Following last week’s reveal of the new iOS malware XcodeGhost, which was spread via an infected version of Apple’s Xcode development studio, Apple has supplied instructions for developers to ensure the integrity of the version of Xcode installed on their machines.
Apple has sent emails to developers, offering information on how to check their downloads of Xcode to make sure they are clean of malicious code. The company says if Xcode is downloaded from the Mac App Store or the Apple Developer Center, and as long as Gatekeeper is enabled, OS X will automatically check the app’s code signature, and validate it against Apple’s own code.
Any developers who have obtained their copy of Xcode from another source (and really, show some common freaking sense, and don’t do that) should follow a set of instructions to make sure their copy is clean.
To verify the identity of your copy of Xcode run the following command in Terminal on a system with Gatekeeper enabled:
spctl --assess --verbose /Applications/Xcode.app
where /Applications/ is the directory where Xcode is installed. This tool performs the same checks that Gatekeeper uses to validate the code signatures of applications. The tool can take up to several minutes to complete the assessment for Xcode.
The tool should return the following result for a version of Xcode downloaded from the Mac App Store:
source=Mac App Store
and for a version downloaded from the Apple Developer web site, the result should read either
source=Apple System
or
source=Apple
Any result other than ‘accepted’ or any source other than ‘Mac App Store’, ‘Apple System’ or ‘Apple’ indicates that the application signature is not valid for Xcode. You should download a clean copy of Xcode and recompile your apps before submitting them for review.
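An added example, not Apple’s or the article’s own code, that scripts this check: it runs spctl and accepts the result only when the verdict is ‘accepted’ and the source is one of the three trusted sources named above. It assumes spctl prints the app path with its verdict on the first line and a ‘source=’ line after it.

```shell
#!/bin/sh
# Added example: evaluate spctl's Gatekeeper assessment of an Xcode bundle
# against the verdict and trusted sources listed in Apple's instructions.
# Assumed output format (first line "<path>: accepted", then "source=<name>").

# check_spctl_output OUTPUT
# Returns 0 when the verdict is "accepted" and the source is Mac App Store,
# Apple System or Apple; returns 1 for any other verdict or source.
check_spctl_output() {
    out="$1"
    # Verdict is the text after the last ": " on the first line.
    verdict=$(printf '%s\n' "$out" | sed -n '1s/^.*: //p')
    # Source is the value of the source= line.
    src=$(printf '%s\n' "$out" | sed -n 's/^source=//p')
    [ "$verdict" = "accepted" ] || return 1
    case "$src" in
        "Mac App Store"|"Apple System"|"Apple") return 0 ;;
        *) return 1 ;;
    esac
}

# verify_xcode [PATH]
# Runs the same assessment Gatekeeper performs (can take several minutes)
# and reports whether the installed Xcode carries a valid Apple signature.
verify_xcode() {
    app="${1:-/Applications/Xcode.app}"
    out=$(spctl --assess --verbose "$app" 2>&1)
    if check_spctl_output "$out"; then
        printf 'OK: %s is signed by a trusted source\n' "$app"
    else
        printf 'FAIL: signature not valid for Xcode (%s)\n' "$app"
        printf '%s\n' "$out"
        return 1
    fi
}
```

Run `verify_xcode` on a Mac with Gatekeeper enabled; a FAIL means re-download Xcode from Apple and recompile before submitting.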
A malicious version of Xcode had been uploaded to Chinese cloud file sharing service Baidu and downloaded by some iOS developers in China. Those developers then unknowingly compiled apps using the malicious version of Xcode, and then made those apps available on the iOS App Store.
Chinese developers commonly download new versions of Apple’s development studio from servers other than Apple’s official source, due to the large size of the app, which can take a long time to download in China.
Versions affected are unofficial versions between Xcode 6.1 and Xcode 6.4. Affected iOS devices include any device running a version of iOS that is compatible with the infected apps. This can affect any iOS device, jailbroken or not.
XcodeGhost affected possibly hundreds of apps in the iOS App Store. iOS users who want to learn more about the malware can read this MacTrast article.