Instead of trying to sneak a malicious iOS app past Apple’s verification process onto the App Store, malware writers went after developers looking for shortcuts.
Developers are told time and again to not use unofficial tools, and the XcodeGhost malware should be an object lesson as to why this is a dodgy move. It appears a counterfeit version of Xcode, Apple’s tool for creating iOS and Mac OS X apps, was uploaded to a few popular sites in China. Developers who downloaded Xcode from these alternative sites inadvertently included malicious code in their apps.
The developers may have looked for sources other than Apple’s servers for Xcode because of Internet restrictions and sluggish download speeds. They may have even thought they were using a local mirror site.
“Due to Internet restrictions and longer download times -- people in China are used to using local services,” said Gavin Read, vice president of Threat Intelligence at Lancope.
The method used -- compromising a tool in the build chain -- is not a novel approach. Computer scientists Paul Karger and Roger Schell came up with it 41 years ago. It was popularized as the “Ken Thompson hack” when it was included in Ken Thompson’s Turing Award Lecture in 1984. Modern apps often use third-party plug-ins and compilers, and developers rarely think twice about the safety of their tools. Developers may not even stop to consider whether gcc (the c compiler used by many developers) installed on their machines came from an official source or if it may have been tampered with, for example.
The fact that Apple favors the walled garden approach for its App Store and has an app verification process may have given developers a false sense of security. Developers -- regardless of what language they are coding in or what platform they are building for -- need to be careful about what tools they are using. This level of scrutiny should not be reserved for compilers alone, but also on libraries, plug-ins, and other prebuilt blocks of code.
The presence of XcodeGhost malware in the App Store should reinforce something developers should have known all along: relying on alternative resources is a dodgy proposition and the risks outweigh the benefits. Tools and libraries should always come from known sources, and when evaluating a new library or tool, developers have to perform due diligence to figure out whether the source is trustworthy. Sonatype’s CTO Josh Corman has long touted the benefits of having a bill of lading for software applications, indicating which third-party components from which sources are used.
Attacks like the Ken Thompson hack show the limitations of after-the-fact security. “Analyzing binaries after they are built provides limited assurance against vulnerabilities,” said Paco Hope, a software security consultant at Cigital. Security needs to be a part of every step in the development process, “right down to the provenance and selection of the development toolchain itself.”
While Apple didn’t say how many apps it removed, Chinese Internet security firm Qihoo360 Technology said in a blog post that its systems detected 344 XcodeGhost-infected apps in the official Apple App Store.
“We’ve removed the apps from the App Store that we know have been created with this counterfeit software,” Apple spokesperson Christine Monaghan told Reuters. “We are working with developers to make sure they’re using the proper version of Xcode to rebuild their apps.”
Palo Alto Networks researchers noted the compromised Xcode could have been used to build infected OS X apps. The malware could display fake alerts designed to phish personal information from device owners, open URLs, and manipulate information stored on the device’s clipboard, such as passwords and other sensitive data. Researchers have seen reports the malware displayed dialogs on infected iOS devices, prompting victims to input iCloud passwords, according to the company’s blog post. “XcodeGhost is a very harmful and dangerous malware that has bypassed Apple’s code review and made unprecedented attacks on the iOS ecosystem,” Palo Alto Networks said.
XcodeGhost has exposed developers as the Achilles' heel in Apple’s security strategy for keeping malicious apps out of its App Store. Due diligence and careful attention to what developers are using is necessary to ensure similar malware doesn’t sneak in to the App Store or the Mac App Store again.