Less than a week after Apple confirmed that about 40 apps in the iOS App Store are affected with malicious code, or malware, the Cupertino-giant is urging developers to validate their copy of Xcode, its suite of developer tools that is used to develop apps for iOS and OS X.
The company has sent a reminder to developers via email and a message posted on its website noting that they should only use Xcode downloaded from the Mac App Store or the company’s official developer website.
The email comes days after several Chinese app developers including some associated with big brands such as WeChat, Didi Kuaidi, and CamCard, among others, were caught intentionally bypassing warnings from Apple’s “Gatekeeper” software while installing a counterfeit version of Xcode. These developers, it is worth pointing out, didn’t deliberately do this to make their products less secure, but instead, they did it because China’s Great Firewall makes it slower to access and download files hosted on US servers. This is the reason many used Baidu, a file-sharing website – where a version of Xcode was hosted – to download a copy of the app developing program. As it turned out, the version of Xcode hosted on Baidu was compromised.
“We recently removed apps from the App Store that were built with a counterfeit version of Xcode which had the potential to cause harm to customers. You should always download Xcode directly from the Mac App Store, or from the Apple Developer website, and leave Gatekeeper enabled on all your systems to protect against tampered software,” the company notedon its developer website.
(Also see: Apple Hack Exposes Flaws in Building Apps Behind ‘Great Firewall’)
Gatekeeper ships with OS X and with its default settings, it is designed to allow only those apps to run whose authenticity can be verified. Users have the option to disable Gatekeeper to let it run apps from any source, which is what developers would’ve needed to do to run the compromised version of Xcode. If the copy of Xcode they had downloaded from any other source was genuine, they wouldn’t have needed to disable Gatekeeper at all.
“When you download Xcode from the Mac App Store, OS X automatically checks the code signature for Xcode and validates that it is code signed by Apple. When you download Xcode from the Apple Developer website, the code signature is also automatically checked and validated by default as long as you have not disabled Gatekeeper. Whether you downloaded Xcode from Apple or received Xcode from another source, such as a USB or Thunderbolt disk, or over a local network, you can easily verify the integrity of your copy of Xcode.”
Of course, many third-party utilities on OS X continue to be unsigned, so it’s possible that developers had disabled Gatekeeper to run those apps, and thus compromised copy of Xcode slipped under the radar.
For users who’re affected, it is suggested that they change the password of their Apple ID. One should also not engage with a push dialog box asking for personal information. As noted by security firm before, it has been found that “XcodeGhost” may have been able to push dialog boxes to users’ devices asking for personal information. Apple’s VP of Marketing Phil Schiller, meanwhile, has assured that Apple doesn’t know of any cases where these malicious apps transmitted user information, which is always comforting to know. The company has set up a page on its website to let users know about this hack, and offer answers to many of the questions they might have. Apple also plans to alert users who have downloaded the affected apps.