How XcodeGhost changes things

It looked as if the careful iOS and OS X user had security sussed: don’t jailbreak your iOS devices, stick to the App Stores, and don’t go cruising iffy websites.

But as has happened so often in the past, something comes along which changes all that. In this case, it’s XcodeGhost. Although primarily a concern for those who have obtained apps from the China region iTunes App Store, its effects will be felt worldwide, and on all platforms and operating systems. As the security experts say, ‘the threat landscape has changed again’.

Events

What happened is now fairly clear. Back in March 2015, a presentation at a security conference proposed using a specially-modified version of the Xcode software development kit (SDK) which Apple encourages all iOS, OS X, and watchOS developers to use. The purpose of the modifications was so that apps created using that doctored SDK would themselves be doctored, and would snoop on users, allowing their surveillance. Yes, this was proposed by those who are supposed to be ‘good guys’, not malevolent hackers.

Sometime in March 2015, someone – no one knows who, just yet – did exactly that. They modified a copy of Xcode so that the iOS (not OS X) apps generated by it would phish for information from users, and silently tuck that away on a cloud server (hosted, incidentally, by Amazon’s cloud service). This modified version of Xcode was then released onto servers used almost exclusively by app developers in China.

Developers in China often experience very slow downloads from official Apple App Stores, and are prone to obtain illegal copies of OS X software such as Xcode from servers such as these, which can greatly reduce the time required to download. So from March onwards, many developers in China were using this modified version of Xcode to generate apps containing hidden malware code. Developers affected included some of the large software houses, working on mainstream and widely-used iOS apps.

So from about March or April onwards, many of the iOS apps being created in China and uploaded for Apple’s approval, contained malicious code inserted by this modified version of Xcode: they were ‘infected’ by XcodeGhost.

Although Apple’s approval process does check for malware, it appears that these apps passed those checks, and were made available for purchase and download in the China region iTunes App Store. No one knows for certain yet whether any apps have made it to other iTunes App Stores, although if they have, the number of affected apps outside China is probably quite low.

No one knows whether the malware components in these ‘infected’ apps did collect and upload any phished or other data, or whether such harvested data were recovered by whoever is responsible for this. No doubt there will be all sorts of accusations about CIA and western intelligence, Chinese government, and ordinary criminal involvement, at the end of which we may remain none the wiser.

As had already been identified and tested by March this year, there has been a vulnerability which has enabled developers to (here, unwittingly) create and submit ‘infected’ apps which have then cleared Apple’s checking process, to be released on the unsuspecting public.

Consequences

Although it took an unconscionably long time to detect this huge tranche of ‘infected’ apps, from around March or April until mid September, Apple, Amazon (as the cloud service provider), Baidu (who inadvertently hosted the doctored versions of Xcode), and all the security researchers involved have co-operated fully and very quickly to do what they can now to block and remove the malware.

I think that we can rest assured that Apple is throwing its very substantial resources, and some hard-worked security experts, at tightening up measures in both the Xcode SDK and its App Store screening processes to ensure that this is very unlikely to happen again.

However this is a relatively novel risk, and one which will be tried again in the future, not just against Apple, but against all the other app stores, for OS X, Android, and Windows, most notably.

One important question which Apple has to address is whether a code signature is sufficient to protect the integrity of its SDK: the answer, as XcodeGhost has demonstrated, is that it is not.

As ‘the one ring to rule them all’, Xcode is in a unique position, and uniquely exposed to attack. At the same time, an SDK has to be sufficiently flexible as to accommodate the needs of all developers, making it a difficult system to close down fully. Even assuming a perfect compromise was possible, introduction of a new, more secure Xcode could not be accomplished at a stroke.

The previous idyllic model of a safe app compiled using a known, secure SDK, released to pass code signature checks, and run in a sandbox, has been broken for good. We can now only wait to see how the new security measures will impact on our apps, and on us.