Reprinted from TidBITS by permission; reuse governed by Creative Commons license BY-NC-ND 3.0. TidBITS has offered years of thoughtful commentary on Apple and Internet topics. For free email subscriptions and access to the entire TidBITS archive, visit http://www.tidbits.com/

Apple Alerts Developers about Xcode Downloads
Adam C. Engst

The XcodeGhost hack, which enabled malware to worm its way into iOS apps by way of modified versions of Xcode that Chinese developers downloaded from unofficial sources, has been one of the more successful breaches of Apple's security systems (see "[1]XcodeGhost Exploits the Security Economics of Apple's Ecosystem," 21 September 2015). Although the company has yet to address the root cause of the problem (China's bandwidth restrictions to foreign servers, which push developers toward faster local mirrors of Apple's downloads) or to enable certificate pinning and better signing checks within Xcode itself, it has now alerted all Apple developers to the problem via email.

[2][tn_Apple-Xcode-dev-warning.jpg]

The message exhorts developers to download Xcode directly from the Mac App Store or from the Apple Developer Web site, since both of those channels deliver a copy whose code signature OS X can check and validate. In an acknowledgment that not all copies of Xcode will come from one of those two sources, [3]Apple's expanded developer news posting provides instructions on how developers can verify that a copy of Xcode acquired via a USB thumb drive, external hard drive, or LAN file server is genuine and signed by Apple. Passing that check shows only that the Xcode bundle itself is Apple's unmodified build; any app already compiled with a tampered copy is unaffected by the check and still has to be rebuilt with a verified Xcode.

Again, there's nothing we normal users need to do, or can do, about this situation, since Apple's security lapses in allowing modified versions of Xcode to function and letting malware-infested apps into the App Store are simply outside our control.

References
1. http://tidbits.com/article/15939
2. http://tidbits.com/resources/2015-09/Apple-Xcode-dev-warning.png
3. https://developer.apple.com/news/?id=09222015a
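As an added example, not code from the TidBITS article or from Apple's posting: a POSIX shell wrapper around the check that Apple's expanded developer posting [3] tells developers to run on a copy of Xcode obtained from a thumb drive, external disk or LAN share, namely spctl --assess --verbose /Applications/Xcode.app. Apple's note lists the reports a genuine build produces as "accepted" with source=Mac App Store, source=Apple or source=Apple System; the function names verdict_ok and check_xcode, the default bundle path, and the sample reports used to exercise the parser are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the TidBITS article or Apple's posting): wrap the
# `spctl --assess --verbose` check that Apple's developer note recommends for
# a copy of Xcode obtained from a thumb drive, external disk or LAN share, and
# decide from its report whether the bundle is an Apple-signed, unmodified build.

# verdict_ok REPORT
#   Returns 0 when the spctl report shows a Gatekeeper-accepted bundle whose
#   signature source is one of the three values Apple's note lists as genuine:
#   "Mac App Store", "Apple" or "Apple System". Anything else (rejected, an
#   ad-hoc or Developer ID signature, a stripped signature) returns 1, which is
#   what a re-signed or patched Xcode produces.
verdict_ok() {
    # spctl may print the verdict and the "source=" line on separate lines;
    # flatten and squeeze whitespace so both layouts match the same patterns.
    flat=$(printf '%s\n' "$1" | tr '\n' ' ' | tr -s ' ' | sed 's/ *$//')
    case "$flat" in
        *": accepted source=Mac App Store"|*": accepted source=Apple"|*": accepted source=Apple System")
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# check_xcode [PATH]
#   Runs the real assessment on a Mac (default path /Applications/Xcode.app,
#   an assumption of this example). Captures stdout and stderr together,
#   because spctl reports rejections on stderr, ignores spctl's own exit
#   status and lets verdict_ok decide.
check_xcode() {
    path="${1:-/Applications/Xcode.app}"
    report=$(spctl --assess --verbose "$path" 2>&1 || true)
    if verdict_ok "$report"; then
        printf 'OK: %s is an Apple-signed build (%s)\n' "$path" "$report"
        return 0
    fi
    printf 'SUSPECT: %s failed verification: %s\n' "$path" "$report" >&2
    return 1
}

# When run directly on a Mac, assess the given (or default) Xcode bundle.
# On systems without spctl, only the functions are defined.
if command -v spctl >/dev/null 2>&1; then
    check_xcode "$@"
fi
```

Run it on a Mac as sh check_xcode.sh /path/to/Xcode.app, or source the file to reuse verdict_ok in a larger provisioning script. A rejected report, or an accepted one whose source is a Developer ID or ad-hoc signature, is the signature of a re-signed or tampered copy and should be treated as a failure even though, as the article notes, such a copy may still launch and build apps.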