XcodeGhost: Resources for Developer and User Security
iOS developers were the target of a recent malware attack, not Apple Store, although malicious code was spread through many apps downloaded via the online app store. Attackers inserted malicious code into a version of Xcode, Apple’s official app development software. The malicious version, dubbed XcodeGhost, was uploaded to China-based Baidu, a cloud service.
A link to download XcodeGhost was shared in Chinese developer forums, which lead developers to download the malicious version in order to create infected apps they submitted to Apple Store. But why would a developer download Xcode from a source other than Apple’s website?
According to an interview SCMagazine.com did with Palo Alto Networks, slow Xcode (size: three GB) download times in China (read: hours) could drive Chinese developers to download from unauthorized sources on Baidu instead of from Apple directly. Another article from TidBits blames it on China’s bandwidth limitations and restrictions to accessing foreign servers. But regardless, that’s still a big security risk for a developer, or any user, to take.
While the current version of XcodeGhost can’t actually be used to directly phish iCloud passwords, by changing just a few lines of code, it can be used to phish any kind of password, according to Palo Alto Networks researchers. The effect of XcodeGhost on infected apps is similar to adware or tracking frameworks, rather than malicious malware, as Appthority reported.
The more technical description of what infected apps can do involves sending request to servers with all kinds of device identifiers, with a response that can trigger different actions, like opening a URL. Check out more details by Appthority.
There were at least 39 confirmed applications containing XcodeGhost, removed by Apple from its store, including WeChat, which has also fixed the security flaw in its newest iOS version. Apple has also sent an email to affected developers, urging them to recompile using the official Xcode software and re-submit apps, according to an update from Palo Alto Networks.
Three command and control (C2) servers that communicated with the apps being hosted on Amazon were also identified and shut down, according to Threatpost, and Baidu has since removed links to download the malicious software.
XcodeGhost has been spreading since March, with download links indexed and promoted in search engines for over six months now, making it likely that far more infected apps are out there (unconfirmed numbers estimating the total as hundreds and even thousands).
How Can Developers Protect Themselves?
Most of the developers that were affected were located in China. To find out if you’re running XcodeGhost, the InfoSec Community Forums from SANS advises that developers check for a certain file in their software:
- Check for Library/Frameworks/CoreServices.framework/CoreService in SDK/Applications/Xcode.app/Contents/Developer/Platforms /iPhoneOS.platform/Developer/SDKs/
- Always download software from the official source
- Check any provided hashes (MD5/SHA1)
Validate Your Version of Xcode
Apple also released instructions on how to validate your version of Xcode:
Run the following command in Terminal on a system with Gatekeeper enabled: spctl --assess --verbose /Applications/Xcode.app where /Applications/ is the directory where Xcode is installed.
The tool should return the following result for a version of Xcode downloaded from the Mac App Store:
/Applications/Xcode.app: accepted source=Mac App Store
For a version downloaded from the Apple Developer website, the result should read either
/Applications/Xcode.app: accepted source=Apple or
/Applications/Xcode.app: accepted source=Apple System
Any result other than ‘accepted’ or any source other than ‘Mac App Store’, ‘Apple System’ or ‘Apple’ indicates that the application signature is not valid for Xcode.
Download a clean copy of Xcode and re-compile your apps before submitting them for review.
Apple also recently announced they would provide an official source for developers in the People’s Republic to download Xcode domestically from local China-based servers in response to XcodeGhost.
How Can Users Protect Themselves?
Affected users include those that downloaded apps in mainland China, Taiwan, Hong Kong or Macau - that is, anyone that downloaded an app from Apple’s App Store serving Greater China, according to 9to5mac.com. Here’s what users can do to protect themselves:
- Check for HTTP traffic to http://init.icloud-analysis.com in your firewalls or proxies logs.
- Check for traffic to the IP addresses listed.
- Remove the apps listed as malicious, which, according to Palo Alto Networks, includes:
滴滴打车 126.96.36.199 – 3.9.7
我叫MT 2 1.10.5
- Change passwords on websites used by the malicious applications.
- As an extra precaution, turn on two-factor authentication for your iCloud account
This is an important opportunity to remember the impact that development tools can have on the security properties of any piece of software. Attacks against various elements of the supply chain are discussed more and more, and this is no exception. Good software development practices and the best intentions can still be thwarted when an attacker inserts themselves into the development path in this way. Always use trusted development tools and services to ensure you are not bringing essentially what amounts to a Trojan horse into your development shop.