Following the recent reveal that the Chinese Apple App Store had become infested with malware, thanks to dozens of infected consumer-facing mobile apps that had been built and updated with a compromised version of Apple’s iOS developer software, Xcode, Apple is now urging mobile app developers to verify their Xcode installations. The company reminded developers via email and a message posted to the company website that they should only run Xcode software that was directly downloaded from the Mac App Store or the Apple Developer site.
The reminder speaks to the issue that causes the problem with the malware-laden apps to begin with: Chinese app developers, including several big-name brands like WeChat, Didi Kuaidi (an Uber competitor), business card scanning app CamCard, and more, deliberately bypassed warnings from Apple’s “Gatekeeper” software when installing the compromised version of Xcode.
However, their reason in doing so was not because they have lax security policies, really, but rather that Xcode – a sizable piece of software – is slow to download when trying to access the software on U.S. servers due to China’s Great Firewall. That often sees developers turning to local cloud storage sites, like Baidu (where this compromised version was hosted), in order to get their hands on copies they can get onto their local machines more quickly.
According to security firm Lookout, Chinese users, or others who may have downloaded applications from the China App Store, should check to see if there are updates available for the affected apps. (A full list of the apps they’ve verified as being infected is here.)
If one of the apps is running on your device, you should change your Apple ID and password immediately, and then be wary if you receive any suspicious emails or push notifications in the future – especially those that may ask for personal information.
The malware was designed to pull personal information from victims’ devices, including the device name, country, and unique identifiers, the firm noted. Palo Alto Networks, which was among the first to publish details on “XcodeGhost,” as the malware is dubbed, also said that the malicious software may have been able to push dialog boxes to users’ phones asking for personal information.
However, Apple’s Phil Schiller told China’s Sina website that Apple currently knows of no cases where the malicious apps were able to transmit user data before the apps were pulled from the App Store.
Apple’s Phil Schiller tells China’s Sina website that Apple knows of no cases where malicious apps transmitted user data.
— CNBC Now (@CNBCnow) September 22, 2015
Apple, in its message to developers, offers instructions on how to verify their version of Xcode:
…You should always download Xcode directly from the Mac App Store, or from the Apple Developer website, and leave Gatekeeper enabled on all your systems to protect against tampered software.
When you download Xcode from the Mac App Store, OS X automatically checks the code signature for Xcode and validates that it is code signed by Apple. When you download Xcode from the Apple Developer website, the code signature is also automatically checked and validated by default as long as you have not disabled Gatekeeper.
Whether you downloaded Xcode from Apple or received Xcode from another source, such as a USB or Thunderbolt disk, or over a local network, you can easily verify the integrity of your copy of Xcode.
To verify the identity of your copy of Xcode run the following command in Terminal on a system with Gatekeeper enabled:
spctl –assess –verbose /Applications/Xcode.app
where /Applications/ is the directory where Xcode is installed. This tool performs the same checks that Gatekeeper uses to validate the code signatures of applications. The tool can take up to several minutes to complete the assessment for Xcode.
The tool should return the following result for a version of Xcode downloaded from the Mac App Store:
source=Mac App Store
and for a version downloaded from the Apple Developer web site, the result should read either
Any result other than ‘accepted’ or any source other than ‘Mac App Store’, ‘Apple System’ or ‘Apple’ indicates that the application signature is not valid for Xcode. You should download a clean copy of Xcode and recompile your apps before submitting them for review.