I just received an email stating that I should download Xcode directly from Apple. There are two possibilities:

1. This is a phishing email. Which I expected as soon as I heard of XcodeGhost.

2. Apple has sent out an actual mail to developers, asking them to click on a link in an email stating that it provides a safe download.

Response to 1: Delete
Response to 2: Shame on you! Apple, never, ever do that!!!

Unfortunately, it is unclear to me whether it is 1 or 2. The links all seem to really point at Apple. But I will surely not click on them.

Never follow a link in email if it will involve entering login credentials or downloads. Take it as a "notification" and just "go the long route" and get there directly from the website in question (being Apple in this case).

That's email 101 stuff...
 
I thought Apple had a "kill switch" they could use to disable apps? and why don't they use it in this case?
 
Impossible unless you stop allowing developers to compile code using the command line and merge the command-line tools into the main Xcode binary itself. Otherwise, a fake Xcode can be as simple as interposing another binary that injects code into the source code on its way to the compiler and adds an extra static library to any final link line.

Yes, ostensibly Apple could make Xcode itself do some sort of checks to ensure that the binaries are unmodified, but someone could just binary-patch in a new signature, and it isn't hard to search a binary for a specific sequence of bytes. It is rather hard to hide such checks in a way that can't be thwarted. Provably impossible, in fact, though you can take steps to make it harder. Basically, it's the DRM problem all over again.

If the Xcode binary isn't signed by Apple anyway, and if developers didn't notice that, then there's very little Apple can usefully do to make it more obvious that the software is counterfeit beyond what they have already done.
what about making people submit uncompiled projects? Apple can surely compile everything themselves. I think I saw posts by devs saying that this is not feasible but I don't know why.
 
Never follow a link in email if it will involve entering login credentials or downloads. ... That's email 101 stuff...
Yes. That's precisely what I mean. How many of those receiving these emails have clicked on the links supposedly linking to Apple's website without checking them? Apple's email is an amateurish response and should not have been sent to all developers. Not in this situation.

I thought Apple had a "kill switch" they could use to disable apps? and why don't they use it in this case?
No. Something like that is impractical. They can - and have - however removed the apps in question from the App Store.
 
Apple should block any developers who used counterfeit versions from being able to submit to the App Store. This level of stupidity shouldn't be allowed on their platform.
Or at the very least put them on notice that any further uncovered incidents of using non-authentic or bootlegged copies of Xcode for creating Apps will lead to them being permanently barred. Which is giving them the benefit of the doubt as most devs most likely weren't aware of the XcodeGhost modification.

Too much potential for widespread damage.
 
Following last week's disclosure of new iOS malware called XcodeGhost, which arose from malicious versions of Xcode hosted on third-party servers, Apple has outlined instructions for developers to ensure the version of Xcode they are using is valid.


When downloading Xcode from the Mac App Store, or from Apple's website so long as Gatekeeper is enabled, OS X automatically checks the app's code signature and validates it against Apple's code. If you must obtain Xcode elsewhere, follow these steps:

Apple issued a statement in response to XcodeGhost over the weekend, noting that it has removed all infected apps it is aware of from the App Store and is working with developers to ensure they are using a legitimate version of Xcode.

XcodeGhost affected dozens, and possibly hundreds, of App Store apps. iPhone, iPad and iPod touch users should read what you need to know about XcodeGhost to learn more about the malware and how to keep yourself protected.

Article Link: Apple Outlines Steps for Developers to Validate Xcode Following Malware Attack
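The Gatekeeper assessment the article refers to can be run by hand with `spctl --assess --verbose`. The script below is an added example, not part of the article or of Apple's developer note: it runs the assessment against the installed Xcode and classifies the verdict. The set of `source=` labels treated as Apple provenance (Mac App Store, Apple, Apple System) is my assumption based on Apple's published guidance; confirm it against the current note. A verdict of `accepted source=allowed cdhash` (which a poster below reports) means a local Gatekeeper rule for that particular code hash allowed the app, for instance after "Open Anyway" or `spctl --add`; it is not a check of Apple's signature, so the script reports it separately and prints the `codesign` signing chain for follow-up instead of treating it as proof of origin.

```shell
#!/bin/sh
# Added example (not from the article or from Apple). Classifies the output of
# `spctl --assess --verbose <app>` and, on macOS, runs the check itself.

# Reduce a (possibly multi-line) spctl verdict to one of:
#   apple-signed  - accepted with an Apple source label (assumed label set)
#   local-rule    - accepted only because of a local per-cdhash rule
#   rejected      - Gatekeeper rejected the bundle
#   unknown       - anything else (treat as unverified)
classify_xcode_verdict() {
    # spctl prints "path: accepted" and "source=..." on separate lines; join them
    verdict="$(printf '%s' "$1" | tr '\n' ' ') "
    case "$verdict" in
        *"rejected"*)                             echo rejected ;;
        *"accepted "*"source=Mac App Store "*)    echo apple-signed ;;
        *"accepted "*"source=Apple System "*)     echo apple-signed ;;
        *"accepted "*"source=Apple "*)            echo apple-signed ;;
        *"accepted "*"source=allowed cdhash "*)   echo local-rule ;;
        *)                                        echo unknown ;;
    esac
}

# Assess an Xcode install (default /Applications/Xcode.app). Exit status 0 only
# for apple-signed; 2 when spctl is unavailable (i.e. not running on macOS).
check_xcode() {
    app=${1:-/Applications/Xcode.app}
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not found; this check only runs on OS X / macOS" >&2
        return 2
    fi
    verdict=$(spctl --assess --verbose "$app" 2>&1)
    printf '%s\n' "$verdict"
    result=$(classify_xcode_verdict "$verdict")
    echo "classification: $result"
    if [ "$result" != apple-signed ] && command -v codesign >/dev/null 2>&1; then
        # Show who actually signed the bundle so the reader can judge the chain.
        codesign -dv --verbose=4 "$app" 2>&1 | grep '^Authority=' || true
    fi
    [ "$result" = apple-signed ]
}

# Only run against the live system when explicitly asked, e.g.
#   XCODE_CHECK_RUN=1 sh check_xcode.sh /Applications/Xcode.app
if [ "${XCODE_CHECK_RUN:-0}" = 1 ]; then
    check_xcode "$@"
fi
```

`classify_xcode_verdict` is separated from `check_xcode` so the parsing can be exercised with constructed verdict strings on any system; only `check_xcode` needs macOS.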
Xcode returns this, "/Applications/Xcode.app: accepted source=allowed cdhash" That ok?
 
On a tangent, but a strongly related one, what's to keep whomever put the malicious Xcode out on Baidu in the first place from having a house stable of devs building malicious apps using their own Xcode? From what I've read, Apple was unable to catch these apps from being borked in the first place. I've long had a healthy skepticism about accessing any critical (financial, medical, etc) websites from a mobile device, now I'm positively paranoid about it.

When I was using Windows XP as my home OS on my self-built PC, I used to download many programs from random developer sites. Some of these programs were very popular. But I had no real knowledge of who built them, what security checks they underwent etc. Thankfully I've never encountered anything negative in terms of doing banking online, shopping etc. It was a Wild West scenario, anything was allowed. And not much has changed on the desktop now - I can install pretty much what I want from anywhere I want.

Alternatively, I have one vetted source for apps on my iOS devices. Is it bullet proof - nope. As has been shown many times. But is it a much stronger position than I was in 7 or 8 years ago on the desktop - yep.

Just wondering why you mentioned mobile devices? What makes them so special? What makes you feel safe on desktop devices?

I'm the opposite, I feel safer on my locked down vetted mobile device rather than the open desktop platform. But I try to take sensible precautions and bank, shop etc on both platforms, and while security is no joke I'm certainly not paranoid.
 
On a tangent, but a strongly related one, what's to keep whomever put the malicious Xcode out on Baidu in the first place from having a house stable of devs building malicious apps using their own Xcode? From what I've read, Apple was unable to catch these apps from being borked in the first place. I've long had a healthy skepticism about accessing any critical (financial, medical, etc) websites from a mobile device, now I'm positively paranoid about it.

So you mean that your computer feels safer? Huh.
 
The real email from Apple says 'always download Xcode directly from the Mac App Store' and the link takes you to the App Store

Or maybe takes you to some site which looks just like the App Store.
The thing is, you have to check whether it really IS or just looks like (remember that there were even scams using Unicode chars to create URLs which looked just like the intended ASCII goal). So at the end of the day it is faster/better to just go through "the long route" yourself, as the original poster said.
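The "check whether it really IS" step above can be made mechanical for the host part of a link. The script below is an added example, not code from any poster: it pulls the hostname out of a URL and flags non-ASCII characters (the Unicode look-alike trick mentioned above) or the `xn--` prefix browsers use for encoded internationalised domain names, before anyone clicks. The `apple.com` allow-list is my assumption for this thread's scenario; the sample URLs in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies the host of a link before it
# is followed: non-ASCII or punycode hosts are flagged, then the host is
# compared against an assumed allow-list (apple.com and its subdomains).

# Extract the hostname from a URL: drop the scheme, then path/query/fragment,
# then any user@ prefix and :port suffix.
url_host() {
    h=${1#*://}
    h=${h%%[/?#]*}
    h=${h##*@}
    h=${h%%:*}
    printf '%s\n' "$h"
}

# Print one of: punycode, non-ascii, apple-domain, other-domain
classify_link_host() {
    host=$(url_host "$1")
    case "$host" in
        *xn--*) echo punycode; return ;;
    esac
    # In the C locale, anything outside printable ASCII (space..tilde) is a
    # byte of a multi-byte character, e.g. a Cyrillic look-alike letter.
    if printf '%s' "$host" | LC_ALL=C grep -q '[^ -~]'; then
        echo non-ascii; return
    fi
    case "$host" in
        apple.com|*.apple.com) echo apple-domain ;;
        *)                     echo other-domain ;;
    esac
}

# Example run on a constructed list of links, one per line.
if [ "${LINK_CHECK_RUN:-0}" = 1 ]; then
    while IFS= read -r url; do
        printf '%-14s %s\n' "$(classify_link_host "$url")" "$url"
    done
fi
```

Run it as `LINK_CHECK_RUN=1 sh link_check.sh < links.txt`. Note that `apple.com.example.net` is classified `other-domain`: the allow-list match is anchored at the end of the host, which is the part of a link that the look-alike and "long subdomain" tricks both target.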
 
Just wondering why you mentioned mobile devices? What makes them so special? What makes you feel safe on desktop devices?

What exactly makes you feel safer on your locked-down mobile device, and how is it more "locked down" than a desktop system on a wired home network maintained by a competent individual?
 
What exactly makes you feel safer on your locked-down mobile device, and how is it more "locked down" than a desktop system on a wired home network maintained by a competent individual?

Off the top of my head: in iOS, compared to OS X,
  • the system is much more locked down, so there are fewer ways to sneak in (no Flash, no Java, for example)
  • you can only run apps checked by Apple
  • the communication between apps is MUCH more restricted
  • if you are careful, you can be even reasonably sure that only the app you want is running at a given moment
Those are simplifications, of course. The point is that for any "but" that you can find to any of those points, it's orders of magnitude more "but-tier" in the full OS X.
 
If one assumes that Xcode Ghost infected a developer's version of Xcode, it wouldn't be too far a stretch to imagine that the hackers could have found a way to burrow themselves into the developer, infecting other parts of the app development process or other parts of the developer's infrastructure too.

So, even if Apple works with the developers to fix the app and ensure it's built with a non-counterfeit version of Xcode, I would find it really difficult to trust the app developer ever again as they may simply steal data from another part of the developer's infrastructure instead.
 
Maybe it's about time Apple is getting their * together and start upgrading or outsourcing their hosting stuff. Maybe when people can download an update in a few minutes instead of 4 hours people wouldn't start downloading stuff outside Apple's source.

It's ridiculous. Trying to do a clean install of iOS 9 and it takes 4 hours to download.
 
Yes. That's precisely what I mean. How many of those receiving these emails have clicked on the links supposedly linking to Apple's website without checking them? Apple's email is an amateurish response and should not have been sent to all developers. Not in this situation.


No. Something like that is impractical. They can - and have - however removed the apps in question from the App Store.

It could be done quite simply with a certificate-like system... Much like they already do for devs...
 
What exactly makes you feel safer on your locked-down mobile device, and how is it more "locked down" than a desktop system on a wired home network maintained by a competent individual?

Basically what @mijail said.

Because by their very nature our desktop OSes are more open, more complex and therefore offer more attack points than our mobile devices. Apple has started taking steps to change this (if you want the features) by introducing things like Gatekeeper, Mac App Store app sandboxing etc.

Complexity adds potential weakness. Look at the Apple TV 3, not very complex - the community just couldn't find a Jailbreak. I imagine the new Apple TV with an App Store will be easier to Jailbreak just because of the added complexity.

On the desktop I could be installing apps that sneak trackers, viruses... whatever from a multitude of sources. Even something that is free, open source, popular in the community, generally classed as safe - I'm still relying on individuals who I don't know to ensure my safety. How do I know short cuts weren't taken? What security checks were carried out? I personally don't have the skills to check through code myself.

On iOS Apple checks app submissions, and as I said while it's not bullet proof, at least I know they have their reputation on the line so it's in their best interest to keep me safe (And Google, Microsoft on their platforms - although with side loading on Android it introduces some similar issues as have been mentioned for the desktop).
 
It seems to me that the far easier solution for preventing this is to set up a robust enough delivery system that Chinese developers don't feel compelled to download Xcode from a third party source!! Apple could throw a couple million at that particular problem without blinking and poof! It disappears.

This is the actual issue here. Apple downloads are hideously slow inside China. It's gotten better than a year or two ago, but it's still far far far quicker to download oh, 2.9G of Xcode from Baidu Pan or similar storage sites, than it is from Apple.

Fix that, and you've solved 90% of the issue.

...and as for the people in here complaining about Gatekeeper being turned off - most of the good tools are not distributed on Apple's walled garden, so it's fairly common to disable it. Perhaps they could do something about that too, hmm?
 