The XcodeGhost hack, which enabled malware to worm its way into iOS apps by way of modified versions of Xcode that Chinese developers downloaded from unofficial sources, has been one of the more successful breaches of Apple’s security systems (see “XcodeGhost Exploits the Security Economics of Apple’s Ecosystem,” 21 September 2015). Although Apple has neither addressed the root cause of the problem (China’s bandwidth restrictions to foreign servers) nor enabled digital certificate pinning and better app signing within Xcode, the company has now alerted all Apple developers to the problem via email.
The message exhorts developers to download Xcode directly from the Mac App Store, or from the Apple Developer Web site, since both of those channels allow OS X to check and validate the code signature for Xcode. In an acknowledgement that not all copies of Xcode will come from one of those two sources, though, Apple’s expanded developer news posting provides instructions on how developers can verify the identity of a copy of Xcode acquired via USB thumb drive, external hard drive, or LAN fileserver.
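The verification Apple describes boils down to asking Gatekeeper whether the Xcode bundle’s signature is intact and came from Apple. As an added example (not Apple’s own instructions or script), here is a small POSIX shell wrapper around macOS’s `spctl --assess --verbose` that parses its verdict and accepts only the Apple-controlled sources; the sample `spctl` outputs embedded at the bottom are constructed so the parsing logic can be exercised on any system.

```shell
#!/bin/sh
# Added example: decide whether a Gatekeeper assessment of an Xcode bundle
# is acceptable. The "accepted"/"rejected" verdict and "source=" lines are
# spctl's real output format; the wrapper, the check function, and the
# sample outputs below are constructed for this example.

# Take the text spctl printed for one bundle; print OK/FAIL and return 0/1.
# Only App Store or Apple-signed downloads count as trustworthy sources.
assess_spctl_output() {
    output="$1"
    verdict=$(printf '%s\n' "$output" | sed -n '1s/.*: //p')
    source=$(printf '%s\n' "$output" | sed -n 's/^source=//p')
    if [ "$verdict" != "accepted" ]; then
        echo "FAIL: Gatekeeper rejected the bundle (source=$source)"
        return 1
    fi
    case "$source" in
        "Mac App Store"|"Apple"|"Apple System")
            echo "OK: accepted, source=$source"
            return 0 ;;
        *)
            # A valid but third-party signature (e.g. a Developer ID) is not
            # proof that the copy is the one Apple shipped.
            echo "FAIL: accepted, but from an untrusted source: $source"
            return 1 ;;
    esac
}

# Run the real assessment on a bundle path (macOS only; spctl is required).
check_xcode_bundle() {
    path="${1:-/Applications/Xcode.app}"
    assess_spctl_output "$(spctl --assess --verbose "$path" 2>&1)"
}

# Constructed sample outputs mirroring what spctl prints.
GENUINE_OUTPUT="/Applications/Xcode.app: accepted
source=Mac App Store"
TAMPERED_OUTPUT="/Volumes/USB/Xcode.app: rejected
source=no usable signature"

if [ "${1:-}" = "--demo" ]; then
    assess_spctl_output "$GENUINE_OUTPUT"
    assess_spctl_output "$TAMPERED_OUTPUT"
fi
```

On a Mac, `check_xcode_bundle /path/to/Xcode.app` runs the live assessment; anywhere else, `sh script.sh --demo` walks the two constructed cases.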
Apple has also now posted an XcodeGhost Q&A page on the Chinese version of the company’s Web site explaining the situation. It’s in Chinese, of course, but there’s an English version at the bottom. Apple’s Q&A lists the 25 most popular apps that were affected, which is interesting in its own right, even if for the names alone — my favorites are Carrot Fantasy (will there be a spinoff called Daikon Dreams?), Miraculous Warmth (which I have to assume drains your battery awfully quickly), and Flush (which is, amusingly, a stock-tracking app).
Again, there’s nothing we normal users need to do — or can do — about this situation, since Apple’s security lapses in allowing modified versions of Xcode to function and letting malware-infested apps into the App Store are simply outside our control.