The message started appearing in Chinese developer forums about six months ago: A high-speed download site for Apple’s latest Xcode development environment was now available.
Because downloading the hefty 3.6GB free package from Apple's servers was often slow in China, many developers took advantage of the link, which sent them to a page that listed all recent versions of Xcode, from 6.0.1 to 7, according to an analysis by network security firm Palo Alto Networks. Yet the software was not what it seemed: Malicious attackers had embedded a Trojan horse into many of the programs. Any app built with the infected toolchain would collect information about the iOS device on which it ran and send that information to a command-and-control server.
The attack resulted in a large number of infected applications—reportedly more than a thousand—invading the Apple App Store in China. In addition, some internationally popular programs—such as WeChat, which boasts 500 million users—were infected by developers using the compromised Xcode package.
In the end, the attack showed that developers are now seen as a step along the path to targeting hundreds of millions of mobile users, Ryan Olson, director of threat intelligence for Palo Alto Networks, told eWEEK.
“I think it should be a wake-up call for developers,” he said. “If the eventual goal is to infect users’ systems, then developers have become a really important step to getting to that. You have a big target on your back, all of the sudden.”
The attack could have been worse. While millions of users likely downloaded infected applications, the software could at most have leaked users’ information, and it is unclear whether it did. In addition, when developers rebuilt and patched their programs, and users updated, the malicious code disappeared along with the older versions of the apps.
“We have no information to suggest that the malware has been used to do anything malicious or that this exploit would have delivered any personally identifiable information had it been used,” Apple said in a statement. “We’re not aware of personally identifiable customer data being impacted, and the code also did not have the ability to request customer credentials to gain iCloud and other service passwords.”
Trusting the Compiler Is Hard
Yet while XcodeGhost turned out to be a less-than-tangible threat, the attack provided some tangible lessons for consumers, developers and Apple. Developers have to take the security of their tools, both hardware and software, more seriously.
“It is definitely a supply-chain issue,” said Palo Alto’s Olson. “If you can’t trust your tools, you cannot trust what you produce.”
Compiler malware is not new. The concept dates back at least to a 1974 Air Force security review of the Multics operating system that discussed the possibility of a compiler “trap door” that could “survive even a complete recompilation of the entire system.”
Ken Thompson, the co-creator of Unix, made the concept even more famous in his 1983 Turing Award acceptance lecture “Reflections on Trusting Trust,” when he described a way to insert a backdoor into programs by infecting the popular C compiler. Because each version of the C compiler is built with the previous version, a properly executed attack would not appear in any source code; the backdoor would simply propagate into every program built by the infected compiler, including the next version of the compiler itself.
“The moral is obvious,” Thompson wrote in a 1984 article based on the lecture. “You can’t trust code that you did not totally create yourself. … I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader or even hardware microcode.”
While the Scare Fell Flat, XcodeGhost Tale Holds Lessons
Apple’s Security Net Does Have Holes
Apple has had great success by combining its signature-checking Gatekeeper software on clients with automated and manual checks of software uploaded to the App Store.
However, the XcodeGhost incident highlights how hard it is for Apple to determine, by looking at the program, whether information-collecting features of a known application are malicious, said David Richardson, iOS product manager for Lookout.
“They can only validate that an app does what it claims to do,” he said. “To Apple, the changes made by XcodeGhost just look like they added new features or a new analytics framework.”
Yet Apple also emphasized that developers would have had to go out of their way to use the compromised version of Xcode. The company pointed out that legitimate Xcode software is code-signed by Apple, and when the software is downloaded from the App Store or from the Apple Developer Program site, the operating system checks that signature before the software is installed.
“Apple incorporates technologies like Gatekeeper expressly to prevent non-App Store and/or unsigned versions of programs, including Xcode, from being installed,” the company said in a statement. “Those protections had to have been deliberately disabled by the developer for something like XcodeGhost to successfully install.”
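The signature check Apple refers to can be run by hand. The script below is an added example, not part of the eWEEK article or any Apple documentation: it wraps `spctl --assess --verbose` (the command-line face of Gatekeeper) and treats the bundle as trustworthy only when Gatekeeper accepts it *and* the recorded signing source is one of the Apple sources (Mac App Store, Apple System, Apple). A bundle that is merely "accepted" under some other source, such as a Developer ID certificate, is reported as untrusted, because that is exactly what a re-signed tampered copy would look like. The `/Applications/Xcode.app` path and the `RUN_LIVE_CHECK` variable are assumptions for this example; the parsing function is kept pure so it can be exercised offline with constructed spctl output.

```shell
#!/bin/sh
# Added example (not from the article or from Apple): decide whether an
# installed Xcode bundle is a genuine, Apple-signed copy by inspecting the
# output of Gatekeeper's command-line assessment tool.
# Assumption: Xcode lives at /Applications/Xcode.app (override with XCODE_APP).

XCODE_APP="${XCODE_APP:-/Applications/Xcode.app}"

# Classify the full text of `spctl --assess --verbose <bundle>` (passed as one
# string). Typical genuine output is two lines:
#   /Applications/Xcode.app: accepted
#   source=Mac App Store
# Prints "trusted" and returns 0 only when the verdict is "accepted" AND the
# source is one of the Apple sources; otherwise prints "untrusted", returns 1.
classify_spctl_output() {
    out="$1"
    # Gatekeeper verdict: look for ": accepted" (a rejection reads ": rejected").
    if ! printf '%s\n' "$out" | grep -q ': accepted'; then
        echo "untrusted"
        return 1
    fi
    # Signing source: the text after the first "source=" in the output.
    src=$(printf '%s\n' "$out" | sed -n 's/.*source=//p' | head -n 1)
    case "$src" in
        "Mac App Store"|"Apple System"|"Apple")
            echo "trusted"
            return 0 ;;
        *)
            # Accepted, but signed by someone other than Apple (e.g. a
            # Developer ID), or no source recorded: not a genuine Xcode.
            echo "untrusted"
            return 1 ;;
    esac
}

# Live check: run Gatekeeper's assessment on the real bundle. Only meaningful
# on macOS, where spctl exists; elsewhere it reports and returns 2.
check_xcode_install() {
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not found: this check only runs on macOS" >&2
        return 2
    fi
    out=$(spctl --assess --verbose "$XCODE_APP" 2>&1)
    printf '%s\n' "$out" >&2
    classify_spctl_output "$out"
}

# Only touch the live system when explicitly asked, so the parsing logic can
# be sourced and tested on any platform.
if [ "${RUN_LIVE_CHECK:-0}" = 1 ]; then
    check_xcode_install
fi
```

Run it on a Mac with `RUN_LIVE_CHECK=1 sh check_xcode.sh`; a genuine install prints `trusted`. The script deliberately does not call `codesign --verify --deep` on the whole bundle, which is valid but can take many minutes on an Xcode install; the Gatekeeper verdict plus the Apple source check is the quick test Apple itself pointed developers to after XcodeGhost.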
Apps Update Quickly on Mobile Devices
XcodeGhost also underscored how quickly an updated program can spread through legitimate channels. While PC viruses needed to find ways to move from one machine to the next victim, a malicious application that gets through the Apple vetting process is pushed to users by the normal app-update mechanism and spreads very quickly.
Such an automated update mechanism puts even more pressure on the software developer—or the application distributor, Apple—to catch any bad software, said Lookout’s Richardson.
“The software on your phone is constantly updating; sometimes it happens without your really knowing,” he said. “It definitely holds the potential for a mass infection of a large number of devices.”