In the wake of XcodeGhost, the sheer number of malware-laden iOS apps is focusing attention on how developers were tricked into using dodgy code in the first place.
The Xcode development tools used by iOS app makers were copied, modified and distributed online before (mainly) Chinese developers used the counterfeit code to compile apps. Palo Alto Networks was the first to warn late last week that the malware had infected more than 39 iOS apps – including messaging app WeChat – affecting hundreds of millions of users.
Since then, Palo Alto and other security researchers have uncovered hundreds of other compromised apps in what is the first large-scale attack on Apple's walled-garden mobile app store.
Chinese iOS devs downloaded Xcode from a third party, and spyware functionality was added to their apps at compile time. More specifically, the so-called XcodeGhost attack planted phishing functionality in apps built with the dodgy tool: apps compiled with a compromised copy of Xcode present users with pop-up dialog boxes requesting their iCloud login credentials.
XcodeGhost takes advantage of a fairly common developer practice: seeking out ad-hoc, regional distributions of a software development platform when the primary source is too hard or too slow to use.
Tod Beardsley, security engineering manager at Rapid7, said that developers skipping certificate warnings was another big factor in the creation of the XcodeGhost malware problem.
"The success of XcodeGhost illustrates that skipping certificate checks and acquiring untrusted software is a fairly normal practice, even for established software companies with millions of users," Beardsley explained.
While Apple's Gatekeeper provides for basic code-signing validation, it is essentially a blacklisting technology that many developers have legitimate reasons for disabling.
"Usually, disabling or bypassing Gatekeeper checks is done to install software from an 'untrusted' developer," said Beardsley. "In this case, an 'untrusted' developer has not paid the $99 Developer ID fee to Apple and thus, cannot sign their code with a valid certificate."
"Searching for 'Disable Gatekeeper' in the US turns up about 288,000 results on Google, and there are doubtless many thousands of results in regions where a $99 price tag for a 'legitimate' developer credential is a significant cost for student and hobbyist programmers," Beardsley added.
A version of Xcode containing malicious functionality was uploaded to the cloud-sharing platform of Baidu (the Chinese counterpart of Google), from where multiple developers downloaded it. Xcode is a massive download, and that may have played a part in a decision which, in retrospect, looks somewhat risky.
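The mirror download described above is exactly the step where an integrity check belongs: fetch the toolchain over a connection whose certificate is actually validated, compare the file against a digest obtained from the vendor through a separate trusted channel, and only then let Gatekeeper assess it. The following POSIX shell script is an added example written for this article, not code from Apple, Rapid7 or the XcodeGhost author. It assumes a published SHA-256 digest is available out of band; the file names and digest values in the demo are constructed, and the `spctl` assessment only runs where that macOS tool exists.

```shell
#!/bin/sh
# Added example (not from the article): verify a downloaded toolchain before
# trusting it. All sample file names and digests below are constructed.

# fetch_toolchain URL DEST
# Downloads with curl's default certificate validation left ON (no -k /
# --insecure), restricted to HTTPS with TLS 1.2 or better. Returns curl's
# exit status, so a failed TLS handshake fails the whole procedure.
fetch_toolchain() {
    curl --fail --location --proto '=https' --tlsv1.2 -o "$2" "$1"
}

# verify_sha256 FILE EXPECTED_HEX -> 0 if the digest matches, 1 otherwise.
verify_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$1" | cut -d' ' -f1)
    else
        # macOS ships shasum rather than sha256sum
        actual=$(shasum -a 256 "$1" | cut -d' ' -f1)
    fi
    [ "$actual" = "$2" ]
}

# assess_gatekeeper PATH -> Apple's own Gatekeeper assessment on macOS.
# Returns 2 where spctl is not available, so callers can distinguish
# "not checked" from "rejected" instead of silently skipping the check.
assess_gatekeeper() {
    if ! command -v spctl >/dev/null 2>&1; then
        return 2
    fi
    spctl --assess --type execute "$1"
}

# check_toolchain FILE EXPECTED_HEX
#   0 = digest matches and Gatekeeper accepted it
#   1 = digest mismatch (tampered or wrong file; do not install)
#   2 = digest matches but Gatekeeper rejected it
#   3 = digest matches, Gatekeeper unavailable on this host
check_toolchain() {
    if ! verify_sha256 "$1" "$2"; then
        echo "REJECT: digest mismatch for $1" >&2
        return 1
    fi
    assess_gatekeeper "$1"
    rc=$?
    case $rc in
        0) echo "OK: $1 verified and accepted by Gatekeeper" ;;
        2) echo "NOTE: $1 digest verified; Gatekeeper not available here" >&2; return 3 ;;
        *) echo "REJECT: Gatekeeper refused $1" >&2; return 2 ;;
    esac
}

# Stand-alone demo with constructed files: a pristine download whose content
# is "abc" (well-known SHA-256 below) and a tampered copy with one byte changed.
demo() {
    dir=$(mktemp -d)
    printf 'abc' > "$dir/Xcode-pristine.dmg"
    printf 'abd' > "$dir/Xcode-tampered.dmg"
    published=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
    check_toolchain "$dir/Xcode-pristine.dmg" "$published"
    check_toolchain "$dir/Xcode-tampered.dmg" "$published" || echo "tampered copy rejected (rc=$?)"
    rm -rf "$dir"
}
```

Call `demo` to see the pristine file pass the digest check and the tampered one refused; `fetch_toolchain` is kept separate so the demo runs offline. The point of returning a distinct code when `spctl` is missing is that "the check did not run" must never look the same as "the check passed".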
Rapid7, the firm behind the Metasploit penetration testing tool, said that although Chinese developers' behaviour might seem to be asking for trouble in the wake of XcodeGhost, it has been going on for years without any particular problems. The firm compared skipping cert checks to jaywalking.
The important thing to stress is that these behaviours don't usually lead to major compromises of developer security. Most of the time, this risky behaviour doesn't end up causing any harm at all. Skipping certificate checks is a lot like jaywalking; most of the time, everything turns out fine. It's not that developers are dumb and don't know the risks; they simply consider the risk extremely unlikely, and if it's slightly more convenient to ignore one or two security best practices, they will proceed accordingly.
Code for XcodeGhost has been published on Github. The author has apologised for the "experiment". Beardsley reckons the XcodeGhost author was "not particularly malicious", based on a review of the Github code.
"Given that little damage was done, this event was effectively a drill that provided a valuable object lesson in risky decision-making," Beardsley concluded. "Ultimately, XcodeGhost may help influence more secure behaviour and provides an incentive for Apple to make sure that regional distributions of core programming tools are at least as easy to use as their ad-hoc counterparts."