Skip to content
Thoughtful, detailed coverage of everything Apple for 28 years
and the TidBITS Content Network for Apple professionals
4 comments

Apple Alerts Developers about Xcode Downloads

The XcodeGhost hack, which enabled malware to worm its way into iOS apps by way of modified versions of Xcode that Chinese developers downloaded from unofficial sources, has been one of the more successful breaches of Apple’s security systems (see “XcodeGhost Exploits the Security Economics of Apple’s Ecosystem,” 21 September 2015). Although Apple has neither addressed either the root cause of the problem (China’s bandwidth restrictions to foreign servers) nor enabled digital certificate pinning and better app signing within Xcode, the company has now alerted all Apple developers to the problem via email.


The message exhorts developers to download Xcode directly from the Mac App Store, or from the Apple Developer Web site, since both of those channels allow OS X to check and validate the code signature for Xcode. In an acknowledgement that not all copies of Xcode will come from one of those two sources, though, Apple’s expanded developer news posting provides instructions on how developers can verify the identity of a copy of Xcode acquired via USB thumb drive, external hard drive, or LAN fileserver.

Apple has also now posted an XcodeGhost Q&A page on the Chinese version of the company’s Web site explaining the situation. It’s in Chinese, of course, but there’s an English version at the bottom. Apple’s Q&A lists the 25 most popular apps that were affected, which is interesting in its own right, even if for the names alone — my favorites are Carrot Fantasy (will there be a spinoff called Daikon Dreams?), Miraculous Warmth (which I have to assume drains your battery awfully quickly), and Flush (which is, amusingly, a stock-tracking app).

Again, there’s nothing we normal users need to do — or can do — about this situation, since Apple’s security lapses in allowing modified versions of Xcode to function and letting malware-infested apps into the App Store are simply outside our control.

Subscribe today so you don’t miss any TidBITS articles!

Every week you’ll get tech tips, in-depth reviews, and insightful news analysis for discerning Apple users. For 28 years, we’ve published professional, member-supported tech journalism that makes you smarter.

Registration confirmation will be emailed to you.

Comments About Apple Alerts Developers about Xcode Downloads