XcodeGhost: App Store malware shows the weakest links and Apple’s advantage

xcodeghost gallery

As malware goes, XcodeGhost is unimpressive. Bundled into versions of Apple's Xcode development environment for iOS, OS X, and watchOS, XcodeGhost was distributed within China—but not from Apple’s own servers. When apps were built using the infected Xcode, XcodeGhost hitched a lift.

It’s an instructive tale to look at how this happened, how it might be prevented in the future, and how minimal the impact was, despite the potential. Apple and its customers were lucky by chance and by design.

China's restrictions

The government in China makes it hard for average citizens and businesses to interact outside its borders. Over time, the Great Firewall of China has become even more stringent, frequently blocking virtual private network (VPN) connections and other encrypted sessions. Academics and scientists are kept from having access to up-to-date information in their field, and there’s concern it will lead to long-term expatriate living by those who can work in less-restrictive countries, as well as causing non-Chinese companies to shift or consider shifting operations.

Piracy has also been rampant in China since the dawn of personal computers. At one time, this was largely due to the inequitable pricing of software between China’s developing economy and the U.S., Europe, and other so-called developed nations. As that gap has narrowed—significantly so for the growing Chinese middle class and elite—piracy remains entrenched in part because the government rarely enforces penalties, where they exist.

After many years of fighting illegal copies of Windows in China—a 2011 estimate pegged unlicensed use at 90 percent—Microsoft is now offering free upgrades to Windows 10 from both legitimate and illegitimate versions. (I offer no ethical nor legal judgment on this. It’s a fact and it hasn’t hurt Chinese economic development in technology areas.)

As is well established, even in the face of China’s current slowdown in growth, the iPhone is exceedingly popular there. Developers want to make software to feed this market, which they do both through the authorized Apple App Store and through stores that work with jailbroken iPhones. Many of the jailbreak packages originate from China and are used domestically; some of those incorporate malware, too.

This combination of factors means that developers in China are used to downloading sketchy software, jailbreaking phones, developing software both for the App Store and knockoffs, and have huge problems retrieving large files (Xcode is several gigabytes).

Sketchy situations are the norm

All this may help explain to those outside China's market why developers would download Xcode from in-country servers, disable security warnings, and fail to check whether a distribution had been tampered with. It’s just part of the routine: errors and warnings are ignored because they’re so common. Apple released a FAQ for its customers about XcodeGhost (“Why would a developer put customers at risk by downloading counterfeit software?”) and another gently reminding developers to look for the seal of authenticity.

Despite dozens and possibly hundreds of apps being infected with a malicious procedure; and despite the software affected being on tens of millions of iOS devices. Some reporting indicated that hundreds of millions of users could be affected, but it conflated the total installed base of software popular in China, like WeChat, and the number of iOS devices on which those packages were installed.

As you’ve no doubt read elsewhere, Apple has pulled dozens of apps infected with XcodeGhost, and the impact of the particular exploit was very slight. XcodeGhost can communicate with remote servers, which have been shut down, and was thought initially to be able to phish passwords. Fortunately, it could not.

The inserted code could have been far worse but still highly limited, due to how Apple sandboxes each app and the restrictions on information access. WeChat, among a few others, had the biggest hole, because of access to contact lists, which would allow the malware’s designers potentially to harvest that data and then use it for customized phishing and other attacks.

Wake-up call

This should be yet another wake-up call for developers and Apple, despite the contained fallout. Why isn’t Apple actively monitoring Xcode downloads in other countries? Given that the modified version was kicking around since March, you’d think this would be a routine part of its integrity procedures—and one hopes it is now. We can also imagine more automated checks for previously unseen modules appearing across multiple submitted apps that engage in Internet communication.

Apple may be in the middle of a tug of war with China over being able to host full, code-signed downloads of Xcode on content-distribution network servers within China for all we know. But it’s possible for local servers to host valid, signed copies of Xcode—if against Apple’s rules—so long as developers check.

The odd reaction comes from the anti-malware world, which still doesn’t get why Apple puts the locks in place that it does to minimize the reach of a malware insertion like this one. Lookout, which makes mobile safety apps, posted a blog entry about XcodeGhost that contained this remarkable statement:

Unfortunately due to limitations Apple has placed on apps on the iOS platform Lookout Mobile Security for consumers is not able to detect whether you have an infected app installed in iOS 9. Apple has made recent changes to iOS that make it more difficult for one app to understand which other apps are present on the device.

This is a good thing, folks. While it’s inconvenient in some ways for certain utilities, the less each app is allowed to know about all others except through tightly defined parameters, the more likely integrity and privacy remains preserved.

To comment on this article and other Macworld content, visit our Facebook page or our Twitter feed.
Shop Tech Products at Amazon