
XcodeGhost attack tapped into dev distaste for Apple's Gatekeeper

Slow, unwieldy downloads, $99 dev ID fee also contribute to App Store appocalypse

The number of malware-laden iOS apps uncovered in the wake of XcodeGhost is focusing attention on how developers were tricked into using dodgy code in the first place.

The Xcode development tools used by iOS app makers were copied, modified and distributed online before (mainly) Chinese developers used the counterfeit code to compile apps. Palo Alto Networks was the first to warn late last week that the malware had infected more than 39 iOS apps – including messaging app WeChat – affecting hundreds of millions of users.

Since then, Palo Alto and other security researchers have uncovered hundreds of other compromised apps in what is the first large-scale attack on Apple's walled-garden App Store.

Chinese iOS devs downloaded Xcode from a third party, leading to spyware functionality being added when apps were compiled. More specifically, the so-called XcodeGhost attack resulted in the planting of phishing functionality in apps compiled using the dodgy tool. Apps compiled using compromised versions of Xcode push pop-up dialog boxes towards users, requesting iCloud login credentials.

The estimated casualty count of dodgy apps increased from 39 to 4,000 in a matter of days. Apple is in the process of removing apps created with this counterfeit software from its App Store.

XcodeGhost takes advantage of a fairly common developer practice of seeking out ad-hoc, regional distributions for software development platforms when the primary source is too hard or slow to use.

Tod Beardsley, security engineering manager at Rapid7, said that developers skipping certificate warnings was another big factor in the creation of the XcodeGhost malware problem.

"The success of XcodeGhost illustrates that skipping certificate checks and acquiring untrusted software is a fairly normal practice, even for established software companies with millions of users," Beardsley explained.

While Apple's Gatekeeper provides basic code-signing validation, it is an allowlist rather than a blocklist: by default it lets through only apps from the Mac App Store or apps signed with an Apple-issued Developer ID certificate, and many developers have legitimate reasons for switching it off.

"Usually, disabling or bypassing Gatekeeper checks is done to install software from an 'untrusted' developer," said Beardsley. "In this case, an 'untrusted' developer has not paid the $99 Developer ID fee to Apple and thus, cannot sign their code with a valid certificate."

"Searching for "Disable Gatekeeper" in the US turns up about 288,000 results on Google, and there are doubtless many thousands of results in regions where a $99 price tag for a "legitimate" developer credential is a significant cost for student and hobbyist programmers," Beardsley added.
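The practical alternative to skipping the check is to make Gatekeeper's verdict on the installed Xcode part of the build setup. The script below is an added example, not code from the article or from Rapid7: it wraps the assessment Apple itself pointed developers at after XcodeGhost (`spctl --assess --verbose /Applications/Xcode.app`) and accepts only a verdict of "accepted" whose source is the Mac App Store or Apple. The three sample outputs are constructed for the offline self-check, not captured from a real machine; the third one shows the caveat that a copy re-signed with someone else's paid Developer ID certificate also passes Gatekeeper, yet is not a genuine Xcode.

```shell
#!/bin/sh
# Added example: check Gatekeeper's verdict on Xcode mechanically instead of
# bypassing it. Assumes macOS `spctl` output of the form
#   /Applications/Xcode.app: accepted
#   source=Mac App Store
# and treats anything other than accepted + an Apple source as untrusted.

# classify_spctl OUTPUT
# Returns 0 when OUTPUT is an "accepted" verdict from the Mac App Store or
# Apple, 1 for anything else (rejected, unsigned, or re-signed by a third party
# whose Developer ID Gatekeeper would otherwise happily accept).
classify_spctl() {
    out="$1"
    status=$(printf '%s\n' "$out" | sed -n '1s/.*: //p')
    src=$(printf '%s\n' "$out" | sed -n 's/^source=//p')
    [ "$status" = "accepted" ] || return 1
    case "$src" in
        "Mac App Store"|"Apple"|"Apple System") return 0 ;;
        *) return 1 ;;
    esac
}

# gatekeeper_enabled: 0 if system-wide assessments are on, 1 otherwise.
gatekeeper_enabled() {
    spctl --status 2>/dev/null | grep -q 'assessments enabled'
}

# assess_xcode [APP_PATH]: run the real assessment (macOS only).
assess_xcode() {
    app="${1:-/Applications/Xcode.app}"
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not available; run this on macOS" >&2
        return 2
    fi
    gatekeeper_enabled || echo "WARNING: Gatekeeper is disabled on this machine" >&2
    out=$(spctl --assess --verbose "$app" 2>&1)
    if classify_spctl "$out"; then
        echo "OK: $app accepted from a trusted source"
        return 0
    fi
    echo "FAIL: $app did not pass: $(printf '%s' "$out" | tr '\n' ' ')" >&2
    return 1
}

# Constructed sample verdicts (not real captures) for an offline self-check.
SAMPLE_GENUINE='/Applications/Xcode.app: accepted
source=Mac App Store'
SAMPLE_UNSIGNED='/Applications/Xcode.app: rejected
source=no usable signature'
SAMPLE_RESIGNED='/Applications/Xcode.app: accepted
source=Developer ID'

for s in "$SAMPLE_GENUINE" "$SAMPLE_UNSIGNED" "$SAMPLE_RESIGNED"; do
    if classify_spctl "$s"; then
        echo "trusted:   $(printf '%s' "$s" | tr '\n' ' ')"
    else
        echo "untrusted: $(printf '%s' "$s" | tr '\n' ' ')"
    fi
done

# On a Mac, also assess the real installation.
if command -v spctl >/dev/null 2>&1; then
    assess_xcode /Applications/Xcode.app
fi
```

Run it once after installing Xcode and again in CI before the first build; a "trusted" verdict on the genuine download takes seconds, which removes the main excuse for turning Gatekeeper off.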

A version of Xcode containing malicious functionality was uploaded to Baidu's cloud sharing platform (Baidu being the Chinese equivalent of Google) before multiple developers downloaded it. Xcode is a massive download and this may have played a part in an operation which, in retrospect, looks somewhat risky.

Rapid7, the firm behind the Metasploit penetration testing tool, said that although Chinese developers' behaviour might seem to be asking for trouble in the wake of XcodeGhost, it's been going on for years without any particular problems. The firm compared skipping cert checks to jaywalking.

The important thing to stress is that these behaviours don't usually lead to major compromises of developer security. Most of the time, this risky behaviour doesn't end up causing any harm at all. Skipping certificate checks is a lot like jaywalking; most of the time, everything turns out fine. It's not that developers are dumb and don't know the risks; they simply consider the risk extremely unlikely, and if it's slightly more convenient to ignore one or two security best practices, they will proceed accordingly.

Code for XcodeGhost has been published on GitHub. The author has apologised for the "experiment". Beardsley reckons the XcodeGhost author was "not particularly malicious", based on a review of the GitHub code.

"Given that little damage was done, this event was effectively a drill that provided a valuable object lesson in risky decision-making," Beardsley concluded. "Ultimately, XcodeGhost may help influence more secure behaviour and provides an incentive for Apple to make sure that regional distributions of core programming tools are at least as easy to use as their ad-hoc counterparts." ®
