
 
I received the same email. While the link does indeed go to developer.apple.com, I too share your concerns about clicking email links. Too bad they couldn't sign these emails with the public key from the key pair generated by me when joining Apple's Dev program.
 
The real email from Apple says 'always download Xcode directly from the Mac App Store' and the link takes you to the App Store
And what if it didn't but instead directs me to a website which looks like the developer portal? I sometimes download the latest betas from there.

Never do that, no matter if the links are correct. Never.
 
The lists were from a third party not Apple. If you have seen a list from Apple, can you please link to it?

The list was provided to the 3rd party, from Apple. How else would they know which apps were affected? You can't simply guess.

If you download an infected app, simply run the app updates and install them. This will clear up the issue.
 
Disappointing that they don’t warn their customers with a proper press release. iCloud credentials might have been stolen and other passwords compromised. People are still vulnerable for as long as these versions remain on the devices and many people don’t know. Just make sure that you download Xcode from apple.com next time, no big deal! Apple is just unreliable with these things.
 
I get /Applications/Xcode.app: a sealed resource is missing or invalid
What does that mean?

Getting the same message, and I'm pretty sure I haven't downloaded mine anywhere else than from the App Store.

I get the specified message. Is it possible that your version is an earlier release? You might want to upgrade, or just remove it and download again. It is big and slow to download, of course, which is what facilitated this in the first place.


I ran the command on the entire /Applications directory. I was happy to discover that many third-party apps, even those not downloaded from the app store, checked out. I was surprised, however, that the base Yosemite apps could not be checked because they had an "obsolete resource envelope". Seems to me that all Apple apps should conform.
 
Downloading from the Mac App Store is weird and convoluted. If they would just provide a direct download link to Xcode for something that is free anyway, none of this would have happened.
 
I can't help wondering how many people slating developers for downloading Xcode from sources other than Apple are using iPhone or Macs running betas of iOS or OS X downloaded from sites like IMZDL
 
So according to the e-mail Apple sent me, these infected developers had to disable Gatekeeper, or accept the popup that says it is not signed? Ugh, they shot themselves in the foot there.
 
So these developers not only chose to download Xcode from a shady source, but also run with Gatekeeper off. Wonder if the users affected can sue the developers for negligent behaviour.
 
I'll boycott every company who downloaded Xcode from a Chinese source instead of directly from Apple. A company with such idiot developers should sink immediately. I'm talking to you, CamScanner.
 
This is a tricky situation. A manual fix is not a good solution, not all devs will do this or care about it. They need something besides Xcode that validates itself, and can't rely on a web service doing this since data sent can be faked. I think a real solution is to add an OS-level check that ensures Xcode.app originated from Apple, and disallow any other app with that name from running otherwise.
That could be circumvented just like any other app cracks do. You'd need some kind of USB hardware lock key like the famous iLok.
 
It would protect from this happening again, because then it's only people who are maliciously modifying their own apps, and what's the point if you can just embed your own malware directly anyways.
 
/Applications/App Store.app: rejected
Interesting.

No. Everything is fine. Seems this whole check only works on the latest systems. Mavericks is out.
 
Another thing worth looking for is:

override=security disabled

If you see this, that means you have Gatekeeper set to allow all applications. You should consider turning this back on. :)
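An audit script for the check the last few posts are running (the one behind "a sealed resource is missing or invalid", "rejected" and "override=security disabled"), written as an added example that is not part of the thread. It assumes those messages come from spctl(8) and codesign(1), the Gatekeeper tools on OS X, and that the acceptable answers for Xcode are "accepted" with source=Mac App Store, source=Apple or source=Apple System (the App Store origin the Apple email insists on); that set of sources is an assumption, the sample output in the usage test is constructed, and the live scan only runs where spctl exists.

```shell
#!/bin/sh
# Added example, not from the thread: audit every .app the way the posts above do.
# Assumes the messages quoted there come from spctl(8) ("X.app: accepted",
# "source=Mac App Store", "override=security disabled", "X.app: rejected") and
# from codesign(1) ("a sealed resource is missing or invalid", obsolete resource
# envelope). Both tools are OS X only; the live scan is skipped where they are absent.

# verdict: read one app's `spctl --assess --verbose` output on stdin, print one word.
#   apple           accepted and distributed by Apple (assumed acceptable sources)
#   third-party     accepted via some other source (Developer ID, ...)
#   rejected        Gatekeeper would refuse it
#   gatekeeper-off  "override=security disabled" was present; then "accepted" proves
#                   nothing about who signed the bundle, so this beats every other line
verdict() {
    status=unknown; src=""; override=0
    while IFS= read -r line; do
        case "$line" in
            *": accepted")                 status=accepted ;;
            *": rejected")                 status=rejected ;;
            "override=security disabled")  override=1 ;;
            source=*)                      src="${line#source=}" ;;
        esac
    done
    if [ "$override" -eq 1 ]; then
        echo gatekeeper-off
        return 0
    fi
    case "$status:$src" in
        accepted:"Mac App Store"|accepted:Apple|accepted:"Apple System") echo apple ;;
        accepted:*) echo third-party ;;
        rejected:*) echo rejected ;;
        *)          echo unknown ;;
    esac
}

# audit_dir DIR: assess each bundle, and on a rejection ask codesign for the reason
# (this is where "a sealed resource is missing or invalid" comes from).
audit_dir() {
    for app in "${1:-/Applications}"/*.app; do
        [ -d "$app" ] || continue
        v=$(spctl --assess --verbose "$app" 2>&1 | verdict)
        printf '%-14s %s\n' "$v" "$app"
        if [ "$v" = rejected ]; then
            codesign --verify --deep --verbose "$app" 2>&1 | sed 's/^/    /'
        fi
    done
}

# Live run (OS X only). For Xcode specifically, anything but "apple" is a red flag,
# and "gatekeeper-off" anywhere means the whole report should be distrusted.
if command -v spctl >/dev/null 2>&1; then
    audit_dir "${1:-/Applications}"
fi
```

On the Yosemite result mentioned earlier in the thread: an obsolete resource envelope is codesign reporting an older signature format that newer verification no longer accepts, not evidence that the bundle was modified, which is why the script takes spctl's verdict first and only asks codesign for detail on a rejection.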
 