The XcodeGhost incident has demonstrated that however secure a system is thought to be, there’s always a way in. It also shows how the very human tendency of trying to simplify and hasten the execution of a task can lead to decreased security.
Apple has expanded on its initial comment about the malware and its proliferation in the App Store, and has explained that they have removed the infected apps from the store and that they are blocking submissions of new apps that contain the malware.
They listed the top 25 most popular apps impacted, among which is the popular messaging app WeChat, and noted that “after the top 25 impacted apps, the number of impacted users drops significantly.”
Users are advised to update those apps as soon as possible (once they are available on the App Store again). Uninstalling the affected apps until then is also a good idea, although the company says that the malware found was only capable of harvesting some general information about the apps and the OS.
“We have no information to suggest that the malware has been used to do anything malicious or that this exploit would have delivered any personally identifiable information had it been used,” they noted. “We’re not aware of personally identifiable customer data being impacted and the code also did not have the ability to request customer credentials to gain iCloud and other service passwords.”
This last piece of information was confirmed by FireEye researchers, who also noted that changing a few simple lines of code is enough to make the malware capable of doing that.
Apple also explained that the incident was made possible because developers chose to download the Xcode app building framework from a third-party site and to disable Gatekeeper, the security technology that would have alerted them that the framework they downloaded was not signed by Apple.
They acknowledged the reason why developers chose not to download Xcode directly from Apple, and noted that they are working on making it faster for developers in China to download Xcode betas. The company also provided instructions on how to verify that a downloaded copy of Xcode has not been modified.
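The kind of check Apple’s verification instructions boil down to, as an added shell example that is not from the article or from Apple: it runs Gatekeeper’s `spctl --assess --verbose` (a real macOS command) and treats the download as genuine only if the verdict is “accepted” from one of the Apple signing sources Apple’s note lists. The sample verdicts are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example: validate an Xcode bundle with Gatekeeper's assessment tool.
# Accepts only the "source=" values Apple listed for a genuine Xcode download.

ACCEPTED_SOURCES='Mac App Store
Apple System
Apple'

# verdict_is_trusted VERDICT
# VERDICT is the two-line spctl output: "<path>: accepted|rejected" then "source=<origin>".
# Returns 0 only if Gatekeeper accepted the bundle AND the source is an Apple one.
verdict_is_trusted() {
  status=$(printf '%s\n' "$1" | sed -n '1s/.*: //p')
  source=$(printf '%s\n' "$1" | sed -n 's/^source=//p' | head -n 1)
  [ "$status" = "accepted" ] || return 1
  [ -n "$source" ] || return 1
  printf '%s\n' "$ACCEPTED_SOURCES" | grep -qxF -- "$source"
}

# assess_xcode [BUNDLE]
# Runs the real Gatekeeper assessment on macOS (default /Applications/Xcode.app).
assess_xcode() {
  bundle=${1:-/Applications/Xcode.app}
  command -v spctl >/dev/null 2>&1 || { echo "spctl not found (not macOS?)" >&2; return 2; }
  out=$(spctl --assess --verbose "$bundle" 2>&1) || true
  if verdict_is_trusted "$out"; then
    echo "OK: $bundle is Gatekeeper-accepted from an Apple source"
  else
    echo "WARNING: $bundle failed validation:" >&2
    printf '%s\n' "$out" >&2
    return 1
  fi
}

# Constructed sample verdicts, shaped like spctl output, for offline testing.
GENUINE_VERDICT='/Applications/Xcode.app: accepted
source=Mac App Store'
TAMPERED_VERDICT='/Applications/Xcode.app: rejected
source=no usable signature'
NON_APPLE_VERDICT='/Applications/Xcode.app: accepted
source=Developer ID'
```

A re-signed or unsigned copy fails on either the status or the source check, which is exactly the case Gatekeeper would have flagged had it not been disabled.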
“The success of XcodeGhost illustrates that skipping certificate checks and acquiring untrusted software is a fairly normal practice, even for established software companies with millions of users,” Tod Beardsley, security engineering manager at Rapid7, told The Register.
“Most of the time, this risky behaviour doesn’t end up causing any harm at all. Skipping certificate checks is a lot like jaywalking; most of the time, everything turns out fine. It’s not that developers are dumb and don’t know the risks; they simply consider the risk extremely unlikely, and if it’s slightly more convenient to ignore one or two security best practices, they will proceed accordingly.”
This incident might ultimately prove very beneficial for both Apple and app developers. As noted above, the former has already decided to do something about the downloading difficulties developers outside the US are facing. The latter will hopefully increase their appreciation of security precautions and tools such as Gatekeeper.
As a final side note: The Intercept’s Micah Lee has pointed out that the XcodeGhost author is not the first to think of tampering with Xcode – the CIA had already discovered this particular way into the App Store, and ultimately into targets’ devices, several years ago.