Apple has published an XcodeGhost Q&A page on its Chinese website to explain what the malware is, how it can affect users, and what steps the company will be taking to protect developers and users against malicious software in the future.
Apple earlier today posted an explanation of how developers can make sure their installation of Xcode is genuine and isn’t compromised by the XcodeGhost code. The Cupertino firm says there is no proof the malware has been used for anything malicious, and claims the code can only deliver some general information about a device’s apps and system.
However, Apple says it will be announcing the top 25 most popular apps that have been infected by XcodeGhost on its Chinese website, and will also be alerting users to let them know if they have downloaded any compromised apps.
I’ve heard about malicious apps created by XcodeGhost — what does this mean?
We always recommend that developers use the free, secure tools we provide them — including Xcode — to ensure they’re creating the most secure apps for App Store customers. Some developers downloaded counterfeit versions of Xcode that have been infected with malware and created apps that were just as infected.
Apple incorporates technologies like Gatekeeper expressly to prevent non-App Store and/or unsigned versions of programs, including Xcode, from being installed. Those protections had to have been deliberately disabled by the developer for something like XcodeGhost to successfully install.
As part of providing developers the industry’s most advanced tools, Apple provides developers the following checks to ensure software is untampered:
- The Xcode app is code-signed by Apple.
- When you download Xcode from the Mac App Store the code signature for Xcode is automatically checked and validated by your system.
- When you download Xcode from the Apple Developer Program web site, the code signature for Xcode is automatically checked and validated by your system by default as long as Gatekeeper is not disabled.
Why would a developer put customers at risk by downloading counterfeit software?
Sometimes developers search for our tools on other, non-Apple sites in an effort to find faster downloads of developer tools.
How does this affect me? How do I know if my device has been compromised?
We have no information to suggest that the malware has been used to do anything malicious or that this exploit would have delivered any personally identifiable information had it been used.
We’re not aware of personally identifiable customer data being impacted and the code also did not have the ability to request customer credentials to gain iCloud and other service passwords.
As soon as we recognized these apps were using potentially malicious code we took them down. Developers are quickly updating their apps for users.
Malicious code could only have been able to deliver some general information such as the apps and general system information.
Is it safe for me to download apps from App Store?
We have removed the apps from the App Store that we know have been created with this counterfeit software and are blocking submissions of new apps that contain this malware from entering the App Store.
We’re working closely with developers to get impacted apps back on the App Store as quickly as possible for customers to enjoy.
A list of the top 25 most popular apps impacted will be listed soon so users can easily verify if they have downloaded the latest versions of these apps. After the top 25 impacted apps, the number of impacted users drops significantly.
Customers will be receiving more information letting them know if they’ve downloaded an app/apps that could have been compromised. Once a developer updates their app, that will fix the issue on the user’s device once they apply that update.
We’re working to make it faster for developers in China to download Xcode betas. To verify that their version of Xcode has not been altered, they can take the following steps posted at <developer.apple.com>.
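The signature and Gatekeeper checks described in the Q&A can be scripted on a build machine. The following is an added example, not Apple's published steps or code from the Q&A: the function names are hypothetical, the sample outputs in the comments are constructed, and the accepted `source=` values ("Mac App Store", "Apple", "Apple System") are the ones Apple's developer guidance lists for a genuine Xcode rather than values stated on this page.

```shell
#!/bin/sh
# Added example: check that an Xcode.app bundle is Apple-signed and accepted
# by Gatekeeper. Function names are hypothetical.

# Classify the text printed by `spctl --assess --verbose <app>`.
# Constructed sample of a good result:
#   /Applications/Xcode.app: accepted
#   source=Mac App Store
# Returns 0 only when the bundle is accepted AND the source is Apple itself;
# a third-party "Developer ID" signature is not good enough for Xcode.
classify_assessment() {
    output=$1
    case $output in
        *": accepted"*) ;;          # continue to the source check
        *) return 1 ;;              # rejected, unsigned, or unreadable
    esac
    # The source may follow "accepted" on the same line or on the next line.
    source_value=$(printf '%s\n' "$output" | sed -n 's/.*source=//p' | head -n 1)
    case $source_value in
        "Mac App Store"|"Apple"|"Apple System") return 0 ;;
        *) return 1 ;;
    esac
}

# Run the checks against a bundle (default: /Applications/Xcode.app).
verify_xcode() {
    app=${1:-/Applications/Xcode.app}
    command -v spctl >/dev/null 2>&1 || { echo "spctl not found (macOS only)" >&2; return 2; }
    # Policy choice of this example: treat a disabled Gatekeeper as a failure,
    # since that is the precondition for a counterfeit Xcode to be installed.
    spctl --status 2>&1 | grep -q "assessments enabled" || {
        echo "Gatekeeper is disabled" >&2; return 1; }
    # The bundle's code signature must be intact, nested code included.
    codesign --verify --deep --strict "$app" 2>/dev/null || {
        echo "code signature invalid: $app" >&2; return 1; }
    # spctl writes its assessment to stderr, so capture both streams.
    classify_assessment "$(spctl --assess --verbose "$app" 2>&1)"
}

# Only run the check on macOS; elsewhere the functions are just defined.
if [ "$(uname -s)" = "Darwin" ]; then
    if verify_xcode "$@"; then
        echo "Xcode signature: OK"
    else
        echo "Xcode signature: NOT trusted"
    fi
fi
```

Verifying the full bundle signature can take several minutes because of Xcode's size, so in CI it is best run once when the toolchain image is built rather than on every job.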